Overview

overview

10

Static

static

3

f5dea16ddf...af.dll

windows7-x64

1

f5dea16ddf...af.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2023 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll

  • Size

    786KB

  • MD5

    d68ba01bd6938145929e55bebd75f502

  • SHA1

    78b8c5e115da2838db31f7313eee0fb3b02f3f91

  • SHA256

    f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af

  • SHA512

    6684e810b38aaed715ee399c423d2912be14758b90b730c50a1f849a37154c04e8f56382cbbf593aae9924a32ed485e5a5aac30cf8c626dd26ff3b22782cef86

  • SSDEEP

    12288:xPGZgjkXi7AfTvEFL2sxpln1wyxU2mhXG5ko6GJ5+cobTKMz:xuJUUTsFLdxpl1wyxU2MXvb456br

Score
10/10
pikabotbotnet

Malware Config

Signatures

  • Detects PikaBot botnet 6 IoCs
  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5dea16ddf016590f493254c4717f94754380a3c767898a2ef0df6b19c50b7af.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Windows\SysWOW64\SearchProtocolHost.exe
        "C:\Windows\System32\SearchProtocolHost.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5080
        • C:\Windows\SysWOW64\whoami.exe
          whoami.exe /all
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig.exe /all
          4⤵
          • Gathers network information
          PID:2060
        • C:\Windows\SysWOW64\netstat.exe
          netstat.exe -aon
          4⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5080-0-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download
  • memory/5080-2-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download
  • memory/5080-3-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download
  • memory/5080-5-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download
  • memory/5080-6-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download
  • memory/5080-9-0x0000000000730000-0x0000000000781000-memory.dmp
    Filesize

    324KB

    Download