Analysis Overview
SHA256
8a4bffce8c62437df3f629c3f460cbf3022bd7e99b62b1ca850b94c220fbe3c7
Threat Level: Likely malicious
The file project ligma and stigma builder.bat was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 19:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 19:34
Reported
2025-01-19 19:37
Platform
win11-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 872 wrote to memory of 5520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |
| PID 872 wrote to memory of 3212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3212 wrote to memory of 5644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mshta.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
C:\Windows\system32\mode.com
mode con:cols=50 lines=2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
C:\Windows\system32\mshta.exe
mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 199.232.196.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |