Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-12-2024 17:00

General

  • Target

    Compiled/Stager.exe

  • Size

    149KB

  • MD5

    98e08c9ddc69ca2b86028cc3cb1efa64

  • SHA1

    56ebf01da2329100e808bc5460e1ff597f512a82

  • SHA256

    8c1628ad812210a834d9a0d0dffae32d4057756de72ef4f80b72622786dc4038

  • SHA512

    3b97695816cc1b1199284698fef1cb572449b903c28f468740f14296307f2a5d718df0e542fb1eb5f2ec73dbfde737d8cb77bf8f08319c5fef987216c8a14f13

  • SSDEEP

    3072:PixjfPZwt68v4VjnYRawLr1SWRtLJbnOgZQBegbsu5q8fu3SsL72jV:PixjfW6WeS3NZxqlbzWSYy

Score
10/10

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess, 1 IoC (a process was created with an explicitly chosen parent via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS; the new process records that parent, not its real creator)
  • Suspicious use of SetThreadContext, 1 IoC (the register state of a thread in another process was rewritten, the usual way to redirect execution into injected code)
  • Suspicious behavior: EnumeratesProcesses, 1 IoC (running processes were enumerated, as done when selecting a target PID)
  • Suspicious use of AdjustPrivilegeToken, 2 IoCs (token privileges were adjusted, for example enabling SeDebugPrivilege before opening another process)
  • Suspicious use of WriteProcessMemory, 8 IoCs (memory was written into another process)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    PID: 620 (depth 1)
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{f0a80230-4cc6-4a8c-bb50-3aafefbd9540}
        PID: 2724 (depth 2, recorded parent: winlogon.exe PID 620)
  • C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe
    "C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe"
    PID: 3516 (depth 1)
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
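The process tree above records dllhost.exe (PID 2724) as a child of winlogon.exe (PID 620), while the only process flagged for creating a child under another parent is Stager.exe (PID 3516). The script below is an added example, not part of the sandbox report: it transcribes the three processes from the tree above as constructed input and flags any child whose recorded parent falls outside a small baseline of expected parents. The EXPECTED_PARENTS table is an assumption chosen for illustration, and the recorded parent is exactly the value PROC_THREAD_ATTRIBUTE_PARENT_PROCESS lets a creator choose, so the real creator has to be correlated from other telemetry rather than read from this tree.

```python
"""Parent/child baseline check for a sandbox process tree.

Added example, not part of the sandbox report. The three processes below are
transcribed from the report's Processes section (PIDs 620, 2724, 3516); the
EXPECTED_PARENTS baseline is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the report does not record a parent
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


# Transcribed from the report: dllhost.exe (2724) is nested under winlogon.exe
# (620); Stager.exe (3516) is a top-level entry with no parent recorded.
REPORT_PROCS: List[Proc] = [
    Proc(620, None, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Proc(2724, 620, r"C:\Windows\System32\dllhost.exe",
         r"C:\Windows\System32\dllhost.exe /Processid:{f0a80230-4cc6-4a8c-bb50-3aafefbd9540}"),
    Proc(3516, None, r"C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe"'),
]

# Assumed baseline of legitimate parents (illustrative, not from the report).
# A dllhost.exe COM surrogate (/Processid:{...}) is started by the DcomLaunch
# service host (svchost.exe); winlogon.exe only spawns its logon helpers.
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "dllhost.exe": {"svchost.exe"},
    "userinit.exe": {"winlogon.exe"},
    "dwm.exe": {"winlogon.exe"},
    "logonui.exe": {"winlogon.exe"},
    "fontdrvhost.exe": {"winlogon.exe", "wininit.exe"},
}


def find_parent_anomalies(procs: List[Proc]) -> List[str]:
    """Return one finding per child whose recorded parent is outside the baseline.

    The recorded parent is what the kernel stored at creation time. With
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS the creator chooses that value, so the
    real creator never shows up here and must be correlated separately (the
    report flags Stager.exe with NtCreateUserProcessOtherParentProcess).
    """
    by_pid = {p.pid: p for p in procs}
    findings: List[str] = []
    for child in procs:
        expected = EXPECTED_PARENTS.get(basename(child.image))
        if expected is None or child.ppid is None:
            continue   # no baseline for this image, or no parent recorded
        parent = by_pid.get(child.ppid)
        parent_name = basename(parent.image) if parent else f"<unknown pid {child.ppid}>"
        if parent_name not in expected:
            findings.append(
                f"{basename(child.image)} (PID {child.pid}) has parent "
                f"{parent_name} (PID {child.ppid}); expected one of {sorted(expected)}"
            )
    return findings


if __name__ == "__main__":
    for line in find_parent_anomalies(REPORT_PROCS):
        print(line)
```

Run against the transcribed tree, the only finding is the dllhost.exe instance under winlogon.exe; a dllhost.exe under svchost.exe produces none. The baseline is deliberately small: extend it from your own clean-host inventory rather than from a sandbox run.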

Downloads

  • memory/2724-8-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
  • memory/2724-5-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
  • memory/2724-11-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
  • memory/2724-6-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
  • memory/2724-4-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
  • memory/3516-2-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3516-0-0x00007FFB449A5000-0x00007FFB449A6000-memory.dmp (Filesize: 4KB)
  • memory/3516-12-0x00007FFB63EC1000-0x00007FFB63F3E000-memory.dmp (Filesize: 500KB)
  • memory/3516-14-0x00007FFB654C1000-0x00007FFB655EA000-memory.dmp (Filesize: 1.2MB)
  • memory/3516-13-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp (Filesize: 9.6MB)
  • memory/3516-3-0x00007FFB63EC0000-0x00007FFB63F7D000-memory.dmp (Filesize: 756KB)
  • memory/3516-1-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp (Filesize: 9.6MB)
  • memory/3516-15-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp (Filesize: 9.6MB)
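Dump names in this listing follow the pattern memory/<pid>-<sequence>-<start>-<end>-memory.dmp, so the listing itself carries enough to sanity-check the sizes and to see which regions the sandbox snapshotted repeatedly. The script below is an added example, not part of the report: it parses the thirteen names above (copied from the listing, with their stated Filesize), checks each stated size against the address range, groups regions per PID, and points out regions starting at 0x140000000. That address is the linker's default image base for 64-bit executables; treating a small region at that base inside a relocated system process (dllhost.exe) as the first dump to open is an analyst heuristic and is labelled as such, not a finding the report makes.

```python
"""Consistency and grouping pass over sandbox memory-dump names.

Added example, not part of the report. Parses memory/<pid>-<seq>-<start>-<end>-memory.dmp
names, checks the stated Filesize against the address range, groups regions per
PID, and flags regions at the default x64 EXE image base (heuristic only).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Linker default image base for 64-bit EXEs. System binaries such as dllhost.exe
# are built with /DYNAMICBASE and are relocated, so their own image is normally
# not here; a region parked at this base inside one is worth opening first.
DEFAULT_X64_IMAGE_BASE = 0x140000000


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


# Copied from the report's Downloads list: (file name, stated Filesize).
REPORT_DUMPS: List[Tuple[str, str]] = [
    ("memory/2724-8-0x0000000140000000-0x0000000140008000-memory.dmp", "32KB"),
    ("memory/2724-5-0x0000000140000000-0x0000000140008000-memory.dmp", "32KB"),
    ("memory/2724-11-0x0000000140000000-0x0000000140008000-memory.dmp", "32KB"),
    ("memory/2724-6-0x0000000140000000-0x0000000140008000-memory.dmp", "32KB"),
    ("memory/2724-4-0x0000000140000000-0x0000000140008000-memory.dmp", "32KB"),
    ("memory/3516-2-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp", "2.0MB"),
    ("memory/3516-0-0x00007FFB449A5000-0x00007FFB449A6000-memory.dmp", "4KB"),
    ("memory/3516-12-0x00007FFB63EC1000-0x00007FFB63F3E000-memory.dmp", "500KB"),
    ("memory/3516-14-0x00007FFB654C1000-0x00007FFB655EA000-memory.dmp", "1.2MB"),
    ("memory/3516-13-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp", "9.6MB"),
    ("memory/3516-3-0x00007FFB63EC0000-0x00007FFB63F7D000-memory.dmp", "756KB"),
    ("memory/3516-1-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp", "9.6MB"),
    ("memory/3516-15-0x00007FFB446F0000-0x00007FFB45091000-memory.dmp", "9.6MB"),
]


def parse_dump_name(name: str) -> Dump:
    """Split a dump file name into pid, snapshot sequence and address range."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Render bytes the way the listing does: whole KB below 1 MiB, else one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(listing: List[Tuple[str, str]]) -> List[str]:
    """Entries whose stated Filesize disagrees with the address range in the name."""
    out = []
    for name, stated in listing:
        d = parse_dump_name(name)
        if human_size(d.size) != stated:
            out.append(f"{name}: range is {human_size(d.size)}, stated {stated}")
    return out


def regions_by_pid(listing: List[Tuple[str, str]]) -> Dict[int, Dict[Tuple[int, int], List[int]]]:
    """pid -> {(start, end): [snapshot sequences]}; repeated snapshots show as long lists."""
    grouped: Dict[int, Dict[Tuple[int, int], List[int]]] = defaultdict(lambda: defaultdict(list))
    for name, _ in listing:
        d = parse_dump_name(name)
        grouped[d.pid][(d.start, d.end)].append(d.seq)
    return {pid: {r: sorted(s) for r, s in regs.items()} for pid, regs in grouped.items()}


def at_default_image_base(listing: List[Tuple[str, str]]) -> List[Tuple[int, int, int]]:
    """Distinct (pid, start, end) regions beginning at the default x64 image base."""
    hits = {(d.pid, d.start, d.end) for d in (parse_dump_name(n) for n, _ in listing)
            if d.start == DEFAULT_X64_IMAGE_BASE}
    return sorted(hits)


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORT_DUMPS) or "none")
    for pid, regs in regions_by_pid(REPORT_DUMPS).items():
        for (start, end), seqs in regs.items():
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({human_size(end - start)}) snapshots {seqs}")
    print("at default image base:", at_default_image_base(REPORT_DUMPS))
```

On this listing every stated size matches its range, PID 2724 has a single 32KB region snapshotted five times, and PID 3516's 9.6MB region at 0x7FFB446F0000 appears in three snapshots; the one region at the default image base is the dllhost.exe one.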