c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
36s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2096	sc.exe
1036	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2168	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2572	2336	cmd.exe	30
PID 2336 wrote to memory of 2572	2336	cmd.exe	30
PID 2336 wrote to memory of 2572	2336	cmd.exe	30
PID 2336 wrote to memory of 2828	2336	cmd.exe	31
PID 2336 wrote to memory of 2828	2336	cmd.exe	31
PID 2336 wrote to memory of 2828	2336	cmd.exe	31
PID 2336 wrote to memory of 2320	2336	cmd.exe	32
PID 2336 wrote to memory of 2320	2336	cmd.exe	32
PID 2336 wrote to memory of 2320	2336	cmd.exe	32
PID 2336 wrote to memory of 572	2336	cmd.exe	33
PID 2336 wrote to memory of 572	2336	cmd.exe	33
PID 2336 wrote to memory of 572	2336	cmd.exe	33
PID 2336 wrote to memory of 3032	2336	cmd.exe	34
PID 2336 wrote to memory of 3032	2336	cmd.exe	34
PID 2336 wrote to memory of 3032	2336	cmd.exe	34
PID 2336 wrote to memory of 1624	2336	cmd.exe	35
PID 2336 wrote to memory of 1624	2336	cmd.exe	35
PID 2336 wrote to memory of 1624	2336	cmd.exe	35
PID 2336 wrote to memory of 2636	2336	cmd.exe	36
PID 2336 wrote to memory of 2636	2336	cmd.exe	36
PID 2336 wrote to memory of 2636	2336	cmd.exe	36
PID 2336 wrote to memory of 2204	2336	cmd.exe	37
PID 2336 wrote to memory of 2204	2336	cmd.exe	37
PID 2336 wrote to memory of 2204	2336	cmd.exe	37
PID 2336 wrote to memory of 2888	2336	cmd.exe	38
PID 2336 wrote to memory of 2888	2336	cmd.exe	38
PID 2336 wrote to memory of 2888	2336	cmd.exe	38
PID 2336 wrote to memory of 2936	2336	cmd.exe	39
PID 2336 wrote to memory of 2936	2336	cmd.exe	39
PID 2336 wrote to memory of 2936	2336	cmd.exe	39
PID 2336 wrote to memory of 2948	2336	cmd.exe	40
PID 2336 wrote to memory of 2948	2336	cmd.exe	40
PID 2336 wrote to memory of 2948	2336	cmd.exe	40
PID 2336 wrote to memory of 3008	2336	cmd.exe	41
PID 2336 wrote to memory of 3008	2336	cmd.exe	41
PID 2336 wrote to memory of 3008	2336	cmd.exe	41
PID 2336 wrote to memory of 2940	2336	cmd.exe	42
PID 2336 wrote to memory of 2940	2336	cmd.exe	42
PID 2336 wrote to memory of 2940	2336	cmd.exe	42
PID 2336 wrote to memory of 2884	2336	cmd.exe	43
PID 2336 wrote to memory of 2884	2336	cmd.exe	43
PID 2336 wrote to memory of 2884	2336	cmd.exe	43
PID 2336 wrote to memory of 2852	2336	cmd.exe	44
PID 2336 wrote to memory of 2852	2336	cmd.exe	44
PID 2336 wrote to memory of 2852	2336	cmd.exe	44
PID 2336 wrote to memory of 2968	2336	cmd.exe	45
PID 2336 wrote to memory of 2968	2336	cmd.exe	45
PID 2336 wrote to memory of 2968	2336	cmd.exe	45
PID 2336 wrote to memory of 2876	2336	cmd.exe	46
PID 2336 wrote to memory of 2876	2336	cmd.exe	46
PID 2336 wrote to memory of 2876	2336	cmd.exe	46
PID 2336 wrote to memory of 1528	2336	cmd.exe	47
PID 2336 wrote to memory of 1528	2336	cmd.exe	47
PID 2336 wrote to memory of 1528	2336	cmd.exe	47
PID 2336 wrote to memory of 2960	2336	cmd.exe	48
PID 2336 wrote to memory of 2960	2336	cmd.exe	48
PID 2336 wrote to memory of 2960	2336	cmd.exe	48
PID 2336 wrote to memory of 2904	2336	cmd.exe	49
PID 2336 wrote to memory of 2904	2336	cmd.exe	49
PID 2336 wrote to memory of 2904	2336	cmd.exe	49
PID 2336 wrote to memory of 2776	2336	cmd.exe	50
PID 2336 wrote to memory of 2776	2336	cmd.exe	50
PID 2336 wrote to memory of 2776	2336	cmd.exe	50
PID 2336 wrote to memory of 2768	2336	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 147199748238682751
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 276978471289621404
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 228749352959723600
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 11942225022731330045
  2⤵
  PID:572
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 34173132487422063
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 15666269132684811184
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 304713037466629755
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 25566136183198523859
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 559981172613410484
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 6468278482235912554
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 15805226352342222690
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 38592440523610829
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 166522884336225516
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 475222929203914136
  2⤵
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 27657286793229716673
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 15632510991176730
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 2387760181399810546
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 29822126091880222054
  2⤵
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 11813291891235020405
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 15323197031470029541
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 2748926085469911940
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 2143366213218427649
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 23944302031612424732
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 1094342232437419931
  2⤵
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 857030754120432911
  2⤵
  PID:2856
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:1092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2744
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  PID:2012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:1976
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:2096
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:1036
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2168