Overview
overview
10Static
static
3ggpermV3/A...64.exe
windows7-x64
1ggpermV3/A...64.exe
windows10-2004-x64
1ggpermV3/F...er.bat
windows7-x64
1ggpermV3/F...er.bat
windows10-2004-x64
1ggpermV3/N...on.dll
windows7-x64
1ggpermV3/N...on.dll
windows10-2004-x64
1ggpermV3/S...UI.dll
windows7-x64
1ggpermV3/S...UI.dll
windows10-2004-x64
1ggpermV3/T...er.exe
windows7-x64
ggpermV3/T...er.exe
windows10-2004-x64
ggpermV3/a...64.sys
windows7-x64
1ggpermV3/a...64.sys
windows10-2004-x64
1ggpermV3/ggpermV3.exe
windows7-x64
3ggpermV3/ggpermV3.exe
windows10-2004-x64
3ggpermV3/m...er.bat
windows7-x64
3ggpermV3/m...er.bat
windows10-2004-x64
3ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/s...er.exe
windows7-x64
1ggpermV3/s...er.exe
windows10-2004-x64
1ggpermV3/woof.bat
windows7-x64
8ggpermV3/woof.bat
windows10-2004-x64
8Resubmissions
09-11-2024 22:49
241109-2r2veatfrl 1009-11-2024 22:47
241109-2qkjqssrdz 1009-11-2024 22:46
241109-2p2fvstfqj 1009-11-2024 22:44
241109-2nsgkasrbt 1007-11-2024 16:00
241107-tfl1taxpgl 1010-02-2024 17:17
240210-vtnl8sge36 10Analysis
-
max time kernel
2s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 22:47
Static task
static1
Behavioral task
behavioral1
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
ggpermV3/AMIDEWINx64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ggpermV3/Final_Cleaner.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
ggpermV3/Final_Cleaner.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
ggpermV3/Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ggpermV3/Siticone.UI.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
ggpermV3/Siticone.UI.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
ggpermV3/Trinity Cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ggpermV3/amifldrv64.sys
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
ggpermV3/amifldrv64.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ggpermV3/ggpermV3.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
ggpermV3/ggpermV3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ggpermV3/macchanger.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
ggpermV3/macchanger.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral18
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ggpermV3/sxghr-driver.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
ggpermV3/sxghr-driver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ggpermV3/woof.bat
Resource
win7-20240903-en
windows7-x64
General
-
Target
ggpermV3/macchanger.bat
-
Size
2KB
-
MD5
c0b8d81370dd4defc9317dc6c204d581
-
SHA1
fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
-
SHA256
4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
-
SHA512
271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config
Signatures
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2304 WMIC.exe Token: SeSecurityPrivilege 2304 WMIC.exe Token: SeTakeOwnershipPrivilege 2304 WMIC.exe Token: SeLoadDriverPrivilege 2304 WMIC.exe Token: SeSystemProfilePrivilege 2304 WMIC.exe Token: SeSystemtimePrivilege 2304 WMIC.exe Token: SeProfSingleProcessPrivilege 2304 WMIC.exe Token: SeIncBasePriorityPrivilege 2304 WMIC.exe Token: SeCreatePagefilePrivilege 2304 WMIC.exe Token: SeBackupPrivilege 2304 WMIC.exe Token: SeRestorePrivilege 2304 WMIC.exe Token: SeShutdownPrivilege 2304 WMIC.exe Token: SeDebugPrivilege 2304 WMIC.exe Token: SeSystemEnvironmentPrivilege 2304 WMIC.exe Token: SeRemoteShutdownPrivilege 2304 WMIC.exe Token: SeUndockPrivilege 2304 WMIC.exe Token: SeManageVolumePrivilege 2304 WMIC.exe Token: 33 2304 WMIC.exe Token: 34 2304 WMIC.exe Token: 35 2304 WMIC.exe Token: SeIncreaseQuotaPrivilege 2304 WMIC.exe Token: SeSecurityPrivilege 2304 WMIC.exe Token: SeTakeOwnershipPrivilege 2304 WMIC.exe Token: SeLoadDriverPrivilege 2304 WMIC.exe Token: SeSystemProfilePrivilege 2304 WMIC.exe Token: SeSystemtimePrivilege 2304 WMIC.exe Token: SeProfSingleProcessPrivilege 2304 WMIC.exe Token: SeIncBasePriorityPrivilege 2304 WMIC.exe Token: SeCreatePagefilePrivilege 2304 WMIC.exe Token: SeBackupPrivilege 2304 WMIC.exe Token: SeRestorePrivilege 2304 WMIC.exe Token: SeShutdownPrivilege 2304 WMIC.exe Token: SeDebugPrivilege 2304 WMIC.exe Token: SeSystemEnvironmentPrivilege 2304 WMIC.exe Token: SeRemoteShutdownPrivilege 2304 WMIC.exe Token: SeUndockPrivilege 2304 WMIC.exe Token: SeManageVolumePrivilege 2304 WMIC.exe Token: 33 2304 WMIC.exe Token: 34 2304 WMIC.exe Token: 35 2304 WMIC.exe Token: SeIncreaseQuotaPrivilege 2948 WMIC.exe Token: SeSecurityPrivilege 2948 WMIC.exe Token: SeTakeOwnershipPrivilege 2948 WMIC.exe Token: SeLoadDriverPrivilege 2948 WMIC.exe Token: SeSystemProfilePrivilege 2948 WMIC.exe Token: SeSystemtimePrivilege 2948 WMIC.exe Token: SeProfSingleProcessPrivilege 2948 WMIC.exe Token: SeIncBasePriorityPrivilege 2948 WMIC.exe Token: SeCreatePagefilePrivilege 2948 WMIC.exe Token: SeBackupPrivilege 2948 WMIC.exe Token: SeRestorePrivilege 2948 WMIC.exe Token: SeShutdownPrivilege 2948 WMIC.exe Token: SeDebugPrivilege 2948 WMIC.exe Token: SeSystemEnvironmentPrivilege 2948 WMIC.exe Token: SeRemoteShutdownPrivilege 2948 WMIC.exe Token: SeUndockPrivilege 2948 WMIC.exe Token: SeManageVolumePrivilege 2948 WMIC.exe Token: 33 2948 WMIC.exe Token: 34 2948 WMIC.exe Token: 35 2948 WMIC.exe Token: SeIncreaseQuotaPrivilege 2948 WMIC.exe Token: SeSecurityPrivilege 2948 WMIC.exe Token: SeTakeOwnershipPrivilege 2948 WMIC.exe Token: SeLoadDriverPrivilege 2948 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 1268 2204 cmd.exe 34 PID 2204 wrote to memory of 1268 2204 cmd.exe 34 PID 2204 wrote to memory of 1268 2204 cmd.exe 34 PID 2204 wrote to memory of 1816 2204 cmd.exe 35 PID 2204 wrote to memory of 1816 2204 cmd.exe 35 PID 2204 wrote to memory of 1816 2204 cmd.exe 35 PID 2204 wrote to memory of 1968 2204 cmd.exe 36 PID 2204 wrote to memory of 1968 2204 cmd.exe 36 PID 2204 wrote to memory of 1968 2204 cmd.exe 36 PID 2204 wrote to memory of 2940 2204 cmd.exe 37 PID 2204 wrote to memory of 2940 2204 cmd.exe 37 PID 2204 wrote to memory of 2940 2204 cmd.exe 37 PID 2940 wrote to memory of 2948 2940 cmd.exe 38 PID 2940 wrote to memory of 2948 2940 cmd.exe 38 PID 2940 wrote to memory of 2948 2940 cmd.exe 38 PID 2940 wrote to memory of 2964 2940 cmd.exe 39 PID 2940 wrote to memory of 2964 2940 cmd.exe 39 PID 2940 wrote to memory of 2964 2940 cmd.exe 39 PID 2204 wrote to memory of 2428 2204 cmd.exe 40 PID 2204 wrote to memory of 2428 2204 cmd.exe 40 PID 2204 wrote to memory of 2428 2204 cmd.exe 40 PID 2204 wrote to memory of 2416 2204 cmd.exe 41 PID 2204 wrote to memory of 2416 2204 cmd.exe 41 PID 2204 wrote to memory of 2416 2204 cmd.exe 41 PID 2204 wrote to memory of 1732 2204 cmd.exe 42 PID 2204 wrote to memory of 1732 2204 cmd.exe 42 PID 2204 wrote to memory of 1732 2204 cmd.exe 42 PID 2204 wrote to memory of 2464 2204 cmd.exe 43 PID 2204 wrote to memory of 2464 2204 cmd.exe 43 PID 2204 wrote to memory of 2464 2204 cmd.exe 43 PID 2204 wrote to memory of 2408 2204 cmd.exe 44 PID 2204 wrote to memory of 2408 2204 cmd.exe 44 PID 2204 wrote to memory of 2408 2204 cmd.exe 44 PID 2408 wrote to memory of 2180 2408 cmd.exe 45 PID 2408 wrote to memory of 2180 2408 cmd.exe 45 PID 2408 wrote to memory of 2180 2408 cmd.exe 45 PID 2204 wrote to memory of 3056 2204 cmd.exe 46 PID 2204 wrote to memory of 3056 2204 cmd.exe 46 PID 2204 wrote to memory of 3056 2204 cmd.exe 46 PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2204 wrote to memory of 2276 2204 cmd.exe 29 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2304 2276 cmd.exe 30 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2276 wrote to memory of 2312 2276 cmd.exe 31 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 2936 2204 cmd.exe 33 PID 2204 wrote to memory of 1268 2204 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2312
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:2936
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:1268
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:1816
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d 06672B904D51 /f2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2964
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:2428
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:2416
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:1732
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"2⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv3⤵PID:2180
-
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Local Area Connection" disable2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3056
-