Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3ggpermV3.rar
windows7-x64
3ggpermV3.rar
windows10-2004-x64
7ggpermV3/A...64.exe
windows7-x64
1ggpermV3/A...64.exe
windows10-2004-x64
1ggpermV3/F...er.bat
windows7-x64
1ggpermV3/F...er.bat
windows10-2004-x64
1ggpermV3/N...on.dll
windows7-x64
1ggpermV3/N...on.dll
windows10-2004-x64
1ggpermV3/S...UI.dll
windows7-x64
1ggpermV3/S...UI.dll
windows10-2004-x64
1ggpermV3/T...er.exe
windows7-x64
ggpermV3/T...er.exe
windows10-2004-x64
ggpermV3/a...64.sys
windows7-x64
1ggpermV3/a...64.sys
windows10-2004-x64
1ggpermV3/ggpermV3.exe
windows7-x64
1ggpermV3/ggpermV3.exe
windows10-2004-x64
1ggpermV3/m...er.bat
windows7-x64
1ggpermV3/m...er.bat
windows10-2004-x64
1ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/s...er.pdb
windows7-x64
3ggpermV3/s...er.pdb
windows10-2004-x64
3ggpermV3/s...g.json
windows7-x64
3ggpermV3/s...g.json
windows10-2004-x64
3ggpermV3/woof.bat
windows7-x64
8ggpermV3/woof.bat
windows10-2004-x64
8Resubmissions
09/11/2024, 22:49
241109-2r2veatfrl 1009/11/2024, 22:47
241109-2qkjqssrdz 1009/11/2024, 22:46
241109-2p2fvstfqj 1009/11/2024, 22:44
241109-2nsgkasrbt 1007/11/2024, 16:00
241107-tfl1taxpgl 1010/02/2024, 17:17
240210-vtnl8sge36 10Analysis
-
max time kernel
140s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
10/02/2024, 17:17
Static task
static1
Behavioral task
behavioral1
Sample
ggpermV3.rar
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
ggpermV3.rar
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ggpermV3/Final_Cleaner.bat
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
ggpermV3/Final_Cleaner.bat
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ggpermV3/Siticone.UI.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
ggpermV3/Siticone.UI.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral12
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ggpermV3/amifldrv64.sys
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
ggpermV3/amifldrv64.sys
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ggpermV3/ggpermV3.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
ggpermV3/ggpermV3.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ggpermV3/macchanger.bat
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral18
Sample
ggpermV3/macchanger.bat
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral20
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral22
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ggpermV3/sxghr-driver.pdb
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral24
Sample
ggpermV3/sxghr-driver.pdb
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
ggpermV3/sxghr-driver.runtimeconfig.json
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral26
Sample
ggpermV3/sxghr-driver.runtimeconfig.json
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ggpermV3/woof.bat
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral28
Sample
ggpermV3/woof.bat
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
ggpermV3/Final_Cleaner.bat
-
Size
107KB
-
MD5
98f1a0eebcb5f4798662a40323b05a7e
-
SHA1
068e288005c04b8d859c44d3767613a8036bdb11
-
SHA256
00023ce602db623e47de1029595339eec4ee5019c6017236c9b721cac0ae4032
-
SHA512
6cfda16ce56b1173b91bd86c0f977f022a0b01a77142a15f66d865ee3f00ffee6aa2df7571edcccac41f7d680a9c4c536991abd91e86a00b083b8f9f37a39cf7
-
SSDEEP
768:S/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLgwJyo:Kg8gUDRnvplQL5LvLpLjLnn
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Kills process with taskkill 5 IoCs
pid Process 1748 taskkill.exe 3036 taskkill.exe 404 taskkill.exe 316 taskkill.exe 3000 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 1748 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 404 taskkill.exe Token: SeDebugPrivilege 316 taskkill.exe Token: SeDebugPrivilege 3000 taskkill.exe Token: SeDebugPrivilege 1652 taskmgr.exe Token: SeSystemProfilePrivilege 1652 taskmgr.exe Token: SeCreateGlobalPrivilege 1652 taskmgr.exe Token: 33 1652 taskmgr.exe Token: SeIncBasePriorityPrivilege 1652 taskmgr.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
pid Process 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe -
Suspicious use of SendNotifyMessage 29 IoCs
pid Process 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4076 wrote to memory of 1748 4076 cmd.exe 84 PID 4076 wrote to memory of 1748 4076 cmd.exe 84 PID 4076 wrote to memory of 3036 4076 cmd.exe 86 PID 4076 wrote to memory of 3036 4076 cmd.exe 86 PID 4076 wrote to memory of 404 4076 cmd.exe 87 PID 4076 wrote to memory of 404 4076 cmd.exe 87 PID 4076 wrote to memory of 316 4076 cmd.exe 88 PID 4076 wrote to memory of 316 4076 cmd.exe 88 PID 4076 wrote to memory of 3000 4076 cmd.exe 89 PID 4076 wrote to memory of 3000 4076 cmd.exe 89
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\Final_Cleaner.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:404
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652