You are a malware analyst on a threat-intel team. CTI hands you a 412 KB Windows PE32 sample flagged as a suspected loader. The job is static-only: no detonation, no sandbox, no network access of any kind. The sample comes with its strings, section table, imports, and a hex preview already extracted.
You have two hours of analysis time. Deliverables: an ATT&CK technique mapping, the deobfuscated stage-2 retrieval URL pattern, the persistence registry path, and a YARA rule clean enough to ship to an EDR feed.
This scenario tests whether you can read PE structure, recognize obfuscation primitives, and map analyst findings to MITRE ATT&CK in a way that detection engineering can act on.
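As an added example of the kind of static pass the scenario expects, the script below walks a PE32 section table, scores each section's entropy, brute-forces single-byte XOR over the data to surface a URL pattern, pulls Run-key persistence strings, maps the findings to ATT&CK technique IDs, and emits a YARA rule from the recovered artifacts. It is not the platform's code or the scenario's canonical answer: the PE image, the XOR key, the URL, and the registry path are all constructed inline so it runs offline with the standard library only, and the ATT&CK IDs it emits are the general ones for these finding classes, not a claim about the real sample.

```python
import hashlib
import math
import re
import struct

# Constructed for this example (key, URL, section layout); not the scenario's sample.
XOR_KEY, STAGE2_URL = 0x5A, b"http://example.invalid/stage2/%s.bin"
RUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
URL_RE = re.compile(rb"https?://[!-~]{6,}")
RUNKEY_RE = re.compile(rb"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?")
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe() -> bytes:
    """Minimal PE32 (file alignment 0x200): NOP-filled .text, .rdata holding the
    XOR-encoded URL (NUL terminator encoded too) beside a plaintext Run key, and a
    high-entropy .pack section made of deterministic SHA-256 output."""
    encoded = bytes(b ^ XOR_KEY for b in STAGE2_URL + b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    bodies = [(b".text", b"\x90" * 512),
              (b".rdata", b"\0" * 64 + encoded + b"\0" * 16 + RUN_KEY + b"\0" * 400),
              (b".pack", packed)]
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * len(bodies) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, data = b"", b""
    for i, (name, body) in enumerate(bodies):
        size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(body), 0x1000 * (i + 1),
                             size, raw_ptr + len(data), 0, 0, 0, 0, 0x40000040)
        data += body.ljust(size, b"\0")
    return (dos + coff + opt + table).ljust(raw_ptr, b"\0") + data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, >7 for packed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size, _, magic = struct.unpack_from("<HHH", pe, e_lfanew + 20)  # SizeOfOptionalHeader, Characteristics, Magic
    if magic != 0x10B:
        raise ValueError("expected PE32 magic 0x10b, got 0x%x" % magic)
    sections, base = [], e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, _, _, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, pe, base + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "raw": raw, "entropy": shannon_entropy(raw)})
    return sections

def hunt_xor_urls(data: bytes) -> list:
    """Try every single-byte XOR key (0 = plaintext); return (key, url) hits."""
    return [(key, m.group().decode("ascii", "replace")) for key in range(256)
            for m in URL_RE.finditer(bytes(b ^ key for b in data))]

def find_persistence_paths(data: bytes) -> list:
    """Plaintext Run/RunOnce key references, the usual loader persistence."""
    return sorted({m.group().decode() for m in RUNKEY_RE.finditer(data)})

def map_to_attack(xor_hits: list, persistence: list, sections: list) -> list:
    """Findings -> ATT&CK technique IDs detection engineering can act on."""
    found = {
        "T1027": any(k != 0 for k, _ in xor_hits),               # Obfuscated Files or Information
        "T1140": any(k != 0 for k, _ in xor_hits),               # Deobfuscate/Decode Files or Information
        "T1105": bool(xor_hits),                                  # Ingress Tool Transfer (stage-2 fetch)
        "T1547.001": bool(persistence),                           # Registry Run Keys / Startup Folder
        "T1027.002": any(s["entropy"] > 7.0 for s in sections),  # Software Packing
    }
    return sorted(k for k, v in found.items() if v)

def build_yara_rule(name: str, xor_key: int, run_key: str) -> str:
    """Match the encoded URL prefix via YARA's xor modifier pinned to the recovered
    key, plus the Run key string, gated on a cheap PE header check."""
    escaped = run_key.replace("\\", "\\\\")
    return "\n".join([
        "rule %s" % name, "{", "    strings:",
        '        $url = "http://" xor(0x%02x-0x%02x)' % (xor_key, xor_key),
        '        $run = "%s" ascii wide nocase' % escaped, "    condition:",
        "        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them", "}"])

def triage(pe: bytes) -> dict:
    """One static pass producing what the scenario asks for."""
    sections = parse_sections(pe)
    hits = [h for s in sections for h in hunt_xor_urls(s["raw"])]
    persistence = sorted({p for s in sections for p in find_persistence_paths(s["raw"])})
    key = hits[0][0] if hits else None
    rule = build_yara_rule("suspected_loader_example", key, persistence[0]) if hits and persistence else ""
    return {"entropy": {s["name"]: round(s["entropy"], 2) for s in sections}, "xor_key": key,
            "urls": [u for _, u in hits], "persistence": persistence,
            "attack": map_to_attack(hits, persistence, sections), "yara": rule}
```

Run `triage(build_sample_pe())` to see the full result; on the constructed image it recovers key 0x5a, the URL, the Run key, five technique IDs and the rule. The YARA rule pins the `xor` modifier to the one recovered key rather than `0x01-0xff` so it stays cheap on an EDR feed, and requires both strings, which is the trade you make against a loader that rotates its key.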
One ordered pass through every step. The two-hour budget is part of the scenario; the platform itself runs no clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.