Analysis
-
max time kernel: 91s
max time network: 302s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14/10/2024, 16:21
Static task: static1
Behavioral task behavioral1: Sample PolygonHack.exe, Resource win10v2004-20241007-en
Behavioral task behavioral2: Sample PolygonHack.exe, Resource win11-20241007-en
Behavioral task behavioral3: Sample driver.sys, Resource win10v2004-20241007-en
Behavioral task behavioral4: Sample driver.sys, Resource win11-20241007-en
General
-
Target: PolygonHack.exe
Size: 608KB
MD5: bf0ec485993699b0fb08eb592a8d0733
SHA1: 1a98c2bcf2e004314875e837901f0eab193f891f
SHA256: 8786ad7da8135e2361cb1b77f9320b9fb7de843b90a13fb6351b95430c041b46
SHA512: e90eba6344888671984b423faefc6617114fd2e40dcd3817a1be6799f3d86f5300ee7ded41f861f6d40ed43570a79e0f662f3786c65e351e87c1f31f4606ddb2
SSDEEP: 12288:SIaiY60+66oorf0zGdn6rTnFM50QnTsv7WR:SIar60+6ZzGdn6rTn2vTc7WR
Malware Config
Signatures
-
- Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tevRCCqMZCtZoLwOPU\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tevRCCqMZCtZoLwOPU"
  process: kdmapper.exe
- Executes dropped EXE (1 IoC)
  pid 4228, process kdmapper.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2000, process PolygonHack.exe
  pid 2000, process PolygonHack.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 4228, process kdmapper.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeLoadDriverPrivilege
  pid 4228, process kdmapper.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | procid_target
  PID 2000 wrote to memory of 4936 | 2000 | PolygonHack.exe | 78
  PID 2000 wrote to memory of 4936 | 2000 | PolygonHack.exe | 78
  PID 4936 wrote to memory of 4228 | 4936 | cmd.exe | 79
  PID 4936 wrote to memory of 4228 | 4936 | cmd.exe | 79
Processes
1. C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe"
   PID: 2000
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
      PID: 4936
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\kdmapper.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
         PID: 4228
         - Sets service image path in registry
         - Executes dropped EXE
         - Suspicious behavior: LoadsDriver
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 133KB
MD5: 4da5a13241127d25bc89259af79d45a9
SHA1: 32b53261f437aed23a6bb5799bfda0da2d5cc138
SHA256: ad1c5a790ad8d050aa293a25edcf6587da716ac13af096b6f3b7326f4d1ffe36
SHA512: a4dd3cc057a47d6c9a1f94178a42b78780e42f4e41be7e681e8983a129e02c139b13db65d2bb7c03a20bc58014eab4cca2ac5904233ca57881ecc657d9d550cd