Analysis
-
max time kernel
1859s -
max time network
1877s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
21-07-2024 15:57
General
-
Target
PolygonHack.exe
-
Size
609KB
-
MD5
52c2c76aa62ff77b0859f49ab3098fa3
-
SHA1
eee46837171761ff6c606e9d9d9b3af31f0232c1
-
SHA256
428f189bfd902ac326313cbed6aaa9a9686393e62a1f8e0b2b0fae0fdb99c907
-
SHA512
916fb1606a588ba376b61059b8f8e74a515faf829fd4f836c4c1c3e69c1718a5259f34cb358b7a86d099d50e0138cca5e34dbaa740548d390585fd8e88e135f7
-
SSDEEP
12288:jXNkMT0lw9fZhpudjjiCvTnYv9L/Z9w0QnTsv7WR:jXNdT0lwrudjjiCvTnq9LR9MTc7WR
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe"C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kdmapper.exeC:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SuspendTest.ps1xml1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98e0d3cb8,0x7ff98e0d3cc8,0x7ff98e0d3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,11957359350549462010,7177145471082889559,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3268 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5caaeb604a99d78c4a41140a3082ca660
SHA16d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97
SHA25675e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6
SHA5121091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66
-
Filesize
152B
MD51fe10b6cb6b345a095320391bda78b22
SHA146c36ab1994b86094f34a0fbae3a3921d6690862
SHA25685a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239
SHA5129f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
5KB
MD5f2fe9771a4e52eca8d6a9d4debbaaf86
SHA15af39e9bb09eb421f4db51f9bdccc58aea752644
SHA2563472db01191a4c0e9b480665243107d4147edda8bc1a86617dc22ac36dc62bfe
SHA512390f62195bea64805efa217e3b185a5479273148ba60c422dc83073937cd27524f07afd9098030e4d04c64bc07a7aa4c741b07234f9a3b3ec563e616beb33177
-
Filesize
6KB
MD5638835c06404e51d7bf0579064c503b3
SHA1ec1ef27cc8ab09a8eca52e1b1f51d83766623fe8
SHA256ecb9d0182464ad47c02677a179560c6b26ab803bdb6936c0644eb3d225d2db9f
SHA512162e4c761ee2bcde8646e2b43b2d82f67d2f719f4e7674f1672b58762a878e46595cc1b4dfca20a404b3466afa15d0adf116c4bbd345241b5fbf2ca5bebef4bd
-
Filesize
5KB
MD57049ae8780971e379dbc724d6034ebb7
SHA1756f118ea7dce152185d4935d9589bb6602cb254
SHA25604a25f275c01ecb0d3df02876d2415a6acb60c757534c6f6590506c677a25c69
SHA512e56864ff782fc33b272af444c5083709ed1cfe41b5304593cc2f755403f831cb899369db74e38621a81c7ba529b8f45558949f6867b5e19f530d0f8047d5b712
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD50a6dbb72c19100ad365906126e756373
SHA1cda6a29b195a16ec15b08617f8f488b36065234b
SHA256e52a0e6ac53e39dc67c0eeeb682df355700e329648b8b1466b0a9029e1450354
SHA51274ff24944dd83b57dd5ab01665513b7de290399b4d2fd8aad5653bd42da3d643d1c87d183e11c04498dbc41911f360d9d123f67f7a5647ffac39da6927608d63
-
Filesize
11KB
MD50b3aad183f55fa76385f3886b51c3f39
SHA1929bef0a0ff3f4ee10875c049d8d8047c016f089
SHA256cf7fe038d5ca6ca66297ee0124583b95cd0776f749f3a287dbfc3f1356deb7ba
SHA512b6c5716b120ca6582fb0592da80b6bbe9e801be3054420c82e1cbe4136bb6f5b905555024d853b08a52821fd3d08ea2a97d7539c6d2558b3f4e840369322f11e
-
Filesize
133KB
MD54da5a13241127d25bc89259af79d45a9
SHA132b53261f437aed23a6bb5799bfda0da2d5cc138
SHA256ad1c5a790ad8d050aa293a25edcf6587da716ac13af096b6f3b7326f4d1ffe36
SHA512a4dd3cc057a47d6c9a1f94178a42b78780e42f4e41be7e681e8983a129e02c139b13db65d2bb7c03a20bc58014eab4cca2ac5904233ca57881ecc657d9d550cd