Overview

overview

10

Static

static

3

a7122f6a29...7b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    242s
  • max time network
    270s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll

  • Size

    455KB

  • MD5

    87dc797b60c660967550e977c456bbbb

  • SHA1

    958cb16f78f766ad9dc248a2651cf7fce324bc54

  • SHA256

    a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b

  • SHA512

    728eb8588ae47e268cc23b3adcc047e043acd0ce5b1d04854a1cc058b43f3bb816c6453cebf22a6f5482fcd6d0cd02972b803a23fe9046ccf8f644c3a57977ca

  • SSDEEP

    6144:zfDT6Bf++wbTPg37B+fEktaw9p/TEkMxp+aiCrIB28UJ1F5FRpS0X:Ha5sTPgrB+fl/TEkMqaHrIByJ13pR

Score
10/10
pikabotbotnetpersistence

Malware Config

Signatures

  • Detects PikaBot botnet 2 IoCs
  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll,DllInstall
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7122f6a2953f7c5960747cc165308fc3a33a7cb5e6b0093cff2855db2ecce7b.dll,DllInstall
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\SysWOW64\wermgr.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\SysWOW64\whoami.exe
          whoami.exe /all
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3696
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig.exe /all
          4⤵
          • Gathers network information
          PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4896-0-0x00000000008B0000-0x00000000008BF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/4896-4-0x00000000008B0000-0x00000000008BF000-memory.dmp
    Filesize

    60KB

    Download