Analysis
- max time kernel: 210s
- max time network: 275s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 16:21
Static task
- static1
Behavioral tasks
- behavioral1: Sample PolygonHack.exe, Resource win10v2004-20241007-en
- behavioral2: Sample PolygonHack.exe, Resource win11-20241007-en
- behavioral3: Sample driver.sys, Resource win10v2004-20241007-en
- behavioral4: Sample driver.sys, Resource win11-20241007-en
General
- Target: PolygonHack.exe
- Size: 608KB
- MD5: bf0ec485993699b0fb08eb592a8d0733
- SHA1: 1a98c2bcf2e004314875e837901f0eab193f891f
- SHA256: 8786ad7da8135e2361cb1b77f9320b9fb7de843b90a13fb6351b95430c041b46
- SHA512: e90eba6344888671984b423faefc6617114fd2e40dcd3817a1be6799f3d86f5300ee7ded41f861f6d40ed43570a79e0f662f3786c65e351e87c1f31f4606ddb2
- SSDEEP: 12288:SIaiY60+66oorf0zGdn6rTnFM50QnTsv7WR:SIar60+6ZzGdn6rTn2vTc7WR
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TIaZGwgFrLvICQfqbAl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\TIaZGwgFrLvICQfqbAl"
  Process: kdmapper.exe
- Executes dropped EXE (1 IoCs)
  pid 3044, Process kdmapper.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3964, Process PolygonHack.exe
  pid 3964, Process PolygonHack.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid 3044, Process kdmapper.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeLoadDriverPrivilege
  pid 3044, Process kdmapper.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3964 wrote to memory of 3636 (pid 3964, Process PolygonHack.exe, procid_target 85)
  PID 3964 wrote to memory of 3636 (pid 3964, Process PolygonHack.exe, procid_target 85)
  PID 3636 wrote to memory of 3044 (pid 3636, Process cmd.exe, procid_target 86)
  PID 3636 wrote to memory of 3044 (pid 3636, Process cmd.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe (PID 3964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3636)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kdmapper.exe (PID 3044)
      Command line: C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 133KB
  MD5: 4da5a13241127d25bc89259af79d45a9
  SHA1: 32b53261f437aed23a6bb5799bfda0da2d5cc138
  SHA256: ad1c5a790ad8d050aa293a25edcf6587da716ac13af096b6f3b7326f4d1ffe36
  SHA512: a4dd3cc057a47d6c9a1f94178a42b78780e42f4e41be7e681e8983a129e02c139b13db65d2bb7c03a20bc58014eab4cca2ac5904233ca57881ecc657d9d550cd