c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
120s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3660	sc.exe
5040	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4496	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4048	2856	cmd.exe	86
PID 2856 wrote to memory of 4048	2856	cmd.exe	86
PID 2856 wrote to memory of 920	2856	cmd.exe	87
PID 2856 wrote to memory of 920	2856	cmd.exe	87
PID 2856 wrote to memory of 4040	2856	cmd.exe	88
PID 2856 wrote to memory of 4040	2856	cmd.exe	88
PID 2856 wrote to memory of 3128	2856	cmd.exe	89
PID 2856 wrote to memory of 3128	2856	cmd.exe	89
PID 2856 wrote to memory of 1700	2856	cmd.exe	90
PID 2856 wrote to memory of 1700	2856	cmd.exe	90
PID 2856 wrote to memory of 2464	2856	cmd.exe	91
PID 2856 wrote to memory of 2464	2856	cmd.exe	91
PID 2856 wrote to memory of 376	2856	cmd.exe	92
PID 2856 wrote to memory of 376	2856	cmd.exe	92
PID 2856 wrote to memory of 3896	2856	cmd.exe	93
PID 2856 wrote to memory of 3896	2856	cmd.exe	93
PID 2856 wrote to memory of 3136	2856	cmd.exe	94
PID 2856 wrote to memory of 3136	2856	cmd.exe	94
PID 2856 wrote to memory of 1872	2856	cmd.exe	95
PID 2856 wrote to memory of 1872	2856	cmd.exe	95
PID 2856 wrote to memory of 3364	2856	cmd.exe	96
PID 2856 wrote to memory of 3364	2856	cmd.exe	96
PID 2856 wrote to memory of 2452	2856	cmd.exe	97
PID 2856 wrote to memory of 2452	2856	cmd.exe	97
PID 2856 wrote to memory of 5044	2856	cmd.exe	98
PID 2856 wrote to memory of 5044	2856	cmd.exe	98
PID 2856 wrote to memory of 4772	2856	cmd.exe	99
PID 2856 wrote to memory of 4772	2856	cmd.exe	99
PID 2856 wrote to memory of 1396	2856	cmd.exe	100
PID 2856 wrote to memory of 1396	2856	cmd.exe	100
PID 2856 wrote to memory of 2056	2856	cmd.exe	101
PID 2856 wrote to memory of 2056	2856	cmd.exe	101
PID 2856 wrote to memory of 3928	2856	cmd.exe	102
PID 2856 wrote to memory of 3928	2856	cmd.exe	102
PID 2856 wrote to memory of 4512	2856	cmd.exe	103
PID 2856 wrote to memory of 4512	2856	cmd.exe	103
PID 2856 wrote to memory of 2720	2856	cmd.exe	104
PID 2856 wrote to memory of 2720	2856	cmd.exe	104
PID 2856 wrote to memory of 1912	2856	cmd.exe	105
PID 2856 wrote to memory of 1912	2856	cmd.exe	105
PID 2856 wrote to memory of 2640	2856	cmd.exe	106
PID 2856 wrote to memory of 2640	2856	cmd.exe	106
PID 2856 wrote to memory of 4916	2856	cmd.exe	107
PID 2856 wrote to memory of 4916	2856	cmd.exe	107
PID 2856 wrote to memory of 2008	2856	cmd.exe	108
PID 2856 wrote to memory of 2008	2856	cmd.exe	108
PID 2856 wrote to memory of 2980	2856	cmd.exe	109
PID 2856 wrote to memory of 2980	2856	cmd.exe	109
PID 2856 wrote to memory of 2060	2856	cmd.exe	110
PID 2856 wrote to memory of 2060	2856	cmd.exe	110
PID 2856 wrote to memory of 3864	2856	cmd.exe	111
PID 2856 wrote to memory of 3864	2856	cmd.exe	111
PID 2856 wrote to memory of 4636	2856	cmd.exe	112
PID 2856 wrote to memory of 4636	2856	cmd.exe	112
PID 4636 wrote to memory of 1356	4636	net.exe	113
PID 4636 wrote to memory of 1356	4636	net.exe	113
PID 2856 wrote to memory of 4872	2856	cmd.exe	114
PID 2856 wrote to memory of 4872	2856	cmd.exe	114
PID 4872 wrote to memory of 3456	4872	net.exe	115
PID 4872 wrote to memory of 3456	4872	net.exe	115
PID 2856 wrote to memory of 3660	2856	cmd.exe	117
PID 2856 wrote to memory of 3660	2856	cmd.exe	117
PID 2856 wrote to memory of 5040	2856	cmd.exe	118
PID 2856 wrote to memory of 5040	2856	cmd.exe	118

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 26706105053079822262
  2⤵
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 500123132157899229
  2⤵
  PID:920
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 227613061017486673
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 15873156251225915666
  2⤵
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 676198071290112381
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 31048144001833610324
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 16044254681893012940
  2⤵
  PID:376
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 531026531748814261
  2⤵
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 2578718231960929167
  2⤵
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 1141623360145434923
  2⤵
  PID:3364
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 2345710402190712335
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 251844815203217135
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 31168146131591523128
  2⤵
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 25970162421253718814
  2⤵
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 1371265692275427481
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 1932832212768520155
  2⤵
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 9756229741125924197
  2⤵
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 1460718730592023067
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 213781398961612821
  2⤵
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 2303332293290707480
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 22391174632916331140
  2⤵
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 1072953731062920046
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 19905183728686177
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 32983634143514801
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 5308183733025232033
  2⤵
  PID:3864
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:1356
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:3456
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:3660
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...