pikabot | a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b

General

Target

a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll
Size

455KB
MD5

87dc797b60c660967550e977c456bbbb
SHA1

958cb16f78f766ad9dc248a2651cf7fce324bc54
SHA256

a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b
SHA512

728eb8588ae47e268cc23b3adcc047e043acd0ce5b1d04854a1cc058b43f3bb816c6453cebf22a6f5482fcd6d0cd02972b803a23fe9046ccf8f644c3a57977ca
SSDEEP

6144:zfDT6Bf++wbTPg37B+fEktaw9p/TEkMxp+aiCrIB28UJ1F5FRpS0X:Ha5sTPgrB+fl/TEkMqaHrIByJ13pR

Score

10^/10

Malware Config

Signatures

Detects PikaBot botnet 2 IoCs

resource	yara_rule
behavioral1/memory/4896-0-0x00000000008B0000-0x00000000008BF000-memory.dmp	family_pikabot
behavioral1/memory/4896-4-0x00000000008B0000-0x00000000008BF000-memory.dmp	family_pikabot

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unbevelledHamuli = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cimeter\\unbevelledHamuli.dll\" "	wermgr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 4896	2644	rundll32.exe	97

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
852	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4896	wermgr.exe
4896	wermgr.exe
4896	wermgr.exe
4896	wermgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2644	rundll32.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe
Token: SeDebugPrivilege	3696	whoami.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2644	2608	rundll32.exe	86
PID 2608 wrote to memory of 2644	2608	rundll32.exe	86
PID 2608 wrote to memory of 2644	2608	rundll32.exe	86
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 2644 wrote to memory of 4896	2644	rundll32.exe	97
PID 4896 wrote to memory of 3696	4896	wermgr.exe	104
PID 4896 wrote to memory of 3696	4896	wermgr.exe	104
PID 4896 wrote to memory of 3696	4896	wermgr.exe	104
PID 4896 wrote to memory of 852	4896	wermgr.exe	106
PID 4896 wrote to memory of 852	4896	wermgr.exe	106
PID 4896 wrote to memory of 852	4896	wermgr.exe	106

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll,DllInstall
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll,DllInstall
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\SysWOW64\wermgr.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\whoami.exe
      whoami.exe /all
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig.exe /all
      4⤵
      Gathers network information
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4896-0-0x00000000008B0000-0x00000000008BF000-memory.dmp

Filesize
60KB

Download
memory/4896-4-0x00000000008B0000-0x00000000008BF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads