Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
26-07-2023 22:14
Behavioral task
behavioral1
Sample
pikabot_core.dll
Resource
win7-20230712-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
pikabot_core.dll
Resource
win10v2004-20230703-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
pikabot_core.dll
-
Size
38KB
-
MD5
9cd94c8ac5c05061bcd4edb8c1e7f8f4
-
SHA1
d722c153c9ea0b627b09346f1e9e6deec4c3cbe0
-
SHA256
11cbb0233aff83d54e0d9189d3a08d02a6bbb0ffa5c3b161df462780e0ee2d2d
-
SHA512
9eea5545db4bd2c4f898f3ca733af839e710754a417615a926df95279db6b3803c230f0f083e5ac4248c4ed8e67e47f4c7fb5a08c5c042da5ecc2c291a363084
-
SSDEEP
768:gGiEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:JiLBWLAWFad8eT4u1N
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
regsvr32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ regsvr32.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
regsvr32.exeregsvr32.execmd.exedescription pid process target process PID 1884 wrote to memory of 3764 1884 regsvr32.exe regsvr32.exe PID 1884 wrote to memory of 3764 1884 regsvr32.exe regsvr32.exe PID 1884 wrote to memory of 3764 1884 regsvr32.exe regsvr32.exe PID 3764 wrote to memory of 2904 3764 regsvr32.exe cmd.exe PID 3764 wrote to memory of 2904 3764 regsvr32.exe cmd.exe PID 3764 wrote to memory of 2904 3764 regsvr32.exe cmd.exe PID 2904 wrote to memory of 1824 2904 cmd.exe PING.EXE PID 2904 wrote to memory of 1824 2904 cmd.exe PING.EXE PID 2904 wrote to memory of 1824 2904 cmd.exe PING.EXE
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\pikabot_core.dll2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\cmd.execmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"3⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\PING.EXEping localhost4⤵
- Runs ping.exe
PID:1824
-
-
-