Overview
Static (score 10)

Samples (score, file, platform):
- 3 - ggpermV3.rar - windows10-2004-x64
- 1 - ggpermV3/A...64.exe - windows10-2004-x64
- 1 - ggpermV3/F...er.bat - windows10-2004-x64
- 1 - ggpermV3/N...on.dll - windows10-2004-x64
- 1 - ggpermV3/S...UI.dll - windows10-2004-x64
- 1 - ggpermV3/T...er.exe - windows10-2004-x64
- 10 - ggpermV3/a...64.sys - windows10-2004-x64
- 1 - ggpermV3/ggpermV3.exe - windows10-2004-x64
- 3 - ggpermV3/m...er.bat - windows10-2004-x64
- 3 - ggpermV3/s...er.exe - windows10-2004-x64
- 1 - ggpermV3/s...er.exe - windows10-2004-x64
- 1 - ggpermV3/s...er.pdb - windows10-2004-x64
- 3 - ggpermV3/s...g.json - windows10-2004-x64
- 3 - ggpermV3/woof.bat - windows10-2004-x64
Resubmissions (8)
- 09/11/2024, 22:49 - 241109-2r2veatfrl (score 10)
- 09/11/2024, 22:47 - 241109-2qkjqssrdz (score 10)
- 09/11/2024, 22:46 - 241109-2p2fvstfqj (score 10)
- 09/11/2024, 22:44 - 241109-2nsgkasrbt (score 10)
- 07/11/2024, 16:00 - 241107-tfl1taxpgl (score 10)
- 10/02/2024, 17:17 - 240210-vtnl8sge36 (score 10)

Analysis
- max time kernel: 2s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:44
Static task
- static1

Behavioral tasks (task, sample, resource):
- behavioral1 - ggpermV3.rar - win10v2004-20241007-en
- behavioral2 - ggpermV3/AMIDEWINx64.exe - win10v2004-20241007-en
- behavioral3 - ggpermV3/Final_Cleaner.bat - win10v2004-20241007-en
- behavioral4 - ggpermV3/Newtonsoft.Json.dll - win10v2004-20241007-en
- behavioral5 - ggpermV3/Siticone.UI.dll - win10v2004-20241007-en
- behavioral6 - ggpermV3/Trinity Cleaner.exe - win10v2004-20241007-en
- behavioral7 - ggpermV3/amifldrv64.sys - win10v2004-20241007-en
- behavioral8 - ggpermV3/ggpermV3.exe - win10v2004-20241007-en
- behavioral9 - ggpermV3/macchanger.bat - win10v2004-20241007-en
- behavioral10 - ggpermV3/sxghr-driver.exe - win10v2004-20241007-en
- behavioral11 - ggpermV3/sxghr-driver.exe - win10v2004-20241007-en
- behavioral12 - ggpermV3/sxghr-driver.pdb - win10v2004-20241007-en
- behavioral13 - ggpermV3/sxghr-driver.runtimeconfig.json - win10v2004-20241007-en
General
- Target: ggpermV3/macchanger.bat
- Size: 2KB
- MD5: c0b8d81370dd4defc9317dc6c204d581
- SHA1: fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
- SHA256: 4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
- SHA512: 271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Rows (description, ioc, process):
- Key value enumerated - \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh - netsh.exe
- Key opened - \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh - netsh.exe
- Key queried - \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh - netsh.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Rows (description, pid, process); the same privilege set is adjusted by both WMIC.exe instances:
- PID 3428 WMIC.exe - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 2332 WMIC.exe - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (64 IoCs)
Rows (description, pid, process, procid_target):
- PID 3648 wrote to memory of 2820 - 3648 - cmd.exe - 85
- PID 2820 wrote to memory of 3428 - 2820 - cmd.exe - 86
- PID 2820 wrote to memory of 4488 - 2820 - cmd.exe - 87
- PID 3648 wrote to memory of 3092 - 3648 - cmd.exe - 90
- PID 3648 wrote to memory of 2136 - 3648 - cmd.exe - 91
- PID 3648 wrote to memory of 4512 - 3648 - cmd.exe - 92
- PID 3648 wrote to memory of 1640 - 3648 - cmd.exe - 93
- PID 3648 wrote to memory of 3716 - 3648 - cmd.exe - 94
- PID 3716 wrote to memory of 2332 - 3716 - cmd.exe - 95
- PID 3716 wrote to memory of 4016 - 3716 - cmd.exe - 96
- PID 3648 wrote to memory of 768 - 3648 - cmd.exe - 97
- PID 3648 wrote to memory of 4472 - 3648 - cmd.exe - 98
- PID 3648 wrote to memory of 2568 - 3648 - cmd.exe - 99
- PID 3648 wrote to memory of 4552 - 3648 - cmd.exe - 100
- PID 3648 wrote to memory of 5008 - 3648 - cmd.exe - 101
- PID 5008 wrote to memory of 60 - 5008 - cmd.exe - 102
- PID 3648 wrote to memory of 1508 - 3648 - cmd.exe - 104
Processes
- PID 3648: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
  signatures: Suspicious use of WriteProcessMemory
  - PID 2820: C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    signatures: Suspicious use of WriteProcessMemory
    - PID 3428: C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic nic where physicaladapter=true get deviceid
      signatures: Suspicious use of AdjustPrivilegeToken
    - PID 4488: C:\Windows\system32\findstr.exe
      cmdline: findstr [0-9]
  - PID 3092: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - PID 2136: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - PID 4512: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - PID 1640: C:\Windows\system32\reg.exe
    cmdline: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d B6AB10D6986A /f
  - PID 3716: C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    signatures: Suspicious use of WriteProcessMemory
    - PID 2332: C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic nic where physicaladapter=true get deviceid
      signatures: Suspicious use of AdjustPrivilegeToken
    - PID 4016: C:\Windows\system32\findstr.exe
      cmdline: findstr [0-9]
  - PID 768: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - PID 4472: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - PID 2568: C:\Windows\system32\reg.exe
    cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - PID 4552: C:\Windows\system32\reg.exe
    cmdline: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  - PID 5008: C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    signatures: Suspicious use of WriteProcessMemory
    - PID 60: C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
  - PID 1508: C:\Windows\system32\netsh.exe
    cmdline: netsh interface set interface name="Ethernet" disable
    signatures: Event Triggered Execution: Netsh Helper DLL
- PID 4272: C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman