pikabot | 2392e38bed349ec4b17a05fd93c7a5ca7eae373f8d0e3395a8c021f0d8eb5fe0

General

Target

launcher.bat
Size

86B
MD5

ff6177f24a11eaaa28c0a98fab30a4f5
SHA1

ba676bbe65a5bbce6ae0d853dd1436fce3d50a6f
SHA256

ab163a91b6577a3f14dfb859a20c06314673c87e5d6e1c11f4793eb741d05071
SHA512

d54b744cd38278ce3172e36db6dd15ed5e01588cb612bc43898ee53d1b24ee79706f30052b289c34c17d34508b1f0486164003bb78ea25ef8670dceb8b8da636

Score

10^/10

pikabot botnet

Malware Config

Signatures

Detects PikaBot botnet 6 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2240-7-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2
behavioral4/memory/2240-9-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2
behavioral4/memory/2240-10-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2
behavioral4/memory/2240-12-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2
behavioral4/memory/2240-13-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2
behavioral4/memory/2240-16-0x0000000000F60000-0x0000000000FB1000-memory.dmp	family_pikabot_v2

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 628 set thread context of 2240 628 rundll32.exe SearchProtocolHost.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exenetstat.exe

pid process

3360 ipconfig.exe
2256 netstat.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3228 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SearchProtocolHost.exe

pid process

2240 SearchProtocolHost.exe
2240 SearchProtocolHost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

628 rundll32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

rundll32.exe

pid process

628 rundll32.exe

description	pid	process	target process
PID 628 set thread context of 2240	628	rundll32.exe	SearchProtocolHost.exe

pid	process
3360	ipconfig.exe
2256	netstat.exe

pid	process
3228	NOTEPAD.EXE

pid	process
2240	SearchProtocolHost.exe
2240	SearchProtocolHost.exe

pid	process
628	rundll32.exe

pid	process
628	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exenetstat.exe

description	pid	process
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	3532	whoami.exe
Token: SeDebugPrivilege	2256	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1204 wrote to memory of 4796	1204	cmd.exe	rundll32.exe
PID 1204 wrote to memory of 4796	1204	cmd.exe	rundll32.exe
PID 4796 wrote to memory of 628	4796	rundll32.exe	rundll32.exe
PID 4796 wrote to memory of 628	4796	rundll32.exe	rundll32.exe
PID 4796 wrote to memory of 628	4796	rundll32.exe	rundll32.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 2240	628	rundll32.exe	SearchProtocolHost.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\AlmiqueArtilleryman_pkb2.dll, Throw
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\AlmiqueArtilleryman_pkb2.dll, Throw
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\SearchProtocolHost.exe
      "C:\Windows\System32\SearchProtocolHost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2240
    - - C:\Windows\SysWOW64\whoami.exe
        
        whoami.exe /all
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig.exe /all
        5⤵
        Gathers network information
        
        PID:3360
    - - C:\Windows\SysWOW64\netstat.exe
        
        netstat.exe -aon
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2188

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-0-0x0000000000D70000-0x0000000000D73000-memory.dmp

Filesize
12KB

Download
memory/628-1-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download
memory/628-6-0x000000006FC80000-0x000000006FDD5000-memory.dmp

Filesize
1.3MB

Download
memory/2240-7-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download
memory/2240-9-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download
memory/2240-10-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download
memory/2240-12-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download
memory/2240-13-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download
memory/2240-16-0x0000000000F60000-0x0000000000FB1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads