Overview

Task                       Platform              Score
overview                                         10
static                                           3
ggpermV3/A...64.exe        windows7-x64          1
ggpermV3/A...64.exe        windows10-2004-x64    1
ggpermV3/F...er.bat        windows7-x64          1
ggpermV3/F...er.bat        windows10-2004-x64    1
ggpermV3/N...on.dll        windows7-x64          1
ggpermV3/N...on.dll        windows10-2004-x64    1
ggpermV3/S...UI.dll        windows7-x64          1
ggpermV3/S...UI.dll        windows10-2004-x64    1
ggpermV3/T...er.exe        windows7-x64
ggpermV3/T...er.exe        windows10-2004-x64    10
ggpermV3/a...64.sys        windows7-x64          1
ggpermV3/a...64.sys        windows10-2004-x64    1
ggpermV3/ggpermV3.exe      windows7-x64          6
ggpermV3/ggpermV3.exe      windows10-2004-x64    3
ggpermV3/m...er.bat        windows7-x64          3
ggpermV3/m...er.bat        windows10-2004-x64    3
ggpermV3/s...er.exe        windows7-x64          1
ggpermV3/s...er.exe        windows10-2004-x64    1
ggpermV3/s...er.exe        windows7-x64          1
ggpermV3/s...er.exe        windows10-2004-x64    1
ggpermV3/woof.bat          windows7-x64          8
ggpermV3/woof.bat          windows10-2004-x64    8

Resubmissions

Submitted            Task ID              Score
09/11/2024, 22:49    241109-2r2veatfrl    10
09/11/2024, 22:47    241109-2qkjqssrdz    10
09/11/2024, 22:46    241109-2p2fvstfqj    10
09/11/2024, 22:44    241109-2nsgkasrbt    10
07/11/2024, 16:00    241107-tfl1taxpgl    10
10/02/2024, 17:17    240210-vtnl8sge36    10

Analysis

max time kernel:  1s
max time network: 140s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted:        07/11/2024, 16:00
Static task
static1

Behavioral tasks

Task            Sample                           Resource
behavioral1     ggpermV3/AMIDEWINx64.exe         win7-20240903-en
behavioral2     ggpermV3/AMIDEWINx64.exe         win10v2004-20241007-en
behavioral3     ggpermV3/Final_Cleaner.bat       win7-20240903-en
behavioral4     ggpermV3/Final_Cleaner.bat       win10v2004-20241007-en
behavioral5     ggpermV3/Newtonsoft.Json.dll     win7-20240903-en
behavioral6     ggpermV3/Newtonsoft.Json.dll     win10v2004-20241007-en
behavioral7     ggpermV3/Siticone.UI.dll         win7-20241010-en
behavioral8     ggpermV3/Siticone.UI.dll         win10v2004-20241007-en
behavioral9     ggpermV3/Trinity Cleaner.exe     win7-20240708-en
behavioral10    ggpermV3/Trinity Cleaner.exe     win10v2004-20241007-en
behavioral11    ggpermV3/amifldrv64.sys          win7-20240903-en
behavioral12    ggpermV3/amifldrv64.sys          win10v2004-20241007-en
behavioral13    ggpermV3/ggpermV3.exe            win7-20240903-en
behavioral14    ggpermV3/ggpermV3.exe            win10v2004-20241007-en
behavioral15    ggpermV3/macchanger.bat          win7-20241010-en
behavioral16    ggpermV3/macchanger.bat          win10v2004-20241007-en
behavioral17    ggpermV3/sxghr-driver.exe        win7-20241010-en
behavioral18    ggpermV3/sxghr-driver.exe        win10v2004-20241007-en
behavioral19    ggpermV3/sxghr-driver.exe        win7-20240903-en
behavioral20    ggpermV3/sxghr-driver.exe        win10v2004-20241007-en
behavioral21    ggpermV3/woof.bat                win7-20240903-en
General

Target:  ggpermV3/macchanger.bat
Size:    2KB
MD5:     c0b8d81370dd4defc9317dc6c204d581
SHA1:    fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
SHA256:  4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
SHA512:  271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

description             ioc                                           Process
Key opened              \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe
Key queried             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe
Key value enumerated    \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                               pid     Process
Token: SeIncreaseQuotaPrivilege           720     WMIC.exe
Token: SeSecurityPrivilege                720     WMIC.exe
Token: SeTakeOwnershipPrivilege           720     WMIC.exe
Token: SeLoadDriverPrivilege              720     WMIC.exe
Token: SeSystemProfilePrivilege           720     WMIC.exe
Token: SeSystemtimePrivilege              720     WMIC.exe
Token: SeProfSingleProcessPrivilege       720     WMIC.exe
Token: SeIncBasePriorityPrivilege         720     WMIC.exe
Token: SeCreatePagefilePrivilege          720     WMIC.exe
Token: SeBackupPrivilege                  720     WMIC.exe
Token: SeRestorePrivilege                 720     WMIC.exe
Token: SeShutdownPrivilege                720     WMIC.exe
Token: SeDebugPrivilege                   720     WMIC.exe
Token: SeSystemEnvironmentPrivilege       720     WMIC.exe
Token: SeRemoteShutdownPrivilege          720     WMIC.exe
Token: SeUndockPrivilege                  720     WMIC.exe
Token: SeManageVolumePrivilege            720     WMIC.exe
Token: 33                                 720     WMIC.exe
Token: 34                                 720     WMIC.exe
Token: 35                                 720     WMIC.exe
Token: 36                                 720     WMIC.exe
Token: SeIncreaseQuotaPrivilege           720     WMIC.exe
Token: SeSecurityPrivilege                720     WMIC.exe
Token: SeTakeOwnershipPrivilege           720     WMIC.exe
Token: SeLoadDriverPrivilege              720     WMIC.exe
Token: SeSystemProfilePrivilege           720     WMIC.exe
Token: SeSystemtimePrivilege              720     WMIC.exe
Token: SeProfSingleProcessPrivilege       720     WMIC.exe
Token: SeIncBasePriorityPrivilege         720     WMIC.exe
Token: SeCreatePagefilePrivilege          720     WMIC.exe
Token: SeBackupPrivilege                  720     WMIC.exe
Token: SeRestorePrivilege                 720     WMIC.exe
Token: SeShutdownPrivilege                720     WMIC.exe
Token: SeDebugPrivilege                   720     WMIC.exe
Token: SeSystemEnvironmentPrivilege       720     WMIC.exe
Token: SeRemoteShutdownPrivilege          720     WMIC.exe
Token: SeUndockPrivilege                  720     WMIC.exe
Token: SeManageVolumePrivilege            720     WMIC.exe
Token: 33                                 720     WMIC.exe
Token: 34                                 720     WMIC.exe
Token: 35                                 720     WMIC.exe
Token: 36                                 720     WMIC.exe
Token: SeIncreaseQuotaPrivilege           1584    WMIC.exe
Token: SeSecurityPrivilege                1584    WMIC.exe
Token: SeTakeOwnershipPrivilege           1584    WMIC.exe
Token: SeLoadDriverPrivilege              1584    WMIC.exe
Token: SeSystemProfilePrivilege           1584    WMIC.exe
Token: SeSystemtimePrivilege              1584    WMIC.exe
Token: SeProfSingleProcessPrivilege       1584    WMIC.exe
Token: SeIncBasePriorityPrivilege         1584    WMIC.exe
Token: SeCreatePagefilePrivilege          1584    WMIC.exe
Token: SeBackupPrivilege                  1584    WMIC.exe
Token: SeRestorePrivilege                 1584    WMIC.exe
Token: SeShutdownPrivilege                1584    WMIC.exe
Token: SeDebugPrivilege                   1584    WMIC.exe
Token: SeSystemEnvironmentPrivilege       1584    WMIC.exe
Token: SeRemoteShutdownPrivilege          1584    WMIC.exe
Token: SeUndockPrivilege                  1584    WMIC.exe
Token: SeManageVolumePrivilege            1584    WMIC.exe
Token: 33                                 1584    WMIC.exe
Token: 34                                 1584    WMIC.exe
Token: 35                                 1584    WMIC.exe
Token: 36                                 1584    WMIC.exe
Token: SeIncreaseQuotaPrivilege           1584    WMIC.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description                            pid     Process    procid_target
PID 4032 wrote to memory of 4800       4032    cmd.exe    84
PID 4032 wrote to memory of 4800       4032    cmd.exe    84
PID 4800 wrote to memory of 720        4800    cmd.exe    85
PID 4800 wrote to memory of 720        4800    cmd.exe    85
PID 4800 wrote to memory of 3256       4800    cmd.exe    86
PID 4800 wrote to memory of 3256       4800    cmd.exe    86
PID 4032 wrote to memory of 1016       4032    cmd.exe    88
PID 4032 wrote to memory of 1016       4032    cmd.exe    88
PID 4032 wrote to memory of 4584       4032    cmd.exe    89
PID 4032 wrote to memory of 4584       4032    cmd.exe    89
PID 4032 wrote to memory of 2328       4032    cmd.exe    90
PID 4032 wrote to memory of 2328       4032    cmd.exe    90
PID 4032 wrote to memory of 2320       4032    cmd.exe    91
PID 4032 wrote to memory of 2320       4032    cmd.exe    91
PID 4032 wrote to memory of 4312       4032    cmd.exe    93
PID 4032 wrote to memory of 4312       4032    cmd.exe    93
PID 4312 wrote to memory of 1584       4312    cmd.exe    94
PID 4312 wrote to memory of 1584       4312    cmd.exe    94
PID 4312 wrote to memory of 4596       4312    cmd.exe    95
PID 4312 wrote to memory of 4596       4312    cmd.exe    95
PID 4032 wrote to memory of 2196       4032    cmd.exe    96
PID 4032 wrote to memory of 2196       4032    cmd.exe    96
PID 4032 wrote to memory of 5040       4032    cmd.exe    97
PID 4032 wrote to memory of 5040       4032    cmd.exe    97
PID 4032 wrote to memory of 840        4032    cmd.exe    99
PID 4032 wrote to memory of 840        4032    cmd.exe    99
PID 4032 wrote to memory of 4512       4032    cmd.exe    100
PID 4032 wrote to memory of 4512       4032    cmd.exe    100
PID 4032 wrote to memory of 3496       4032    cmd.exe    101
PID 4032 wrote to memory of 3496       4032    cmd.exe    101
PID 3496 wrote to memory of 4716       3496    cmd.exe    102
PID 3496 wrote to memory of 4716       3496    cmd.exe    102
PID 4032 wrote to memory of 4080       4032    cmd.exe    103
PID 4032 wrote to memory of 4080       4032    cmd.exe    103
PID 4032 wrote to memory of 4800       4032    cmd.exe    84
PID 4032 wrote to memory of 4800       4032    cmd.exe    84
PID 4800 wrote to memory of 720        4800    cmd.exe    85
PID 4800 wrote to memory of 720        4800    cmd.exe    85
PID 4800 wrote to memory of 3256       4800    cmd.exe    86
PID 4800 wrote to memory of 3256       4800    cmd.exe    86
PID 4032 wrote to memory of 1016       4032    cmd.exe    88
PID 4032 wrote to memory of 1016       4032    cmd.exe    88
PID 4032 wrote to memory of 4584       4032    cmd.exe    89
PID 4032 wrote to memory of 4584       4032    cmd.exe    89
PID 4032 wrote to memory of 2328       4032    cmd.exe    90
PID 4032 wrote to memory of 2328       4032    cmd.exe    90
PID 4032 wrote to memory of 2320       4032    cmd.exe    91
PID 4032 wrote to memory of 2320       4032    cmd.exe    91
PID 4032 wrote to memory of 4312       4032    cmd.exe    93
PID 4032 wrote to memory of 4312       4032    cmd.exe    93
PID 4312 wrote to memory of 1584       4312    cmd.exe    94
PID 4312 wrote to memory of 1584       4312    cmd.exe    94
PID 4312 wrote to memory of 4596       4312    cmd.exe    95
PID 4312 wrote to memory of 4596       4312    cmd.exe    95
PID 4032 wrote to memory of 2196       4032    cmd.exe    96
PID 4032 wrote to memory of 2196       4032    cmd.exe    96
PID 4032 wrote to memory of 5040       4032    cmd.exe    97
PID 4032 wrote to memory of 5040       4032    cmd.exe    97
PID 4032 wrote to memory of 840        4032    cmd.exe    99
PID 4032 wrote to memory of 840        4032    cmd.exe    99
PID 4032 wrote to memory of 4512       4032    cmd.exe    100
PID 4032 wrote to memory of 4512       4032    cmd.exe    100
PID 4032 wrote to memory of 3496       4032    cmd.exe    101
PID 4032 wrote to memory of 3496       4032    cmd.exe    101
Processes (process tree; indentation shows parent/child depth, signatures in brackets)

C:\Windows\system32\cmd.exe (PID 4032) [Suspicious use of WriteProcessMemory]
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
  C:\Windows\system32\cmd.exe (PID 4800) [Suspicious use of WriteProcessMemory]
      command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    C:\Windows\System32\Wbem\WMIC.exe (PID 720) [Suspicious use of AdjustPrivilegeToken]
        command line: wmic nic where physicaladapter=true get deviceid
    C:\Windows\system32\findstr.exe (PID 3256)
        command line: findstr [0-9]
  C:\Windows\system32\reg.exe (PID 1016)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  C:\Windows\system32\reg.exe (PID 4584)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  C:\Windows\system32\reg.exe (PID 2328)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  C:\Windows\system32\reg.exe (PID 2320)
      command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 4A5D9ABCB88E /f
  C:\Windows\system32\cmd.exe (PID 4312) [Suspicious use of WriteProcessMemory]
      command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    C:\Windows\System32\Wbem\WMIC.exe (PID 1584) [Suspicious use of AdjustPrivilegeToken]
        command line: wmic nic where physicaladapter=true get deviceid
    C:\Windows\system32\findstr.exe (PID 4596)
        command line: findstr [0-9]
  C:\Windows\system32\reg.exe (PID 2196)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  C:\Windows\system32\reg.exe (PID 5040)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  C:\Windows\system32\reg.exe (PID 840)
      command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  C:\Windows\system32\reg.exe (PID 4512)
      command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  C:\Windows\system32\cmd.exe (PID 3496) [Suspicious use of WriteProcessMemory]
      command line: C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    C:\Windows\System32\Wbem\WMIC.exe (PID 4716)
        command line: wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
  C:\Windows\system32\netsh.exe (PID 4080) [Event Triggered Execution: Netsh Helper DLL]
      command line: netsh interface set interface name="Ethernet" disable

C:\Windows\System32\svchost.exe (PID 5108)
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman