15ba48e43afbe0d0ba05d7befbfd4073c459d3335280c5885ecd2cb9f07b7970

Resubmissions

22-03-2024 00:33

240322-awglgsff8s 10

22-03-2024 00:29

240322-atdrtaff4z 8

22-03-2024 00:14

240322-ajp24afd9s 10

Analysis

max time kernel
245s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4732 sc.exe
4688 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1572 ipconfig.exe
Runs net.exe
Suspicious behavior: LoadsDriver 26 IoCs

Processes:

pid process

616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616

pid	process
4732	sc.exe
4688	sc.exe

pid	process
1572	ipconfig.exe

pid	process
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeBackupPrivilege	2572	svchost.exe
Token: SeRestorePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exe

description	pid	process	target process
PID 4432 wrote to memory of 4800	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4800	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3080	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3080	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4160	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4160	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 704	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 704	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4560	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4560	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 1052	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 1052	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3248	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3248	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3968	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3968	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4612	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4612	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4616	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4616	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4760	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4760	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4596	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4596	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 216	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 216	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 1668	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 1668	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 828	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 828	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 212	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 212	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 2800	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 2800	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4396	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4396	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4820	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4820	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 2664	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 2664	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3012	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3012	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3588	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3588	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3056	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3056	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4640	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4640	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3604	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 3604	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4920	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4920	4432	cmd.exe	AMIDEWINx64.EXE
PID 4432 wrote to memory of 4316	4432	cmd.exe	net.exe
PID 4432 wrote to memory of 4316	4432	cmd.exe	net.exe
PID 4316 wrote to memory of 4268	4316	net.exe	net1.exe
PID 4316 wrote to memory of 4268	4316	net.exe	net1.exe
PID 4432 wrote to memory of 2148	4432	cmd.exe	net.exe
PID 4432 wrote to memory of 2148	4432	cmd.exe	net.exe
PID 2148 wrote to memory of 1524	2148	net.exe	net1.exe
PID 2148 wrote to memory of 1524	2148	net.exe	net1.exe
PID 4432 wrote to memory of 4688	4432	cmd.exe	sc.exe
PID 4432 wrote to memory of 4688	4432	cmd.exe	sc.exe
PID 4432 wrote to memory of 4732	4432	cmd.exe	sc.exe
PID 4432 wrote to memory of 4732	4432	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 23910218581905611571
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 29783289452537230787
  2⤵
  PID:3080
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 1924024284297708527
  2⤵
  PID:4160
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 30083157582154419996
  2⤵
  PID:704
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 18726304011778130651
  2⤵
  PID:4560
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 222589124228415481
  2⤵
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 3129512028632428339
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 2929922633296422750
  2⤵
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 15059319792826725477
  2⤵
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 5273185961161514468
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 30534137923050013077
  2⤵
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 23353320823178329241
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 4737234561178827226
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 920020515495514894
  2⤵
  PID:828
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 236641456888618142
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 2714286662427125448
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 62771993959751858
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 3068413680748222592
  2⤵
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 517232539692999
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 16284182572936725315
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 19829260991421718054
  2⤵
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 203563869288817874
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 1056595122469731881
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 2803432137197919315
  2⤵
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 1488575062614221936
  2⤵
  PID:4920
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4268
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:1524
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:4688
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:4732
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2572
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

pid	process
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616

pid	process
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616
616