An academic report on a real multi-stage Windows malware sample analyzed in an isolated virtual lab. The report examines staged execution, anti-analysis techniques, process replacement, injected RegSvcs.exe payloads, C2 communication, host data collection, and observed data exfiltration.
Note: This repository contains only the final academic report. It does not include malware binaries, carved payloads, packet captures, credentials, exploit code, or executable artifacts. The malware sample was analyzed in a controlled virtual lab for defensive learning and documentation.
This project investigates a real Windows malware sample that uses staged execution and process replacement to conceal its behavior. The report documents how the initial mur.exe process launches additional stages, how two injected RegSvcs.exe processes are created, and how the malware performs command-and-control communication and host-data collection.
The analysis covers:
- Multi-stage process behavior involving `mur.exe` and injected `RegSvcs.exe` processes
- Anti-debugging and anti-analysis behavior, including debugger checks and evasion indicators
- Persistence mechanisms, registry modifications, and suspicious Windows API usage
- Process replacement using suspended process creation, remote memory allocation, payload injection, thread-context modification, and execution redirection
- Memory carving of injected PE payloads for follow-up analysis
- Command-and-control traffic, host profiling, and observed data exfiltration behavior
- Comparison between the two injected `RegSvcs.exe` payloads
For this project, I performed static and dynamic malware analysis in an isolated lab environment. My work included observing the malware process tree, debugging staged execution, tracing Windows API calls, carving injected payloads from memory, and validating command-and-control behavior through debugger and network-analysis tools.
- The malware uses staged execution, beginning with `mur.exe` and progressing into additional processes and injected payloads.
- Anti-analysis behavior appears throughout the execution chain, including debugger checks and environment-aware behavior.
- Process replacement is used to launch hollowed `RegSvcs.exe` processes, inject malicious payloads, and redirect execution.
- The first injected payload behaves like an information stealer, collecting host data and communicating with command-and-control infrastructure.
- The second injected payload appears to focus more on persistence and cleanup behavior.
- Memory carving helped recover injected PE payloads for additional static and behavioral analysis.
The full report includes screenshots, debugger observations, process-monitoring results, network-analysis evidence, carved-payload analysis, and explanations of the malware's execution flow.
| Category | Tools / Concepts |
|---|---|
| Debugging | OllyDbg |
| Static Analysis | Ghidra, IDA, CFF Explorer, PEiD, Dependency Walker, Sysinternals Strings |
| Dynamic Analysis | Process Explorer, Process Monitor, Regshot |
| Network Analysis | Wireshark, ApateDNS, Netcat |
| Windows APIs | CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, send, recv |
| Malware Techniques | Anti-debugging, process replacement, payload injection, persistence, C2 communication, data exfiltration |
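As an added example (not part of the report or its tooling), the following Python script shows how the process-replacement API sequence listed above can be spotted in an API-call trace from a defender's side: it flags a child process that was created suspended and then received remote allocation, a remote write, a thread-context change, and a thread resume, in that order. The trace format and its entries are constructed for this example; a real Process Monitor or debugger log would need its own parser.

```python
"""Detect the process-replacement (hollowing) API chain in an API-call trace.

Added example, not code from the report. Scans a simplified trace for:
CreateProcessW(CREATE_SUSPENDED) -> VirtualAllocEx -> WriteProcessMemory
-> SetThreadContext -> ResumeThread, all aimed at the same child process.
"""
from collections import defaultdict

# Win32 creation flag value for a suspended primary thread.
CREATE_SUSPENDED = 0x00000004

# Stages that must follow suspended creation, in this order, for one child.
# Thread-level calls are attributed to the owning process to keep the trace simple.
STAGES = ["VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

# Constructed sample trace: (source_pid, api, target_pid, extra_fields).
# PIDs, sizes and the benign notepad entry are made up for the example.
SAMPLE_TRACE = [
    (1200, "CreateProcessW", 1344, {"flags": CREATE_SUSPENDED, "image": "RegSvcs.exe"}),
    (1200, "GetThreadContext", 1344, {}),
    (1200, "VirtualAllocEx", 1344, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (1200, "WriteProcessMemory", 1344, {"size": 94208}),
    (1200, "SetThreadContext", 1344, {}),
    (1200, "ResumeThread", 1344, {}),
    (1200, "CreateProcessW", 1400, {"flags": 0, "image": "notepad.exe"}),
    (1200, "ResumeThread", 1400, {}),  # not suspended at creation: no alert
]


def find_hollowing(trace):
    """Return [(parent_pid, child_pid, image)] for every child created suspended
    that then received the full injection chain in order."""
    suspended = {}               # child_pid -> (parent_pid, image)
    progress = defaultdict(int)  # child_pid -> index of next expected stage
    hits = []
    for src, api, target, extra in trace:
        if api == "CreateProcessW" and extra.get("flags", 0) & CREATE_SUSPENDED:
            suspended[target] = (src, extra.get("image", "?"))
            progress[target] = 0
        elif target in suspended and api == STAGES[progress[target]]:
            progress[target] += 1
            if progress[target] == len(STAGES):
                parent, image = suspended.pop(target)
                hits.append((parent, target, image))
    return hits


if __name__ == "__main__":
    for parent, child, image in find_hollowing(SAMPLE_TRACE):
        print(f"possible process replacement: pid {parent} -> {child} ({image})")
```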
The goal of this project was to analyze a real Windows malware sample in a safe, isolated lab environment and document its behavior across multiple execution stages.
The assignment emphasized process-tree reconstruction, staged malware behavior, anti-analysis techniques, command-and-control behavior, information collection, data exfiltration, and differences between multiple injected payloads.
This repository is intended for cybersecurity education, malware analysis practice, and defensive research documentation. It does not provide malware samples, working payloads, exploit code, packet captures, or instructions for unauthorized activity.