Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-12-2024 17:00
Static task
- static1: 1 signature

Behavioral tasks
- behavioral1
  Sample: Compiled/BStub_Onimai.exe
  Resource: win11-20241007-en (windows11-21h2-x64)
  0 signatures, 150 seconds
- behavioral2
  Sample: Compiled/Stager.exe
  Resource: win11-20241007-en (windows11-21h2-x64)
  5 signatures, 150 seconds
- behavioral3
  Sample: Compiled/Ton618.exe
  Resource: win11-20241007-en (windows11-21h2-x64)
  0 signatures, 150 seconds
General
- Target: Compiled/Stager.exe
- Size: 149KB
- MD5: 98e08c9ddc69ca2b86028cc3cb1efa64
- SHA1: 56ebf01da2329100e808bc5460e1ff597f512a82
- SHA256: 8c1628ad812210a834d9a0d0dffae32d4057756de72ef4f80b72622786dc4038
- SHA512: 3b97695816cc1b1199284698fef1cb572449b903c28f468740f14296307f2a5d718df0e542fb1eb5f2ec73dbfde737d8cb77bf8f08319c5fef987216c8a14f13
- SSDEEP: 3072:PixjfPZwt68v4VjnYRawLr1SWRtLJbnOgZQBegbsu5q8fu3SsL72jV:PixjfW6WeS3NZxqlbzWSYy
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description                          | pid  | Process    | procid_target
  PID 3516 created 620                 | 3516 | Stager.exe | 5
- Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process    | procid_target
  PID 3516 set thread context of 2724  | 3516 | Stager.exe | 77
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  3516 | Stager.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 3516 | Stager.exe
  Token: SeDebugPrivilege  | 3516 | Stager.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          | pid  | Process    | procid_target
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
  PID 3516 wrote to memory of 2724     | 3516 | Stager.exe | 77
Processes
- C:\Windows\system32\winlogon.exe (level 1)
  Command line: winlogon.exe
  PID: 620
  - C:\Windows\System32\dllhost.exe (level 2)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{f0a80230-4cc6-4a8c-bb50-3aafefbd9540}
    PID: 2724
- C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Compiled\Stager.exe"
  PID: 3516
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory