c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2336	sc.exe
2168	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
664	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2412	1704	cmd.exe	31
PID 1704 wrote to memory of 2412	1704	cmd.exe	31
PID 1704 wrote to memory of 2412	1704	cmd.exe	31
PID 1704 wrote to memory of 2420	1704	cmd.exe	32
PID 1704 wrote to memory of 2420	1704	cmd.exe	32
PID 1704 wrote to memory of 2420	1704	cmd.exe	32
PID 1704 wrote to memory of 2556	1704	cmd.exe	33
PID 1704 wrote to memory of 2556	1704	cmd.exe	33
PID 1704 wrote to memory of 2556	1704	cmd.exe	33
PID 1704 wrote to memory of 2088	1704	cmd.exe	34
PID 1704 wrote to memory of 2088	1704	cmd.exe	34
PID 1704 wrote to memory of 2088	1704	cmd.exe	34
PID 1704 wrote to memory of 2560	1704	cmd.exe	35
PID 1704 wrote to memory of 2560	1704	cmd.exe	35
PID 1704 wrote to memory of 2560	1704	cmd.exe	35
PID 1704 wrote to memory of 2376	1704	cmd.exe	36
PID 1704 wrote to memory of 2376	1704	cmd.exe	36
PID 1704 wrote to memory of 2376	1704	cmd.exe	36
PID 1704 wrote to memory of 2524	1704	cmd.exe	37
PID 1704 wrote to memory of 2524	1704	cmd.exe	37
PID 1704 wrote to memory of 2524	1704	cmd.exe	37
PID 1704 wrote to memory of 1908	1704	cmd.exe	38
PID 1704 wrote to memory of 1908	1704	cmd.exe	38
PID 1704 wrote to memory of 1908	1704	cmd.exe	38
PID 1704 wrote to memory of 2952	1704	cmd.exe	39
PID 1704 wrote to memory of 2952	1704	cmd.exe	39
PID 1704 wrote to memory of 2952	1704	cmd.exe	39
PID 1704 wrote to memory of 2080	1704	cmd.exe	40
PID 1704 wrote to memory of 2080	1704	cmd.exe	40
PID 1704 wrote to memory of 2080	1704	cmd.exe	40
PID 1704 wrote to memory of 2956	1704	cmd.exe	41
PID 1704 wrote to memory of 2956	1704	cmd.exe	41
PID 1704 wrote to memory of 2956	1704	cmd.exe	41
PID 1704 wrote to memory of 2804	1704	cmd.exe	42
PID 1704 wrote to memory of 2804	1704	cmd.exe	42
PID 1704 wrote to memory of 2804	1704	cmd.exe	42
PID 1704 wrote to memory of 2468	1704	cmd.exe	43
PID 1704 wrote to memory of 2468	1704	cmd.exe	43
PID 1704 wrote to memory of 2468	1704	cmd.exe	43
PID 1704 wrote to memory of 2268	1704	cmd.exe	44
PID 1704 wrote to memory of 2268	1704	cmd.exe	44
PID 1704 wrote to memory of 2268	1704	cmd.exe	44
PID 1704 wrote to memory of 2760	1704	cmd.exe	45
PID 1704 wrote to memory of 2760	1704	cmd.exe	45
PID 1704 wrote to memory of 2760	1704	cmd.exe	45
PID 1704 wrote to memory of 2768	1704	cmd.exe	46
PID 1704 wrote to memory of 2768	1704	cmd.exe	46
PID 1704 wrote to memory of 2768	1704	cmd.exe	46
PID 1704 wrote to memory of 2884	1704	cmd.exe	47
PID 1704 wrote to memory of 2884	1704	cmd.exe	47
PID 1704 wrote to memory of 2884	1704	cmd.exe	47
PID 1704 wrote to memory of 2908	1704	cmd.exe	48
PID 1704 wrote to memory of 2908	1704	cmd.exe	48
PID 1704 wrote to memory of 2908	1704	cmd.exe	48
PID 1704 wrote to memory of 2888	1704	cmd.exe	49
PID 1704 wrote to memory of 2888	1704	cmd.exe	49
PID 1704 wrote to memory of 2888	1704	cmd.exe	49
PID 1704 wrote to memory of 3036	1704	cmd.exe	50
PID 1704 wrote to memory of 3036	1704	cmd.exe	50
PID 1704 wrote to memory of 3036	1704	cmd.exe	50
PID 1704 wrote to memory of 2776	1704	cmd.exe	51
PID 1704 wrote to memory of 2776	1704	cmd.exe	51
PID 1704 wrote to memory of 2776	1704	cmd.exe	51
PID 1704 wrote to memory of 3032	1704	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 25418151663037916883
  2⤵
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 20767213762966513986
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 2953771823161411828
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 19121827186316099
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 2788321768190155430
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 23056270052981528219
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 755613273221431809
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 396215567251719642
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 1911611906272977887
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 10831109141238632101
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 25670194162833612014
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 5014221172274322867
  2⤵
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 18202235581604615840
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 26744222981924019856
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 3923262439021131
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 5314265852318321229
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 314891836280674297
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 32103267011550019310
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 237043484131109704
  2⤵
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 1510011572598522218
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 753632462120211323
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 256598419834130447
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 20547228011701429768
  2⤵
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 2675313248193141147
  2⤵
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 2142618181674426600
  2⤵
  PID:2736
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2708
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:1440
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:664