Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ggpermV3.rar

windows7-x64

1

ggpermV3.rar

windows10-2004-x64

1

ggpermV3/A...64.exe

windows7-x64

1

ggpermV3/A...64.exe

windows10-2004-x64

1

ggpermV3/F...er.bat

windows7-x64

1

ggpermV3/F...er.bat

windows10-2004-x64

1

ggpermV3/N...on.dll

windows7-x64

1

ggpermV3/N...on.dll

windows10-2004-x64

1

ggpermV3/S...UI.dll

windows7-x64

1

ggpermV3/S...UI.dll

windows10-2004-x64

1

ggpermV3/T...er.exe

windows7-x64

ggpermV3/T...er.exe

windows10-2004-x64

8

ggpermV3/a...64.sys

windows7-x64

1

ggpermV3/a...64.sys

windows10-2004-x64

1

ggpermV3/ggpermV3.exe

windows7-x64

3

ggpermV3/ggpermV3.exe

windows10-2004-x64

3

ggpermV3/m...er.bat

windows7-x64

3

ggpermV3/m...er.bat

windows10-2004-x64

3

ggpermV3/s...er.exe

windows7-x64

1

ggpermV3/s...er.exe

windows10-2004-x64

1

ggpermV3/s...er.exe

windows7-x64

1

ggpermV3/s...er.exe

windows10-2004-x64

1

ggpermV3/s...er.pdb

windows7-x64

3

ggpermV3/s...er.pdb

windows10-2004-x64

3

ggpermV3/s...g.json

windows7-x64

3

ggpermV3/s...g.json

windows10-2004-x64

3

ggpermV3/woof.bat

windows7-x64

8

ggpermV3/woof.bat

windows10-2004-x64

8

Resubmissions

09/11/2024, 22:49 UTC

241109-2r2veatfrl 10

09/11/2024, 22:47 UTC

241109-2qkjqssrdz 10

09/11/2024, 22:46 UTC

241109-2p2fvstfqj 10

09/11/2024, 22:44 UTC

241109-2nsgkasrbt 10

07/11/2024, 16:00 UTC

241107-tfl1taxpgl 10

10/02/2024, 17:17 UTC

240210-vtnl8sge36 10

Analysis

  • max time kernel
    36s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2024, 22:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ggpermV3/woof.bat

  • Size

    1KB

  • MD5

    9dfe4e730dcc5e0d3951038ad2a095a1

  • SHA1

    e033d9a40234b9544606ec4d603add264cb38841

  • SHA256

    bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8

  • SHA512

    297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score
8/10
evasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: LoadsDriver 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /SS 147199748238682751
      2⤵
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
        AMIDEWINx64.EXE /SS 276978471289621404
        2⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
          AMIDEWINx64.EXE /BS 228749352959723600
          2⤵
            PID:2320
          • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
            AMIDEWINx64.EXE /SV 11942225022731330045
            2⤵
              PID:572
            • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
              AMIDEWINx64.EXE /BV 34173132487422063
              2⤵
                PID:3032
              • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                AMIDEWINx64.EXE /CS 15666269132684811184
                2⤵
                  PID:1624
                • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                  AMIDEWINx64.EXE /PSN 304713037466629755
                  2⤵
                    PID:2636
                  • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                    AMIDEWINx64.EXE /SU AUTO
                    2⤵
                      PID:2204
                    • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                      AMIDEWINx64.EXE /PAT 25566136183198523859
                      2⤵
                        PID:2888
                      • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                        AMIDEWINx64.EXE /PPN 559981172613410484
                        2⤵
                          PID:2936
                        • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                          AMIDEWINx64.EXE /IV 6468278482235912554
                          2⤵
                            PID:2948
                          • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                            AMIDEWINx64.EXE /SM 15805226352342222690
                            2⤵
                              PID:3008
                            • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                              AMIDEWINx64.EXE /SP 38592440523610829
                              2⤵
                                PID:2940
                              • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                AMIDEWINx64.EXE /BS 166522884336225516
                                2⤵
                                  PID:2884
                                • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                  AMIDEWINx64.EXE /SF 475222929203914136
                                  2⤵
                                    PID:2852
                                  • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                    AMIDEWINx64.EXE /BM 27657286793229716673
                                    2⤵
                                      PID:2968
                                    • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                      AMIDEWINx64.EXE /BP 15632510991176730
                                      2⤵
                                        PID:2876
                                      • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                        AMIDEWINx64.EXE /BT 2387760181399810546
                                        2⤵
                                          PID:1528
                                        • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                          AMIDEWINx64.EXE /BLC 29822126091880222054
                                          2⤵
                                            PID:2960
                                          • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                            AMIDEWINx64.EXE /CM 11813291891235020405
                                            2⤵
                                              PID:2904
                                            • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                              AMIDEWINx64.EXE /CT 15323197031470029541
                                              2⤵
                                                PID:2776
                                              • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                                AMIDEWINx64.EXE /CV 2748926085469911940
                                                2⤵
                                                  PID:2768
                                                • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                                  AMIDEWINx64.EXE /CA 2143366213218427649
                                                  2⤵
                                                    PID:2580
                                                  • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                                    AMIDEWINx64.EXE /CO 23944302031612424732
                                                    2⤵
                                                      PID:2764
                                                    • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                                      AMIDEWINx64.EXE /CSK 1094342232437419931
                                                      2⤵
                                                        PID:2880
                                                      • C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
                                                        AMIDEWINx64.EXE /SK 857030754120432911
                                                        2⤵
                                                          PID:2856
                                                        • C:\Windows\system32\net.exe
                                                          net stop winmgmt /y
                                                          2⤵
                                                            PID:1092
                                                            • C:\Windows\system32\net1.exe
                                                              C:\Windows\system32\net1 stop winmgmt /y
                                                              3⤵
                                                                PID:2744
                                                            • C:\Windows\system32\net.exe
                                                              net start winmgmt /y
                                                              2⤵
                                                                PID:2012
                                                                • C:\Windows\system32\net1.exe
                                                                  C:\Windows\system32\net1 start winmgmt /y
                                                                  3⤵
                                                                    PID:1976
                                                                • C:\Windows\system32\sc.exe
                                                                  sc stop winmgmt
                                                                  2⤵
                                                                  • Launches sc.exe
                                                                  PID:2096
                                                                • C:\Windows\system32\sc.exe
                                                                  sc start winmgmt
                                                                  2⤵
                                                                  • Launches sc.exe
                                                                  PID:1036
                                                                • C:\Windows\system32\ipconfig.exe
                                                                  ipconfig /flushdns
                                                                  2⤵
                                                                  • Gathers network information
                                                                  PID:2168

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              We care about your privacy.

                                                              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.