Overview

overview

10

Static

static

3

AlmiqueArt...kb.dll

windows7-x64

3

AlmiqueArt...kb.dll

windows10-2004-x64

3

launcher.bat

windows7-x64

1

launcher.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2023 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    launcher.bat

  • Size

    78B

  • MD5

    b798e505cab8b4485e6564c2ebe7ca9a

  • SHA1

    dcae7a12511993699e426df80c6a685f0b516d49

  • SHA256

    6c09f67e986a895de62234143490469fcc8bc393c4cc5e8d58346ea5e6f77395

  • SHA512

    9743066cbd1ce7d2795dfbe97ad268258fadd7846bbd9e3ccd25db613d11653fabfd7c1501becad4a5bae332629e8275cedbdd292584ac856770b57d581100bb

Score
10/10
pikabotbotnet

Malware Config

Signatures

  • Detects PikaBot botnet 6 IoCs
  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\system32\rundll32.exe
      rundll32.exe AlmiqueArtilleryman_pkb.dll, Throw
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe AlmiqueArtilleryman_pkb.dll, Throw
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\SearchProtocolHost.exe
          "C:\Windows\System32\SearchProtocolHost.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1140
          • C:\Windows\SysWOW64\whoami.exe
            whoami.exe /all
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3868
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig.exe /all
            5⤵
            • Gathers network information
            PID:2984
          • C:\Windows\SysWOW64\netstat.exe
            netstat.exe -aon
            5⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-0-0x0000000000FD0000-0x0000000000FD3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/748-1-0x0000000010000000-0x00000000100C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/748-6-0x000000006FC80000-0x000000006FDD5000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1140-7-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-9-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-10-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-12-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-13-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-16-0x0000000000840000-0x0000000000891000-memory.dmp

    Filesize

    324KB

    Download