Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2023 14:33
Static task: static1
Behavioral task: behavioral1
- Sample: AlmiqueArtilleryman_pkb3.dll
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: AlmiqueArtilleryman_pkb3.dll
- Resource: win10v2004-20231023-en
Behavioral task: behavioral3
- Sample: launcher.bat
- Resource: win7-20231023-en
General
- Target: launcher.bat
- Size: 82B
- MD5: 57a97b0b1b4d1f1418acb99e27c61423
- SHA1: bd9a011eeaf67e32a0242675ee2214105947a408
- SHA256: aa64b11b87f40593764f6b9a9fb2b87ab0cce1059305834862be0a5844308b7d
- SHA512: c72c6cdd07d9ee843d2bdc7a5eb19e3c29caf2781535b6ceafcf3a0cc63ef2ca57cc26da9b9c7e6ae08e031295c9fb6651a86e7d0502715a6fbddde53417b466
Malware Config
Signatures

- Detects PikaBot botnet (8 IoCs)
  Processes:
  resource | yara_rule
  behavioral4/memory/3416-7-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3416-9-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3416-10-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3416-12-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3416-13-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3416-16-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3156-35-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2
  behavioral4/memory/3156-34-0x00000000003D0000-0x0000000000421000-memory.dmp | family_pikabot_v2

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2960 set thread context of 3416 | 2960 | rundll32.exe | SearchProtocolHost.exe
  PID 3308 set thread context of 3156 | 3308 | rundll32.exe | SearchProtocolHost.exe

- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, netstat.exe
  pid | process
  1724 | ipconfig.exe
  1448 | netstat.exe

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid | process
  1044 | NOTEPAD.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: SearchProtocolHost.exe
  pid | process
  3416 | SearchProtocolHost.exe
  3416 | SearchProtocolHost.exe

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid | process
  2960 | rundll32.exe
  3308 | rundll32.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid | process
  2960 | rundll32.exe
  3308 | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: whoami.exe, netstat.exe
  description | pid | process
  Token: SeDebugPrivilege | 416 | whoami.exe (27 identical entries)
  Token: SeDebugPrivilege | 1448 | netstat.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2336 wrote to memory of 3568 | 2336 | cmd.exe | rundll32.exe (2 identical entries)
  PID 3568 wrote to memory of 2960 | 3568 | rundll32.exe | rundll32.exe (3 identical entries)
  PID 2960 wrote to memory of 3416 | 2960 | rundll32.exe | SearchProtocolHost.exe (59 identical entries)
Processes

- C:\Windows\system32\cmd.exe (level 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (level 2)
    Command line: rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\SearchProtocolHost.exe (level 4)
        Command line: "C:\Windows\System32\SearchProtocolHost.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\whoami.exe (level 5)
          Command line: whoami.exe /all
          Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\ipconfig.exe (level 5)
          Command line: ipconfig.exe /all
          Signatures: Gathers network information
        - C:\Windows\SysWOW64\netstat.exe (level 5)
          Command line: netstat.exe -aon
          Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\System32\NOTEPAD.EXE (level 1)
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
  Signatures: Opens file in notepad (likely ransom note)

- C:\Windows\system32\cmd.exe (level 1)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "
  - C:\Windows\system32\rundll32.exe (level 2)
    Command line: rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - C:\Windows\SysWOW64\SearchProtocolHost.exe (level 4)
        Command line: "C:\Windows\System32\SearchProtocolHost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2960-0-0x0000000000AF0000-0x0000000000AF3000-memory.dmp (filesize 12KB)
- memory/2960-1-0x0000000010000000-0x00000000100C7000-memory.dmp (filesize 796KB)
- memory/2960-6-0x000000006FC80000-0x000000006FDD5000-memory.dmp (filesize 1.3MB)
- memory/3156-35-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3156-34-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-7-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-9-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-10-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-12-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-13-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)
- memory/3416-16-0x00000000003D0000-0x0000000000421000-memory.dmp (filesize 324KB)