Analysis
max time kernel: 150s
max time network: 154s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/01/2025, 19:34
Static task: static1
General
Target: project ligma and stigma builder.bat
Size: 2KB
MD5: 6395d6d88d9f2c4c6c45b22d56d3d6f2
SHA1: 09a1d50baec6030ddc44e1566c458cc5a85c2adf
SHA256: 8a4bffce8c62437df3f629c3f460cbf3022bd7e99b62b1ca850b94c220fbe3c7
SHA512: f3724f48e8566ec1fa43778e0603facf1d6baa35eb5b1838860704f8820ea14081c8eef1b477217bfcb7bb66bb0fbaf03cb7bd53a50cc9b5d4aab71dafff6568
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
3     5644  mshta.exe
4     5644  mshta.exe
5     5644  mshta.exe
6     5644  mshta.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process   procid_target
PID 872 wrote to memory of 5520  872   cmd.exe   78
PID 872 wrote to memory of 5520  872   cmd.exe   78
PID 872 wrote to memory of 3212  872   cmd.exe   79
PID 872 wrote to memory of 3212  872   cmd.exe   79
PID 3212 wrote to memory of 5644 3212  cmd.exe   80
PID 3212 wrote to memory of 5644 3212  cmd.exe   80
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
   PID: 872
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\mode.com
      Command line: mode con:cols=50 lines=22
      PID: 5520

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
      PID: 3212
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\mshta.exe
         Command line: mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
         PID: 5644
         Signatures: Blocklisted process makes network request