Overview (score 10)
Static (score 3)

Tasks (target | platform | score):
ggpermV3/A...64.exe | windows7-x64 | 1
ggpermV3/A...64.exe | windows10-2004-x64 | 1
ggpermV3/F...er.bat | windows7-x64 | 1
ggpermV3/F...er.bat | windows10-2004-x64 | 1
ggpermV3/N...on.dll | windows7-x64 | 1
ggpermV3/N...on.dll | windows10-2004-x64 | 1
ggpermV3/S...UI.dll | windows7-x64 | 1
ggpermV3/S...UI.dll | windows10-2004-x64 | 1
ggpermV3/T...er.exe | windows7-x64 | -
ggpermV3/T...er.exe | windows10-2004-x64 | -
ggpermV3/a...64.sys | windows7-x64 | 1
ggpermV3/a...64.sys | windows10-2004-x64 | 1
ggpermV3/ggpermV3.exe | windows7-x64 | 3
ggpermV3/ggpermV3.exe | windows10-2004-x64 | 3
ggpermV3/m...er.bat | windows7-x64 | 3
ggpermV3/m...er.bat | windows10-2004-x64 | 3
ggpermV3/s...er.exe | windows7-x64 | 1
ggpermV3/s...er.exe | windows10-2004-x64 | 1
ggpermV3/s...er.exe | windows7-x64 | 1
ggpermV3/s...er.exe | windows10-2004-x64 | 1
ggpermV3/woof.bat | windows7-x64 | 8
ggpermV3/woof.bat | windows10-2004-x64 | 8

Resubmissions (date | analysis ID | score):
09-11-2024 22:49 | 241109-2r2veatfrl | 10
09-11-2024 22:47 | 241109-2qkjqssrdz | 10
09-11-2024 22:46 | 241109-2p2fvstfqj | 10
09-11-2024 22:44 | 241109-2nsgkasrbt | 10
07-11-2024 16:00 | 241107-tfl1taxpgl | 10
10-02-2024 17:17 | 240210-vtnl8sge36 | 10

Analysis
max time kernel: 2s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 22:47
Static task: static1

Behavioral tasks (task | sample | resource):
behavioral1 | ggpermV3/AMIDEWINx64.exe | win7-20240903-en
behavioral2 | ggpermV3/AMIDEWINx64.exe | win10v2004-20241007-en
behavioral3 | ggpermV3/Final_Cleaner.bat | win7-20240903-en
behavioral4 | ggpermV3/Final_Cleaner.bat | win10v2004-20241007-en
behavioral5 | ggpermV3/Newtonsoft.Json.dll | win7-20240903-en
behavioral6 | ggpermV3/Newtonsoft.Json.dll | win10v2004-20241007-en
behavioral7 | ggpermV3/Siticone.UI.dll | win7-20240903-en
behavioral8 | ggpermV3/Siticone.UI.dll | win10v2004-20241007-en
behavioral9 | ggpermV3/Trinity Cleaner.exe | win7-20241010-en
behavioral10 | ggpermV3/Trinity Cleaner.exe | win10v2004-20241007-en
behavioral11 | ggpermV3/amifldrv64.sys | win7-20240903-en
behavioral12 | ggpermV3/amifldrv64.sys | win10v2004-20241007-en
behavioral13 | ggpermV3/ggpermV3.exe | win7-20240903-en
behavioral14 | ggpermV3/ggpermV3.exe | win10v2004-20241007-en
behavioral15 | ggpermV3/macchanger.bat | win7-20240903-en
behavioral16 | ggpermV3/macchanger.bat | win10v2004-20241007-en
behavioral17 | ggpermV3/sxghr-driver.exe | win7-20241023-en
behavioral18 | ggpermV3/sxghr-driver.exe | win10v2004-20241007-en
behavioral19 | ggpermV3/sxghr-driver.exe | win7-20241010-en
behavioral20 | ggpermV3/sxghr-driver.exe | win10v2004-20241007-en
behavioral21 | ggpermV3/woof.bat | win7-20240903-en
General
Target: ggpermV3/macchanger.bat
Size: 2KB
MD5: c0b8d81370dd4defc9317dc6c204d581
SHA1: fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23
SHA256: 4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f
SHA512: 271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828
Malware Config
(none)

Signatures

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token entries for WMIC.exe, PID 2232 (42 entries): the following 21 privileges, each recorded twice in order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token entries for WMIC.exe, PID 4848 (22 entries): the same 21 privileges once each, in the same order, followed by SeIncreaseQuotaPrivilege a second time.

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3576 wrote to memory of 1692 | 3576 | cmd.exe | 84
PID 1692 wrote to memory of 2232 | 1692 | cmd.exe | 85
PID 1692 wrote to memory of 3828 | 1692 | cmd.exe | 86
PID 3576 wrote to memory of 5064 | 3576 | cmd.exe | 89
PID 3576 wrote to memory of 3620 | 3576 | cmd.exe | 91
PID 3576 wrote to memory of 1620 | 3576 | cmd.exe | 92
PID 3576 wrote to memory of 2712 | 3576 | cmd.exe | 94
PID 3576 wrote to memory of 212 | 3576 | cmd.exe | 95
PID 212 wrote to memory of 4848 | 212 | cmd.exe | 96
PID 212 wrote to memory of 2036 | 212 | cmd.exe | 97
PID 3576 wrote to memory of 5088 | 3576 | cmd.exe | 98
PID 3576 wrote to memory of 4944 | 3576 | cmd.exe | 99
PID 3576 wrote to memory of 3212 | 3576 | cmd.exe | 100
PID 3576 wrote to memory of 3040 | 3576 | cmd.exe | 101
PID 3576 wrote to memory of 1452 | 3576 | cmd.exe | 102
PID 1452 wrote to memory of 4364 | 1452 | cmd.exe | 103
PID 3576 wrote to memory of 4120 | 3576 | cmd.exe | 104
Each of the 17 rows above is recorded twice (34 entries); the first 15 rows are then recorded a further two times each (30 entries), giving 64 in total.
Processes (indentation shows the parent/child depth reported by the sandbox)

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\macchanger.bat"
   PID: 3576
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      PID: 1692
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: wmic nic where physicaladapter=true get deviceid
         PID: 2232
         Signatures: Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\system32\findstr.exe
         Command line: findstr [0-9]
         PID: 3828

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      PID: 5064

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      PID: 3620

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      PID: 1620

   2. C:\Windows\system32\reg.exe
      Command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 36E7C121491D /f
      PID: 2712

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      PID: 212
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: wmic nic where physicaladapter=true get deviceid
         PID: 4848
         Signatures: Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\system32\findstr.exe
         Command line: findstr [0-9]
         PID: 2036

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      PID: 5088

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      PID: 4944

   2. C:\Windows\system32\reg.exe
      Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      PID: 3212

   2. C:\Windows\system32\reg.exe
      Command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
      PID: 3040

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
      PID: 1452
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
         PID: 4364

   2. C:\Windows\system32\netsh.exe
      Command line: netsh interface set interface name="Ethernet" disable
      PID: 4120
      Signatures: Event Triggered Execution: Netsh Helper DLL

1. C:\Windows\System32\svchost.exe
   Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
   PID: 1828