Overview (score 10)

Static (score 3)

Tasks in this submission (sidebar listing; file names truncated as displayed; score as shown per task):
Sample                     Platform            Score
ggpermV3.rar               windows7-x64        3
ggpermV3.rar               windows10-2004-x64  7
ggpermV3/A...64.exe        windows7-x64        1
ggpermV3/A...64.exe        windows10-2004-x64  1
ggpermV3/F...er.bat        windows7-x64        1
ggpermV3/F...er.bat        windows10-2004-x64  1
ggpermV3/N...on.dll        windows7-x64        1
ggpermV3/N...on.dll        windows10-2004-x64  1
ggpermV3/S...UI.dll        windows7-x64        1
ggpermV3/S...UI.dll        windows10-2004-x64  1
ggpermV3/T...er.exe        windows7-x64        -
ggpermV3/T...er.exe        windows10-2004-x64  -
ggpermV3/a...64.sys        windows7-x64        1
ggpermV3/a...64.sys        windows10-2004-x64  1
ggpermV3/ggpermV3.exe      windows7-x64        1
ggpermV3/ggpermV3.exe      windows10-2004-x64  1
ggpermV3/m...er.bat        windows7-x64        1
ggpermV3/m...er.bat        windows10-2004-x64  1
ggpermV3/s...er.exe        windows7-x64        1
ggpermV3/s...er.exe        windows10-2004-x64  1
ggpermV3/s...er.exe        windows7-x64        1
ggpermV3/s...er.exe        windows10-2004-x64  1
ggpermV3/s...er.pdb        windows7-x64        3
ggpermV3/s...er.pdb        windows10-2004-x64  3
ggpermV3/s...g.json        windows7-x64        3
ggpermV3/s...g.json        windows10-2004-x64  3
ggpermV3/woof.bat          windows7-x64        8
ggpermV3/woof.bat          windows10-2004-x64  8

Resubmissions (submitted, analysis ID, score):
09/11/2024, 22:49 UTC  241109-2r2veatfrl  10
09/11/2024, 22:47 UTC  241109-2qkjqssrdz  10
09/11/2024, 22:46 UTC  241109-2p2fvstfqj  10
09/11/2024, 22:44 UTC  241109-2nsgkasrbt  10
07/11/2024, 16:00 UTC  241107-tfl1taxpgl  10
10/02/2024, 17:17 UTC  240210-vtnl8sge36  10

Analysis
max time kernel: 3s
max time network: 107s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/02/2024, 17:17 UTC
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1   ggpermV3.rar                              win7-20231215-en
behavioral2   ggpermV3.rar                              win10v2004-20231222-en
behavioral3   ggpermV3/AMIDEWINx64.exe                  win7-20231215-en
behavioral4   ggpermV3/AMIDEWINx64.exe                  win10v2004-20231215-en
behavioral5   ggpermV3/Final_Cleaner.bat                win7-20231215-en
behavioral6   ggpermV3/Final_Cleaner.bat                win10v2004-20231215-en
behavioral7   ggpermV3/Newtonsoft.Json.dll              win7-20231215-en
behavioral8   ggpermV3/Newtonsoft.Json.dll              win10v2004-20231215-en
behavioral9   ggpermV3/Siticone.UI.dll                  win7-20231215-en
behavioral10  ggpermV3/Siticone.UI.dll                  win10v2004-20231222-en
behavioral11  ggpermV3/Trinity Cleaner.exe              win7-20231215-en
behavioral12  ggpermV3/Trinity Cleaner.exe              win10v2004-20231215-en
behavioral13  ggpermV3/amifldrv64.sys                   win7-20231129-en
behavioral14  ggpermV3/amifldrv64.sys                   win10v2004-20231222-en
behavioral15  ggpermV3/ggpermV3.exe                     win7-20231215-en
behavioral16  ggpermV3/ggpermV3.exe                     win10v2004-20231215-en
behavioral17  ggpermV3/macchanger.bat                   win7-20231215-en
behavioral18  ggpermV3/macchanger.bat                   win10v2004-20231215-en
behavioral19  ggpermV3/sxghr-driver.exe                 win7-20231215-en
behavioral20  ggpermV3/sxghr-driver.exe                 win10v2004-20231215-en
behavioral21  ggpermV3/sxghr-driver.exe                 win7-20231215-en
behavioral22  ggpermV3/sxghr-driver.exe                 win10v2004-20231215-en
behavioral23  ggpermV3/sxghr-driver.pdb                 win7-20231215-en
behavioral24  ggpermV3/sxghr-driver.pdb                 win10v2004-20231222-en
behavioral25  ggpermV3/sxghr-driver.runtimeconfig.json  win7-20231129-en
behavioral26  ggpermV3/sxghr-driver.runtimeconfig.json  win10v2004-20231222-en
behavioral27  ggpermV3/woof.bat                         win7-20231129-en
behavioral28  ggpermV3/woof.bat                         win10v2004-20231215-en
General
Target: ggpermV3/macchanger.bat
Size: 2KB
MD5: c0b8d81370dd4defc9317dc6c204d581
SHA1: fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
SHA256: 4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
SHA512: 271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (process tree: image, PID, command line; signature hits listed beneath the process)
- C:\Windows\system32\cmd.exe (PID 2208): cmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2488): C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2216): wmic nic where physicaladapter=true get deviceid
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 2100): findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 2788): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
  - C:\Windows\system32\reg.exe (PID 2820): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
  - C:\Windows\system32\reg.exe (PID 2852): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
  - C:\Windows\system32\reg.exe (PID 2780): REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d 3A8F84882413 /f
  - C:\Windows\system32\cmd.exe (PID 2736): C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2712): wmic nic where physicaladapter=true get deviceid
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 2344): findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 2772): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
  - C:\Windows\system32\reg.exe (PID 2896): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
  - C:\Windows\system32\reg.exe (PID 2604): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
  - C:\Windows\system32\reg.exe (PID 1492): REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f
  - C:\Windows\system32\cmd.exe (PID 2716): C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2844): wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
  - C:\Windows\system32\netsh.exe (PID 2580): netsh interface set interface name="Local Area Connection" disable