153ea1be641c0baad4fc0bbe4d330099f9de49f76b14c4f3d0be2a1cba463807

Resubmissions

14/10/2024, 16:21

241014-ttqwxstgke 8

14/10/2024, 16:20

241014-ts814sxhrp 8

Analysis

max time kernel
91s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14/10/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PolygonHack.exe
Size

608KB
MD5

bf0ec485993699b0fb08eb592a8d0733
SHA1

1a98c2bcf2e004314875e837901f0eab193f891f
SHA256

8786ad7da8135e2361cb1b77f9320b9fb7de843b90a13fb6351b95430c041b46
SHA512

e90eba6344888671984b423faefc6617114fd2e40dcd3817a1be6799f3d86f5300ee7ded41f861f6d40ed43570a79e0f662f3786c65e351e87c1f31f4606ddb2
SSDEEP

12288:SIaiY60+66oorf0zGdn6rTnFM50QnTsv7WR:SIar60+6ZzGdn6rTn2vTc7WR

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tevRCCqMZCtZoLwOPU\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tevRCCqMZCtZoLwOPU"	kdmapper.exe

Executes dropped EXE 1 IoCs

pid	Process
4228	kdmapper.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	PolygonHack.exe
2000	PolygonHack.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4228	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4228	kdmapper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4936	2000	PolygonHack.exe	78
PID 2000 wrote to memory of 4936	2000	PolygonHack.exe	78
PID 4936 wrote to memory of 4228	4936	cmd.exe	79
PID 4936 wrote to memory of 4228	4936	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe
"C:\Users\Admin\AppData\Local\Temp\PolygonHack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\kdmapper.exe
    C:\Users\Admin\AppData\Local\Temp\kdmapper.exe driver.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe

Filesize
133KB

MD5
4da5a13241127d25bc89259af79d45a9

SHA1
32b53261f437aed23a6bb5799bfda0da2d5cc138

SHA256
ad1c5a790ad8d050aa293a25edcf6587da716ac13af096b6f3b7326f4d1ffe36

SHA512
a4dd3cc057a47d6c9a1f94178a42b78780e42f4e41be7e681e8983a129e02c139b13db65d2bb7c03a20bc58014eab4cca2ac5904233ca57881ecc657d9d550cd

Download Submit