Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3ggpermV3/A...64.exe
windows7-x64
1ggpermV3/A...64.exe
windows10-2004-x64
1ggpermV3/F...er.bat
windows7-x64
1ggpermV3/F...er.bat
windows10-2004-x64
1ggpermV3/N...on.dll
windows7-x64
1ggpermV3/N...on.dll
windows10-2004-x64
1ggpermV3/S...UI.dll
windows7-x64
1ggpermV3/S...UI.dll
windows10-2004-x64
1ggpermV3/T...er.exe
windows7-x64
ggpermV3/T...er.exe
windows10-2004-x64
10ggpermV3/a...64.sys
windows7-x64
1ggpermV3/a...64.sys
windows10-2004-x64
1ggpermV3/ggpermV3.exe
windows7-x64
6ggpermV3/ggpermV3.exe
windows10-2004-x64
3ggpermV3/m...er.bat
windows7-x64
3ggpermV3/m...er.bat
windows10-2004-x64
3ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/woof.bat
windows7-x64
8ggpermV3/woof.bat
windows10-2004-x64
8Resubmissions
09/11/2024, 22:49
241109-2r2veatfrl 1009/11/2024, 22:47
241109-2qkjqssrdz 1009/11/2024, 22:46
241109-2p2fvstfqj 1009/11/2024, 22:44
241109-2nsgkasrbt 1007/11/2024, 16:00
241107-tfl1taxpgl 1010/02/2024, 17:17
240210-vtnl8sge36 10Analysis
-
max time kernel
1s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 16:00
Static task
static1
Behavioral task
behavioral1
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ggpermV3/Final_Cleaner.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
ggpermV3/Final_Cleaner.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ggpermV3/Siticone.UI.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
ggpermV3/Siticone.UI.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ggpermV3/amifldrv64.sys
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
ggpermV3/amifldrv64.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ggpermV3/ggpermV3.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
ggpermV3/ggpermV3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ggpermV3/macchanger.bat
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral16
Sample
ggpermV3/macchanger.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ggpermV3/woof.bat
Resource
win7-20240903-en
windows7-x64
General
-
Target
ggpermV3/macchanger.bat
-
Size
2KB
-
MD5
c0b8d81370dd4defc9317dc6c204d581
-
SHA1
fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
-
SHA256
4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
-
SHA512
271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config
Signatures
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2528 WMIC.exe Token: SeSecurityPrivilege 2528 WMIC.exe Token: SeTakeOwnershipPrivilege 2528 WMIC.exe Token: SeLoadDriverPrivilege 2528 WMIC.exe Token: SeSystemProfilePrivilege 2528 WMIC.exe Token: SeSystemtimePrivilege 2528 WMIC.exe Token: SeProfSingleProcessPrivilege 2528 WMIC.exe Token: SeIncBasePriorityPrivilege 2528 WMIC.exe Token: SeCreatePagefilePrivilege 2528 WMIC.exe Token: SeBackupPrivilege 2528 WMIC.exe Token: SeRestorePrivilege 2528 WMIC.exe Token: SeShutdownPrivilege 2528 WMIC.exe Token: SeDebugPrivilege 2528 WMIC.exe Token: SeSystemEnvironmentPrivilege 2528 WMIC.exe Token: SeRemoteShutdownPrivilege 2528 WMIC.exe Token: SeUndockPrivilege 2528 WMIC.exe Token: SeManageVolumePrivilege 2528 WMIC.exe Token: 33 2528 WMIC.exe Token: 34 2528 WMIC.exe Token: 35 2528 WMIC.exe Token: SeIncreaseQuotaPrivilege 2528 WMIC.exe Token: SeSecurityPrivilege 2528 WMIC.exe Token: SeTakeOwnershipPrivilege 2528 WMIC.exe Token: SeLoadDriverPrivilege 2528 WMIC.exe Token: SeSystemProfilePrivilege 2528 WMIC.exe Token: SeSystemtimePrivilege 2528 WMIC.exe Token: SeProfSingleProcessPrivilege 2528 WMIC.exe Token: SeIncBasePriorityPrivilege 2528 WMIC.exe Token: SeCreatePagefilePrivilege 2528 WMIC.exe Token: SeBackupPrivilege 2528 WMIC.exe Token: SeRestorePrivilege 2528 WMIC.exe Token: SeShutdownPrivilege 2528 WMIC.exe Token: SeDebugPrivilege 2528 WMIC.exe Token: SeSystemEnvironmentPrivilege 2528 WMIC.exe Token: SeRemoteShutdownPrivilege 2528 WMIC.exe Token: SeUndockPrivilege 2528 WMIC.exe Token: SeManageVolumePrivilege 2528 WMIC.exe Token: 33 2528 WMIC.exe Token: 34 2528 WMIC.exe Token: 35 2528 WMIC.exe Token: SeIncreaseQuotaPrivilege 3064 WMIC.exe Token: SeSecurityPrivilege 3064 WMIC.exe Token: SeTakeOwnershipPrivilege 3064 WMIC.exe Token: SeLoadDriverPrivilege 3064 WMIC.exe Token: SeSystemProfilePrivilege 3064 WMIC.exe Token: SeSystemtimePrivilege 3064 WMIC.exe Token: SeProfSingleProcessPrivilege 3064 WMIC.exe Token: SeIncBasePriorityPrivilege 3064 WMIC.exe Token: SeCreatePagefilePrivilege 3064 WMIC.exe Token: SeBackupPrivilege 3064 WMIC.exe Token: SeRestorePrivilege 3064 WMIC.exe Token: SeShutdownPrivilege 3064 WMIC.exe Token: SeDebugPrivilege 3064 WMIC.exe Token: SeSystemEnvironmentPrivilege 3064 WMIC.exe Token: SeRemoteShutdownPrivilege 3064 WMIC.exe Token: SeUndockPrivilege 3064 WMIC.exe Token: SeManageVolumePrivilege 3064 WMIC.exe Token: 33 3064 WMIC.exe Token: 34 3064 WMIC.exe Token: 35 3064 WMIC.exe Token: SeIncreaseQuotaPrivilege 3064 WMIC.exe Token: SeSecurityPrivilege 3064 WMIC.exe Token: SeTakeOwnershipPrivilege 3064 WMIC.exe Token: SeLoadDriverPrivilege 3064 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2936 2932 cmd.exe 36 PID 2932 wrote to memory of 2936 2932 cmd.exe 36 PID 2932 wrote to memory of 2936 2932 cmd.exe 36 PID 2932 wrote to memory of 2704 2932 cmd.exe 37 PID 2932 wrote to memory of 2704 2932 cmd.exe 37 PID 2932 wrote to memory of 2704 2932 cmd.exe 37 PID 2932 wrote to memory of 2268 2932 cmd.exe 38 PID 2932 wrote to memory of 2268 2932 cmd.exe 38 PID 2932 wrote to memory of 2268 2932 cmd.exe 38 PID 2932 wrote to memory of 2908 2932 cmd.exe 39 PID 2932 wrote to memory of 2908 2932 cmd.exe 39 PID 2932 wrote to memory of 2908 2932 cmd.exe 39 PID 2908 wrote to memory of 3064 2908 cmd.exe 40 PID 2908 wrote to memory of 3064 2908 cmd.exe 40 PID 2908 wrote to memory of 3064 2908 cmd.exe 40 PID 2908 wrote to memory of 2856 2908 cmd.exe 41 PID 2908 wrote to memory of 2856 2908 cmd.exe 41 PID 2908 wrote to memory of 2856 2908 cmd.exe 41 PID 2932 wrote to memory of 3040 2932 cmd.exe 42 PID 2932 wrote to memory of 3040 2932 cmd.exe 42 PID 2932 wrote to memory of 3040 2932 cmd.exe 42 PID 2932 wrote to memory of 2720 2932 cmd.exe 43 PID 2932 wrote to memory of 2720 2932 cmd.exe 43 PID 2932 wrote to memory of 2720 2932 cmd.exe 43 PID 2932 wrote to memory of 2548 2932 cmd.exe 44 PID 2932 wrote to memory of 2548 2932 cmd.exe 44 PID 2932 wrote to memory of 2548 2932 cmd.exe 44 PID 2932 wrote to memory of 2832 2932 cmd.exe 45 PID 2932 wrote to memory of 2832 2932 cmd.exe 45 PID 2932 wrote to memory of 2832 2932 cmd.exe 45 PID 2932 wrote to memory of 2744 2932 cmd.exe 46 PID 2932 wrote to memory of 2744 2932 cmd.exe 46 PID 2932 wrote to memory of 2744 2932 cmd.exe 46 PID 2744 wrote to memory of 2808 2744 cmd.exe 47 PID 2744 wrote to memory of 2808 2744 cmd.exe 47 PID 2744 wrote to memory of 2808 2744 cmd.exe 47 PID 2932 wrote to memory of 2708 2932 cmd.exe 48 PID 2932 wrote to memory of 2708 2932 cmd.exe 48 PID 2932 wrote to memory of 2708 2932 cmd.exe 48 PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2932 wrote to memory of 2468 2932 cmd.exe 31 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2528 2468 cmd.exe 32 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2468 wrote to memory of 2144 2468 cmd.exe 33 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2820 2932 cmd.exe 35 PID 2932 wrote to memory of 2936 2932 cmd.exe 36
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2144
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:2820
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:2936
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:2704
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d 7EDD413DA44A /f2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2856
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:3040
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:2720
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:2548
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f2⤵PID:2832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"2⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv3⤵PID:2808
-
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Local Area Connection" disable2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2708
-