3316b2087e41a54a4bc60bef2058b10a645265e60f965e0c3d71da0bf5e221cd

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pikabotcore.exe
Size

320KB
MD5

3bbf71aeaa85e2774c1d47c0e56e6472
SHA1

4bd1668c397a2e0bcc293bfecd0eee62df947c3a
SHA256

3316b2087e41a54a4bc60bef2058b10a645265e60f965e0c3d71da0bf5e221cd
SHA512

e713984a8a6592ca4cbfe440f24b835fed4700d77270a04743eef443de0b15f7a21d319ba665a65c0b97ef9cf90be70bb276897169e25e9414e02115e148a847
SSDEEP

6144:cewJSTU0kYEti/xN9WpofUGFTT51zFISUumZrkR10efUKJ:nkY7EYtF1ztU3Qztf

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
396	netstat.exe
1220	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	pikabotcore.exe
4604	pikabotcore.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	4660	whoami.exe
Token: SeDebugPrivilege	396	netstat.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4660	4604	pikabotcore.exe	94
PID 4604 wrote to memory of 4660	4604	pikabotcore.exe	94
PID 4604 wrote to memory of 4660	4604	pikabotcore.exe	94
PID 4604 wrote to memory of 1220	4604	pikabotcore.exe	96
PID 4604 wrote to memory of 1220	4604	pikabotcore.exe	96
PID 4604 wrote to memory of 1220	4604	pikabotcore.exe	96
PID 4604 wrote to memory of 396	4604	pikabotcore.exe	98
PID 4604 wrote to memory of 396	4604	pikabotcore.exe	98
PID 4604 wrote to memory of 396	4604	pikabotcore.exe	98

C:\Users\Admin\AppData\Local\Temp\pikabotcore.exe
"C:\Users\Admin\AppData\Local\Temp\pikabotcore.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\whoami.exe
  whoami.exe /all
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe /all
  2⤵
  - Gathers network information
  PID:1220
- C:\Windows\SysWOW64\netstat.exe
  netstat.exe -aon
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads