c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09-11-2024 22:49

241109-2r2veatfrl 10

09-11-2024 22:47

09-11-2024 22:46

09-11-2024 22:44

07-11-2024 16:00

10-02-2024 17:17

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe
3512	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2024	ipconfig.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3808	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: LoadsDriver 25 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeSystemtimePrivilege	1108	svchost.exe
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeShutdownPrivilege	1108	svchost.exe
Token: SeSystemEnvironmentPrivilege	1108	svchost.exe
Token: SeUndockPrivilege	1108	svchost.exe
Token: SeManageVolumePrivilege	1108	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeSystemtimePrivilege	1108	svchost.exe
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeShutdownPrivilege	1108	svchost.exe
Token: SeSystemEnvironmentPrivilege	1108	svchost.exe
Token: SeUndockPrivilege	1108	svchost.exe
Token: SeManageVolumePrivilege	1108	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeSystemtimePrivilege	1108	svchost.exe
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeShutdownPrivilege	1108	svchost.exe
Token: SeSystemEnvironmentPrivilege	1108	svchost.exe
Token: SeUndockPrivilege	1108	svchost.exe
Token: SeManageVolumePrivilege	1108	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeShutdownPrivilege	1108	svchost.exe
Token: SeSystemEnvironmentPrivilege	1108	svchost.exe
Token: SeManageVolumePrivilege	1108	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeSystemtimePrivilege	1108	svchost.exe
Token: SeBackupPrivilege	1108	svchost.exe
Token: SeRestorePrivilege	1108	svchost.exe
Token: SeShutdownPrivilege	1108	svchost.exe
Token: SeSystemEnvironmentPrivilege	1108	svchost.exe
Token: SeUndockPrivilege	1108	svchost.exe
Token: SeManageVolumePrivilege	1108	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1108	svchost.exe
Token: SeIncreaseQuotaPrivilege	1108	svchost.exe
Token: SeSecurityPrivilege	1108	svchost.exe
Token: SeTakeOwnershipPrivilege	1108	svchost.exe
Token: SeLoadDriverPrivilege	1108	svchost.exe
Token: SeSystemtimePrivilege	1108	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1564	4544	cmd.exe	84
PID 4544 wrote to memory of 1564	4544	cmd.exe	84
PID 4544 wrote to memory of 816	4544	cmd.exe	85
PID 4544 wrote to memory of 816	4544	cmd.exe	85
PID 4544 wrote to memory of 4192	4544	cmd.exe	86
PID 4544 wrote to memory of 4192	4544	cmd.exe	86
PID 4544 wrote to memory of 1168	4544	cmd.exe	87
PID 4544 wrote to memory of 1168	4544	cmd.exe	87
PID 4544 wrote to memory of 876	4544	cmd.exe	88
PID 4544 wrote to memory of 876	4544	cmd.exe	88
PID 4544 wrote to memory of 1496	4544	cmd.exe	89
PID 4544 wrote to memory of 1496	4544	cmd.exe	89
PID 4544 wrote to memory of 4376	4544	cmd.exe	90
PID 4544 wrote to memory of 4376	4544	cmd.exe	90
PID 4544 wrote to memory of 3616	4544	cmd.exe	91
PID 4544 wrote to memory of 3616	4544	cmd.exe	91
PID 4544 wrote to memory of 1316	4544	cmd.exe	92
PID 4544 wrote to memory of 1316	4544	cmd.exe	92
PID 4544 wrote to memory of 2864	4544	cmd.exe	93
PID 4544 wrote to memory of 2864	4544	cmd.exe	93
PID 4544 wrote to memory of 320	4544	cmd.exe	94
PID 4544 wrote to memory of 320	4544	cmd.exe	94
PID 4544 wrote to memory of 3152	4544	cmd.exe	95
PID 4544 wrote to memory of 3152	4544	cmd.exe	95
PID 4544 wrote to memory of 4072	4544	cmd.exe	96
PID 4544 wrote to memory of 4072	4544	cmd.exe	96
PID 4544 wrote to memory of 624	4544	cmd.exe	97
PID 4544 wrote to memory of 624	4544	cmd.exe	97
PID 4544 wrote to memory of 4736	4544	cmd.exe	98
PID 4544 wrote to memory of 4736	4544	cmd.exe	98
PID 4544 wrote to memory of 312	4544	cmd.exe	99
PID 4544 wrote to memory of 312	4544	cmd.exe	99
PID 4544 wrote to memory of 1728	4544	cmd.exe	100
PID 4544 wrote to memory of 1728	4544	cmd.exe	100
PID 4544 wrote to memory of 224	4544	cmd.exe	102
PID 4544 wrote to memory of 224	4544	cmd.exe	102
PID 4544 wrote to memory of 696	4544	cmd.exe	103
PID 4544 wrote to memory of 696	4544	cmd.exe	103
PID 4544 wrote to memory of 5068	4544	cmd.exe	104
PID 4544 wrote to memory of 5068	4544	cmd.exe	104
PID 4544 wrote to memory of 2968	4544	cmd.exe	105
PID 4544 wrote to memory of 2968	4544	cmd.exe	105
PID 4544 wrote to memory of 1300	4544	cmd.exe	106
PID 4544 wrote to memory of 1300	4544	cmd.exe	106
PID 4544 wrote to memory of 408	4544	cmd.exe	107
PID 4544 wrote to memory of 408	4544	cmd.exe	107
PID 4544 wrote to memory of 1324	4544	cmd.exe	109
PID 4544 wrote to memory of 1324	4544	cmd.exe	109
PID 4544 wrote to memory of 2572	4544	cmd.exe	110
PID 4544 wrote to memory of 2572	4544	cmd.exe	110
PID 4544 wrote to memory of 208	4544	cmd.exe	111
PID 4544 wrote to memory of 208	4544	cmd.exe	111
PID 4544 wrote to memory of 2412	4544	cmd.exe	112
PID 4544 wrote to memory of 2412	4544	cmd.exe	112
PID 2412 wrote to memory of 2460	2412	net.exe	113
PID 2412 wrote to memory of 2460	2412	net.exe	113
PID 4544 wrote to memory of 1040	4544	cmd.exe	121
PID 4544 wrote to memory of 1040	4544	cmd.exe	121
PID 1040 wrote to memory of 4404	1040	net.exe	122
PID 1040 wrote to memory of 4404	1040	net.exe	122
PID 4544 wrote to memory of 4904	4544	cmd.exe	123
PID 4544 wrote to memory of 4904	4544	cmd.exe	123
PID 4544 wrote to memory of 3512	4544	cmd.exe	124
PID 4544 wrote to memory of 3512	4544	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 14144185722550227448
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 145725495545925084
  2⤵
  PID:816
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 1259956512286015848
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 14891267012088425965
  2⤵
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 31428185063034710489
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 538522012567921799
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 16252227712268113619
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 350830326281066576
  2⤵
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 1133735391860014205
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 510412019288429429
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 3069524369214227494
  2⤵
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 2958883003229923236
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 1520928251282467583
  2⤵
  PID:624
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 2177097611414830547
  2⤵
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 683431062114826239
  2⤵
  PID:312
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 353925620238157608
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 15612203131925229822
  2⤵
  PID:224
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 16640259962870425710
  2⤵
  PID:696
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 5461151941448426298
  2⤵
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 20410193471636717879
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 3151630336874114197
  2⤵
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 658729361204021172
  2⤵
  PID:408
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 474542702528613973
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 3538156931835529870
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 13142298395455155
  2⤵
  PID:208
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2460
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:4404
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:4904
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:3512
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
PID:1932

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\wbem\repository\MAPPING3.MAP

Filesize
207KB

MD5
497676942d2207d6a0b8b803dec6b842

SHA1
36b4d906e14a6442b9e425419b80f9bff244633a

SHA256
231e8c01f0a683cb5f3c14f54cada39ae8944cd6c82c0f58e2680f423cd981a7

SHA512
7f8c058564586608acc477d218d27968af340eaf0bc97db183b7f05935787d0810553aae711f175e7c65d3210dfb7a1a86e71fffc5b918541c0d828da5a7ea56

Download Submit