b6e0e05dfc876baa96c0e6b1b9de9dd7a16ed070106f53fa1daf26e10ed07040

Analysis

max time kernel
1177s
max time network
1163s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

920 sc.exe
3272 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3428 ipconfig.exe
Runs net.exe
Suspicious behavior: LoadsDriver 26 IoCs

Processes:

pid process

680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

pid	process
920	sc.exe
3272	sc.exe

pid	process
3428	ipconfig.exe

pid	process
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe
Token: SeLoadDriverPrivilege	4800	svchost.exe
Token: SeSystemtimePrivilege	4800	svchost.exe
Token: SeBackupPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeSystemEnvironmentPrivilege	4800	svchost.exe
Token: SeUndockPrivilege	4800	svchost.exe
Token: SeManageVolumePrivilege	4800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe
Token: SeLoadDriverPrivilege	4800	svchost.exe
Token: SeSystemtimePrivilege	4800	svchost.exe
Token: SeBackupPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeSystemEnvironmentPrivilege	4800	svchost.exe
Token: SeUndockPrivilege	4800	svchost.exe
Token: SeManageVolumePrivilege	4800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe
Token: SeLoadDriverPrivilege	4800	svchost.exe
Token: SeSystemtimePrivilege	4800	svchost.exe
Token: SeBackupPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeSystemEnvironmentPrivilege	4800	svchost.exe
Token: SeUndockPrivilege	4800	svchost.exe
Token: SeManageVolumePrivilege	4800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe
Token: SeLoadDriverPrivilege	4800	svchost.exe
Token: SeSystemtimePrivilege	4800	svchost.exe
Token: SeBackupPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeSystemEnvironmentPrivilege	4800	svchost.exe
Token: SeUndockPrivilege	4800	svchost.exe
Token: SeManageVolumePrivilege	4800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe
Token: SeLoadDriverPrivilege	4800	svchost.exe
Token: SeSystemtimePrivilege	4800	svchost.exe
Token: SeBackupPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeShutdownPrivilege	4800	svchost.exe
Token: SeSystemEnvironmentPrivilege	4800	svchost.exe
Token: SeUndockPrivilege	4800	svchost.exe
Token: SeManageVolumePrivilege	4800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	4800	svchost.exe
Token: SeSecurityPrivilege	4800	svchost.exe
Token: SeTakeOwnershipPrivilege	4800	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exe

description	pid	process	target process
PID 3872 wrote to memory of 2296	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2296	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2972	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2972	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2616	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2616	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 436	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 436	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4072	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4072	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3276	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3276	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 648	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 648	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1172	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1172	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3940	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3940	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3540	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3540	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3580	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3580	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 948	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 948	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1392	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1392	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1536	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1536	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4608	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4608	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3548	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3548	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2608	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 2608	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3008	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3008	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3128	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3128	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3648	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3648	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3704	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3704	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3284	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3284	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4868	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 4868	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3744	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 3744	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1836	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1836	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1644	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1644	3872	cmd.exe	AMIDEWINx64.EXE
PID 3872 wrote to memory of 1960	3872	cmd.exe	net.exe
PID 3872 wrote to memory of 1960	3872	cmd.exe	net.exe
PID 1960 wrote to memory of 3420	1960	net.exe	net1.exe
PID 1960 wrote to memory of 3420	1960	net.exe	net1.exe
PID 3872 wrote to memory of 4088	3872	cmd.exe	net.exe
PID 3872 wrote to memory of 4088	3872	cmd.exe	net.exe
PID 4088 wrote to memory of 2288	4088	net.exe	net1.exe
PID 4088 wrote to memory of 2288	4088	net.exe	net1.exe
PID 3872 wrote to memory of 920	3872	cmd.exe	sc.exe
PID 3872 wrote to memory of 920	3872	cmd.exe	sc.exe
PID 3872 wrote to memory of 3272	3872	cmd.exe	sc.exe
PID 3872 wrote to memory of 3272	3872	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 35594072881219385
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 28151109372053014849
  2⤵
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 26005195272731524
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 240371559124123674
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 29175279751705017224
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 31737111771267415023
  2⤵
  PID:3276
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 6839500814522023
  2⤵
  PID:648
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 69311762932995138
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 4721165971942163
  2⤵
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 2981313114278389257
  2⤵
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 168163765922426455
  2⤵
  PID:948
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 27209140242392924646
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 2481715021300647084
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 23064116212508427183
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 29131417035677973
  2⤵
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 32596274582718811422
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 20820251581059416548
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 26064254442292818369
  2⤵
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 2937366742058830914
  2⤵
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 277158228755919899
  2⤵
  PID:3704
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 1067824303304513659
  2⤵
  PID:3284
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 2221729912152020257
  2⤵
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 127817190109152751
  2⤵
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 29025218255214206
  2⤵
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 21110111532084232467
  2⤵
  PID:1644
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:3420
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:2288
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:3272
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4800
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

pid	process
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

pid	process
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680