7c89499d85795d6727f8d864733b78870f3ce076ed4aa065c8f8cc44ee126b1f

Analysis

max time kernel
113s
max time network
185s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
29-12-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4284 sc.exe
1860 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2816 ipconfig.exe
Runs net.exe
Suspicious behavior: LoadsDriver 26 IoCs

Processes:

pid process

644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644

pid	process
4284	sc.exe
1860	sc.exe

pid	process
2816	ipconfig.exe

pid	process
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe
Token: SeLoadDriverPrivilege	4588	svchost.exe
Token: SeSystemtimePrivilege	4588	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe
Token: SeShutdownPrivilege	4588	svchost.exe
Token: SeSystemEnvironmentPrivilege	4588	svchost.exe
Token: SeUndockPrivilege	4588	svchost.exe
Token: SeManageVolumePrivilege	4588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe
Token: SeLoadDriverPrivilege	4588	svchost.exe
Token: SeSystemtimePrivilege	4588	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe
Token: SeShutdownPrivilege	4588	svchost.exe
Token: SeSystemEnvironmentPrivilege	4588	svchost.exe
Token: SeUndockPrivilege	4588	svchost.exe
Token: SeManageVolumePrivilege	4588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe
Token: SeLoadDriverPrivilege	4588	svchost.exe
Token: SeSystemtimePrivilege	4588	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe
Token: SeShutdownPrivilege	4588	svchost.exe
Token: SeSystemEnvironmentPrivilege	4588	svchost.exe
Token: SeUndockPrivilege	4588	svchost.exe
Token: SeManageVolumePrivilege	4588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe
Token: SeLoadDriverPrivilege	4588	svchost.exe
Token: SeSystemtimePrivilege	4588	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe
Token: SeShutdownPrivilege	4588	svchost.exe
Token: SeSystemEnvironmentPrivilege	4588	svchost.exe
Token: SeUndockPrivilege	4588	svchost.exe
Token: SeManageVolumePrivilege	4588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe
Token: SeLoadDriverPrivilege	4588	svchost.exe
Token: SeSystemtimePrivilege	4588	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe
Token: SeShutdownPrivilege	4588	svchost.exe
Token: SeSystemEnvironmentPrivilege	4588	svchost.exe
Token: SeUndockPrivilege	4588	svchost.exe
Token: SeManageVolumePrivilege	4588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4588	svchost.exe
Token: SeIncreaseQuotaPrivilege	4588	svchost.exe
Token: SeSecurityPrivilege	4588	svchost.exe
Token: SeTakeOwnershipPrivilege	4588	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exe

description	pid	process	target process
PID 236 wrote to memory of 2472	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2472	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2428	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2428	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2828	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2828	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 816	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 816	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3908	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3908	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4044	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4044	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 5004	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 5004	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1400	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1400	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3384	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3384	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 624	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 624	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4664	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4664	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 724	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 724	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2608	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2608	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4636	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4636	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 836	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 836	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3580	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3580	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1544	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1544	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1100	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1100	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1344	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 1344	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 5088	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 5088	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3828	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 3828	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4756	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4756	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4832	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4832	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2688	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2688	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2336	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 2336	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4512	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4512	236	cmd.exe	AMIDEWINx64.EXE
PID 236 wrote to memory of 4088	236	cmd.exe	net.exe
PID 236 wrote to memory of 4088	236	cmd.exe	net.exe
PID 4088 wrote to memory of 528	4088	net.exe	net1.exe
PID 4088 wrote to memory of 528	4088	net.exe	net1.exe
PID 236 wrote to memory of 2232	236	cmd.exe	net.exe
PID 236 wrote to memory of 2232	236	cmd.exe	net.exe
PID 2232 wrote to memory of 3620	2232	net.exe	net1.exe
PID 2232 wrote to memory of 3620	2232	net.exe	net1.exe
PID 236 wrote to memory of 4284	236	cmd.exe	sc.exe
PID 236 wrote to memory of 4284	236	cmd.exe	sc.exe
PID 236 wrote to memory of 1860	236	cmd.exe	sc.exe
PID 236 wrote to memory of 1860	236	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 24821147672851027813
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 16390127262889412201
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 50381759364522850
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 2310273141854626072
  2⤵
  PID:816
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 27874288021435621498
  2⤵
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 1091924819890613313
  2⤵
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 1161226298128223280
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 22275308842557415519
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 55394343162712569
  2⤵
  PID:624
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 168288547753210562
  2⤵
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 2127717898212725821
  2⤵
  PID:724
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 303262118664392828
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 8526105351803420985
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 1621822727295722869
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 301029857302831856
  2⤵
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 7061287801793927528
  2⤵
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 2434148912347825045
  2⤵
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 17879133432510022244
  2⤵
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 4305582191133154
  2⤵
  PID:5088
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 19157225956856445
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 1344519366115431013
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 122311425482606808
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 12424154592316731502
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 1047512329270412706
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 2019579302464511682
  2⤵
  PID:4512
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:528
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:3620
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:4284
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:1860
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

pid	process
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644

pid	process
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644
644