b6e0e05dfc876baa96c0e6b1b9de9dd7a16ed070106f53fa1daf26e10ed07040

Analysis

max time kernel
1s
max time network
1169s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/macchanger.bat
Size

2KB
MD5

c0b8d81370dd4defc9317dc6c204d581
SHA1

fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
SHA256

4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
SHA512

271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5104	WMIC.exe
Token: SeSecurityPrivilege	5104	WMIC.exe
Token: SeTakeOwnershipPrivilege	5104	WMIC.exe
Token: SeLoadDriverPrivilege	5104	WMIC.exe
Token: SeSystemProfilePrivilege	5104	WMIC.exe
Token: SeSystemtimePrivilege	5104	WMIC.exe
Token: SeProfSingleProcessPrivilege	5104	WMIC.exe
Token: SeIncBasePriorityPrivilege	5104	WMIC.exe
Token: SeCreatePagefilePrivilege	5104	WMIC.exe
Token: SeBackupPrivilege	5104	WMIC.exe
Token: SeRestorePrivilege	5104	WMIC.exe
Token: SeShutdownPrivilege	5104	WMIC.exe
Token: SeDebugPrivilege	5104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5104	WMIC.exe
Token: SeRemoteShutdownPrivilege	5104	WMIC.exe
Token: SeUndockPrivilege	5104	WMIC.exe
Token: SeManageVolumePrivilege	5104	WMIC.exe
Token: 33	5104	WMIC.exe
Token: 34	5104	WMIC.exe
Token: 35	5104	WMIC.exe
Token: 36	5104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5104	WMIC.exe
Token: SeSecurityPrivilege	5104	WMIC.exe
Token: SeTakeOwnershipPrivilege	5104	WMIC.exe
Token: SeLoadDriverPrivilege	5104	WMIC.exe
Token: SeSystemProfilePrivilege	5104	WMIC.exe
Token: SeSystemtimePrivilege	5104	WMIC.exe
Token: SeProfSingleProcessPrivilege	5104	WMIC.exe
Token: SeIncBasePriorityPrivilege	5104	WMIC.exe
Token: SeCreatePagefilePrivilege	5104	WMIC.exe
Token: SeBackupPrivilege	5104	WMIC.exe
Token: SeRestorePrivilege	5104	WMIC.exe
Token: SeShutdownPrivilege	5104	WMIC.exe
Token: SeDebugPrivilege	5104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5104	WMIC.exe
Token: SeRemoteShutdownPrivilege	5104	WMIC.exe
Token: SeUndockPrivilege	5104	WMIC.exe
Token: SeManageVolumePrivilege	5104	WMIC.exe
Token: 33	5104	WMIC.exe
Token: 34	5104	WMIC.exe
Token: 35	5104	WMIC.exe
Token: 36	5104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: 36	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 4904 wrote to memory of 3500	4904	cmd.exe	78
PID 4904 wrote to memory of 3500	4904	cmd.exe	78
PID 3500 wrote to memory of 5104	3500	cmd.exe	79
PID 3500 wrote to memory of 5104	3500	cmd.exe	79
PID 3500 wrote to memory of 4688	3500	cmd.exe	80
PID 3500 wrote to memory of 4688	3500	cmd.exe	80
PID 4904 wrote to memory of 2376	4904	cmd.exe	82
PID 4904 wrote to memory of 2376	4904	cmd.exe	82
PID 4904 wrote to memory of 4228	4904	cmd.exe	84
PID 4904 wrote to memory of 4228	4904	cmd.exe	84
PID 4904 wrote to memory of 2664	4904	cmd.exe	83
PID 4904 wrote to memory of 2664	4904	cmd.exe	83
PID 4904 wrote to memory of 2084	4904	cmd.exe	85
PID 4904 wrote to memory of 2084	4904	cmd.exe	85
PID 4904 wrote to memory of 4892	4904	cmd.exe	86
PID 4904 wrote to memory of 4892	4904	cmd.exe	86
PID 4892 wrote to memory of 1992	4892	cmd.exe	88
PID 4892 wrote to memory of 1992	4892	cmd.exe	88
PID 4892 wrote to memory of 2916	4892	cmd.exe	87
PID 4892 wrote to memory of 2916	4892	cmd.exe	87
PID 4904 wrote to memory of 660	4904	cmd.exe	89
PID 4904 wrote to memory of 660	4904	cmd.exe	89
PID 4904 wrote to memory of 1176	4904	cmd.exe	90
PID 4904 wrote to memory of 1176	4904	cmd.exe	90
PID 4904 wrote to memory of 3168	4904	cmd.exe	91
PID 4904 wrote to memory of 3168	4904	cmd.exe	91
PID 4904 wrote to memory of 4576	4904	cmd.exe	92
PID 4904 wrote to memory of 4576	4904	cmd.exe	92
PID 4904 wrote to memory of 4668	4904	cmd.exe	93
PID 4904 wrote to memory of 4668	4904	cmd.exe	93
PID 4668 wrote to memory of 1376	4668	cmd.exe	94
PID 4668 wrote to memory of 1376	4668	cmd.exe	94
PID 4904 wrote to memory of 2000	4904	cmd.exe	95
PID 4904 wrote to memory of 2000	4904	cmd.exe	95
PID 4904 wrote to memory of 3500	4904	cmd.exe	175
PID 4904 wrote to memory of 3500	4904	cmd.exe	175
PID 3500 wrote to memory of 5104	3500	cmd.exe	176
PID 3500 wrote to memory of 5104	3500	cmd.exe	176
PID 3500 wrote to memory of 4688	3500	cmd.exe	177
PID 3500 wrote to memory of 4688	3500	cmd.exe	177
PID 4904 wrote to memory of 2376	4904	cmd.exe	179
PID 4904 wrote to memory of 2376	4904	cmd.exe	179
PID 4904 wrote to memory of 4228	4904	cmd.exe	181
PID 4904 wrote to memory of 4228	4904	cmd.exe	181
PID 4904 wrote to memory of 2664	4904	cmd.exe	180
PID 4904 wrote to memory of 2664	4904	cmd.exe	180
PID 4904 wrote to memory of 2084	4904	cmd.exe	182
PID 4904 wrote to memory of 2084	4904	cmd.exe	182
PID 4904 wrote to memory of 4892	4904	cmd.exe	183
PID 4904 wrote to memory of 4892	4904	cmd.exe	183
PID 4892 wrote to memory of 1992	4892	cmd.exe	185
PID 4892 wrote to memory of 1992	4892	cmd.exe	185
PID 4892 wrote to memory of 2916	4892	cmd.exe	184
PID 4892 wrote to memory of 2916	4892	cmd.exe	184
PID 4904 wrote to memory of 660	4904	cmd.exe	186
PID 4904 wrote to memory of 660	4904	cmd.exe	186
PID 4904 wrote to memory of 1176	4904	cmd.exe	187
PID 4904 wrote to memory of 1176	4904	cmd.exe	187
PID 4904 wrote to memory of 3168	4904	cmd.exe	188
PID 4904 wrote to memory of 3168	4904	cmd.exe	188
PID 4904 wrote to memory of 4576	4904	cmd.exe	189
PID 4904 wrote to memory of 4576	4904	cmd.exe	189
PID 4904 wrote to memory of 4668	4904	cmd.exe	190
PID 4904 wrote to memory of 4668	4904	cmd.exe	190

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:4688
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d AE55C5B90595 /f
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:660
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:3168
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  2⤵
  PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
    3⤵
    PID:1376
- C:\Windows\system32\netsh.exe
  netsh interface set interface name="Ethernet" disable
  2⤵
  PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    PID:5104
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:4688
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:4228
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d AE55C5B90595 /f
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    PID:1992
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:660
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:3168
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  2⤵
  PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
  2⤵
  PID:4668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
    3⤵
    PID:1376
- C:\Windows\system32\netsh.exe
  netsh interface set interface name="Ethernet" disable
  2⤵
  PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:3108

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads