41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f

General

Target

41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe
Size

307KB
MD5

35a7c263b31cb4e4715a042ba7ca61a8
SHA1

7b808b5ee7c5c7f8f29654bcc1356f5e12b89233
SHA256

41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f
SHA512

2849f6040c867c72cd5f57958d016321490860781913b78cd22b4f2e9b63fa6f1e5f61e7f51656d4af5bf09c8b7ebfd3f6cd8d75a123129e74ae585d62eab57d
SSDEEP

6144:nRArZFpZj0+QTyBzPJVLo4JmqGM39IHtp8ZH1kWeJ85zQ9s+xMb:y5TQmrlDHOsk/UzAs+xMb

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pika.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	pika.exe

Executes dropped EXE 1 IoCs

pid	Process
1092	pika.exe

Loads dropped DLL 5 IoCs

pid	Process
1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe
1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe
1092	pika.exe
1092	pika.exe
1092	pika.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Windows"	pika.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1092	pika.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
676	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1092	pika.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29
PID 1252 wrote to memory of 1092	1252	41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe	29

C:\Users\Admin\AppData\Local\Temp\41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe
"C:\Users\Admin\AppData\Local\Temp\41fdfd031adb76d34e521b45c8d11c66f108377dc74541506a1affb7e3e9293f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\pika.exe
  "C:\Users\Admin\AppData\Local\Temp\pika.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1092

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
C:\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
C:\Users\Admin\AppData\Local\Temp\saki001.jpg

Filesize
244KB

MD5
3fb280edd48f2e9ddfd93f5bf3ca5830

SHA1
10736ea6aaeede2604663e29e0f19ca4d29d315e

SHA256
bb77312b3989478d9cfe571d576d4bb5af033cc1ced928f4e95ccdd49f2829dc

SHA512
4171abdae552a708b59fbc41118548cf27929a9c4884f8ab58c50cc0e5ca7c392d5f7a814debf9fef2c5a297b4095b000c93c09c96eb6122d53df66283282e2d

Download Submit
\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
\Users\Admin\AppData\Local\Temp\pika.exe

Filesize
64KB

MD5
99b9c3af1ec473e750a3b15a1d5d40d6

SHA1
6c0d7ef5cbfc5433948256042ff90b822d162ad0

SHA256
4311ffef5a59289c806602cac22d0f97eab22213a1eaa2d1bd36ab273655933f

SHA512
097a18b3eaddd2812a01f9cf448a25f96d2b1f2027aeadda92d5c42a4113a9de5127124513737532c02a2cc6d9ca9d33d5e9d32bfcc2e73fbb1285ed014c0951

Download Submit
memory/1092-66-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-68-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing