Resubmissions
submitted           analysis id         score
22/06/2024, 17:36   240622-v6w45swhkc   10
16/11/2023, 07:55   231116-jr41nahf9v   3
15/11/2023, 14:30   231115-rvbghsbd22   3

Analysis
max time kernel:  145s
max time network: 152s
platform:         windows10-2004_x64
resource:         win10v2004-20231023-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted:        15/11/2023, 14:30
Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample:   pikabot.exe
  Resource: win10v2004-20231023-en
  4 signatures, 150 seconds
General
Target: pikabot.exe
Size:   306KB
MD5:    a12001230dd6f5ca67f7935bcfdcd650
SHA1:   fd39ca7366ca63f15a6e61e2cbda9195077a83b6
SHA256: 39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206
SHA512: 224d6c55953440d894d84787a88f6230964a9ec44f323dcdc49ebd9722cc5426719f36d202b586f408d0bd8d4e1502ba7edbb9037c500b1cab31242ada6bce91
SSDEEP: 3072:engX9CnOMcKVtnEcoVzr4j0NnRT+JwMU3AWoeFE1YerPvbyg1ihk6kvtfGq0ev37:EZ7ZGVzr4jq5kJRwFE77arkR10efUKh
Score:  1/10
Malware Config
Signatures

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
  pid   Process
  3196  netstat.exe
  4348  ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3004  pikabot.exe
  3004  pikabot.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2824  whoami.exe   (27 entries)
  Token: SeDebugPrivilege  3196  netstat.exe  (1 entry)

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process      procid_target
  PID 3004 wrote to memory of 2824   3004  pikabot.exe  92  (3 entries)
  PID 3004 wrote to memory of 4348   3004  pikabot.exe  94  (3 entries)
  PID 3004 wrote to memory of 3196   3004  pikabot.exe  99  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\pikabot.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pikabot.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3004

  C:\Windows\SysWOW64\whoami.exe
    command line: whoami.exe /all
    - Suspicious use of AdjustPrivilegeToken
    PID: 2824

  C:\Windows\SysWOW64\ipconfig.exe
    command line: ipconfig.exe /all
    - Gathers network information
    PID: 4348

  C:\Windows\SysWOW64\netstat.exe
    command line: netstat.exe -aon
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID: 3196
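The process tree above is the behaviour a detection engineer would key on: a binary running from the user's Temp directory that, within a few seconds, launches whoami, ipconfig and netstat in turn. The following is an added example, not part of the Triage report and not Pikabot's or Triage's code: it runs a small chain-of-discovery detection over constructed process-creation events in a Sysmon Event ID 1 shape. The PIDs, image paths and command lines are copied from the report's tree; the timestamps, the parent of pikabot.exe and the trailing cmd.exe -> ipconfig control event are assumptions made for the example.

```python
"""Flag a parent process that launches several discovery utilities in a
short window, modelled on the pikabot.exe process tree in the report above.
Added example; event records below are constructed, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities commonly chained right after initial execution,
# mapped to the ATT&CK technique each one usually indicates.
RECON_IMAGES = {
    "whoami.exe": "T1033",      # System Owner/User Discovery
    "ipconfig.exe": "T1016",    # System Network Configuration Discovery
    "netstat.exe": "T1049",     # System Network Connections Discovery
    "systeminfo.exe": "T1082",  # System Information Discovery
    "nltest.exe": "T1482",      # Domain Trust Discovery
}

# Path fragments that mark a user-writable location for the parent image.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed events. PIDs, images and command lines mirror the report's
# process tree; timestamps, the parent of pikabot.exe (explorer.exe, PID 4412)
# and the last cmd.exe -> ipconfig event (a benign control) are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2023-11-15T14:30:05", "pid": 3004, "ppid": 4412,
     "image": r"C:\Users\Admin\AppData\Local\Temp\pikabot.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\pikabot.exe"'},
    {"ts": "2023-11-15T14:30:07", "pid": 2824, "ppid": 3004,
     "image": r"C:\Windows\SysWOW64\whoami.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\pikabot.exe",
     "cmd": "whoami.exe /all"},
    {"ts": "2023-11-15T14:30:09", "pid": 4348, "ppid": 3004,
     "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\pikabot.exe",
     "cmd": "ipconfig.exe /all"},
    {"ts": "2023-11-15T14:30:14", "pid": 3196, "ppid": 3004,
     "image": r"C:\Windows\SysWOW64\netstat.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\pikabot.exe",
     "cmd": "netstat.exe -aon"},
    {"ts": "2023-11-15T14:31:02", "pid": 5100, "ppid": 5088,
     "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmd": "ipconfig /all"},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_recon_chains(events, window_seconds=60, min_distinct=2):
    """Return one finding per parent that launches at least min_distinct
    different discovery utilities within window_seconds of each other.
    A single ipconfig from an admin's cmd.exe does not reach the threshold;
    three different tools from one Temp-resident parent does."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if image_name(ev["image"]) in RECON_IMAGES:
            by_parent[(ev["ppid"], ev["parent_image"])].append(ev)

    findings = []
    for (ppid, parent_image), evs in by_parent.items():
        # Slide a window over this parent's recon launches in time order.
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            in_window = [
                e for e in evs[i:]
                if datetime.fromisoformat(e["ts"]) - start
                <= timedelta(seconds=window_seconds)
            ]
            tools = {image_name(e["image"]) for e in in_window}
            if len(tools) >= min_distinct:
                findings.append({
                    "parent_pid": ppid,
                    "parent_image": parent_image,
                    "parent_in_user_writable_dir": any(
                        frag in parent_image.lower() for frag in USER_WRITABLE),
                    "techniques": sorted(RECON_IMAGES[t] for t in tools),
                    "command_lines": [e["cmd"] for e in in_window],
                })
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for f in detect_recon_chains(SAMPLE_EVENTS):
        print(f)
```

The rule keys on process-creation events rather than on the report's WriteProcessMemory entries, since those show the parent writing into each child it has just created rather than into an unrelated process. Raising the window or lowering min_distinct trades false positives from administrators running one tool at a time against missing slower chains; the parent_in_user_writable_dir flag is what lifts this case from "someone ran netstat" to "an executable in Temp is profiling the host".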