Overview

overview

10

Static

static

10

pikabot_core.dll

windows7-x64

9

pikabot_core.dll

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2023 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pikabot_core.dll

  • Size

    38KB

  • MD5

    9cd94c8ac5c05061bcd4edb8c1e7f8f4

  • SHA1

    d722c153c9ea0b627b09346f1e9e6deec4c3cbe0

  • SHA256

    11cbb0233aff83d54e0d9189d3a08d02a6bbb0ffa5c3b161df462780e0ee2d2d

  • SHA512

    9eea5545db4bd2c4f898f3ca733af839e710754a417615a926df95279db6b3803c230f0f083e5ac4248c4ed8e67e47f4c7fb5a08c5c042da5ecc2c291a363084

  • SSDEEP

    768:gGiEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:JiLBWLAWFad8eT4u1N

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads