Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2023 22:14

General

  • Target

    pikabot_core.dll

  • Size

    38KB

  • MD5

    9cd94c8ac5c05061bcd4edb8c1e7f8f4

  • SHA1

    d722c153c9ea0b627b09346f1e9e6deec4c3cbe0

  • SHA256

    11cbb0233aff83d54e0d9189d3a08d02a6bbb0ffa5c3b161df462780e0ee2d2d

  • SHA512

    9eea5545db4bd2c4f898f3ca733af839e710754a417615a926df95279db6b3803c230f0f083e5ac4248c4ed8e67e47f4c7fb5a08c5c042da5ecc2c291a363084

  • SSDEEP

    768:gGiEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:JiLBWLAWFad8eT4u1N

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:1824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads