Analysis
  Max time kernel: 143s
  Max time network: 150s
  Platform: windows10-2004_x64
  Resource: win10v2004-20231025-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 24-11-2023 17:31
  Static task: static1
  Behavioral task: behavioral1
  Sample: f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll
  Resource: win7-20231020-en
General
  Target: f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll
  Size: 786KB
  MD5: d68ba01bd6938145929e55bebd75f502
  SHA1: 78b8c5e115da2838db31f7313eee0fb3b02f3f91
  SHA256: f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af
  SHA512: 6684e810b38aaed715ee399c423d2912be14758b90b730c50a1f849a37154c04e8f56382cbbf593aae9924a32ed485e5a5aac30cf8c626dd26ff3b22782cef86
  SSDEEP: 12288:xPGZgjkXi7AfTvEFL2sxpln1wyxU2mhXG5ko6GJ5+cobTKMz:xuJUUTsFLdxpl1wyxU2MXvb456br
Malware Config
Signatures

Detects PikaBot botnet (6 IoCs)
  Resource (memory region) -> YARA rule:
    behavioral2/memory/5080-0-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
    behavioral2/memory/5080-2-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
    behavioral2/memory/5080-3-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
    behavioral2/memory/5080-5-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
    behavioral2/memory/5080-6-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
    behavioral2/memory/5080-9-0x0000000000730000-0x0000000000781000-memory.dmp -> family_pikabot_v2
Suspicious use of SetThreadContext (1 IoC)
  Process -> target process:
    PID 4288 rundll32.exe set thread context of PID 5080 SearchProtocolHost.exe
Gathers network information (2 TTPs, 2 IoCs)
  Uses a command-line utility to view the network configuration.
  Processes:
    PID 1112 netstat.exe
    PID 2060 ipconfig.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 5080 SearchProtocolHost.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 4288 rundll32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes:
    PID 4288 rundll32.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Token -> process:
    SeDebugPrivilege -> PID 2712 whoami.exe (27 entries)
    SeDebugPrivilege -> PID 1112 netstat.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
  Process -> target process:
    PID 1268 rundll32.exe wrote to memory of PID 4288 rundll32.exe (3 entries)
    PID 4288 rundll32.exe wrote to memory of PID 5080 SearchProtocolHost.exe (remaining 61 entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\SearchProtocolHost.exe
         Command line: "C:\Windows\System32\SearchProtocolHost.exe"
         - Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\whoami.exe
            Command line: whoami.exe /all
            - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig.exe /all
            - Gathers network information

         4. C:\Windows\SysWOW64\netstat.exe
            Command line: netstat.exe -aon
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  memory/5080-0-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)
  memory/5080-2-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)
  memory/5080-3-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)
  memory/5080-5-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)
  memory/5080-6-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)
  memory/5080-9-0x0000000000730000-0x0000000000781000-memory.dmp (Filesize: 324KB)