Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
20-11-2023 14:33
General
-
Target
launcher.bat
-
Size
82B
-
MD5
57a97b0b1b4d1f1418acb99e27c61423
-
SHA1
bd9a011eeaf67e32a0242675ee2214105947a408
-
SHA256
aa64b11b87f40593764f6b9a9fb2b87ab0cce1059305834862be0a5844308b7d
-
SHA512
c72c6cdd07d9ee843d2bdc7a5eb19e3c29caf2781535b6ceafcf3a0cc63ef2ca57cc26da9b9c7e6ae08e031295c9fb6651a86e7d0502715a6fbddde53417b466
Score
10/10
Malware Config
Signatures
-
Detects PikaBot botnet 8 IoCs
-
PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
-
Suspicious use of SetThreadContext 2 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\whoami.exewhoami.exe /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all5⤵
- Gathers network information
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -aon5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw2⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2960-0-0x0000000000AF0000-0x0000000000AF3000-memory.dmpFilesize
12KB
-
memory/2960-1-0x0000000010000000-0x00000000100C7000-memory.dmpFilesize
796KB
-
memory/2960-6-0x000000006FC80000-0x000000006FDD5000-memory.dmpFilesize
1.3MB
-
memory/3156-35-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3156-34-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-7-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-9-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-10-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-12-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-13-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB
-
memory/3416-16-0x00000000003D0000-0x0000000000421000-memory.dmpFilesize
324KB