Overview

overview

10

Static

static

1

Installer (1).msi

windows10-2004-x64

10

Resubmissions

28-12-2023 13:55

231228-q77j2seeb9 10

15-12-2023 22:14

231215-15mf7shecm 8

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2023 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer (1).msi

  • Size

    1.4MB

  • MD5

    f3805cdf687890992345aaa4577b86a4

  • SHA1

    697362f0a495bc1fc692f8bc3b12a81522404cc5

  • SHA256

    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

  • SHA512

    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

  • SSDEEP

    24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl

Score
10/10
pikabotbotnetdave

Malware Config

Signatures

  • Detect Pikabot payload 4 IoCs

    Detect Pikabot payload.

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3716
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2008
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding AA8D9AF0C7AE7EE7E5E8B39DD740A0EE
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\SysWOW64\SearchProtocolHost.exe
          "C:\Windows\System32\SearchProtocolHost.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3152
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3608

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57a828.rbs
      Filesize

      8KB

      MD5

      58d3f3fddc96f7fbe8c906a207c16e3f

      SHA1

      fdf4d2162d2c5b96e63fc282f267789ce0a0e455

      SHA256

      c5370295ed5f94933ff0a250688f56cf68daa819562bbdbf4c8556c71d345bc5

      SHA512

      5eef66e641c5276a24daa81cccc28c0850f8f7343ac99e479bbc62fb410c2835a4088f2f735323b974c538a9a589727d0f4d0009617c0e9548f6d4c5c02f3eb7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
      Filesize

      45KB

      MD5

      c9c41ef92b3985f2602706c78160945c

      SHA1

      75e94e9f9aee0ab17b96a612c0da6fef788eeb99

      SHA256

      a177cd84c26e52a824b925dcff802f9c57fb7b7aa12877d1eef572210367f64f

      SHA512

      302a05eb03d6a718ab7b58e1807ddc8efa102440e3db7d76396244b53f1ead4d934dd1e8ed999d0d65c760479276820a0694b8a35c56808f3ed0c860432eaa76

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
      Filesize

      727B

      MD5

      7a3b8457313a521e0d44f91765a4e041

      SHA1

      4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

      SHA256

      2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

      SHA512

      7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
      Filesize

      314B

      MD5

      77cfcc97dbfb1a7c5c04fac72189521c

      SHA1

      c037b6e63b3dab3fec940a6872ad59dc8f420581

      SHA256

      b33f8dc77988beb2deb735de244cf37c3840e9c715754b8a2503c0014b3c19e5

      SHA512

      a4ef4fc15839ef241993f167bb68479e3d465ae6a26c8285a2acaf8059813216583aa265c0b185f5cece39b2ac50cb31ae1ed9ee615a0fcd816984093441a07f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
      Filesize

      478B

      MD5

      628188d5d3ec1fb861abafe11044d5a3

      SHA1

      9205d9aee14bb3dfc01c3b3a7e5d2e1dad9e61c0

      SHA256

      1b2547e7afd3d842b3cd5d14979675b85db92b75c39c33c276145efdef2e3d90

      SHA512

      8c9f2e2feeee5e190065219c132d04da1365991ca38b82dae1cbea3e8b5d8af4a53c6022d1fc3ffe593a425d2c823c014dce20ac6ad1f3541245b4763647bec4

      Download Submit
    • C:\Windows\Installer\MSIA922.tmp
      Filesize

      832KB

      MD5

      7e5ab6a503580519314c91cc467a1f05

      SHA1

      d869593bbdb597cc84d40bcae3a71b7d7f638d01

      SHA256

      619edc1fe110b4ea89493d1ead9d6b5bf0851fe0fb1e93dba1dfabdf68326328

      SHA512

      9c4dbab75ea2dee7e32b14372416621cb14cb865c6dc5ada97062d1a38cd48fb917c53dfd19b50aaf2342fd2effab418e69cf081fb19ab9e0628b15ad978c0fe

      Download Submit
    • C:\Windows\Installer\MSIA922.tmp
      Filesize

      768KB

      MD5

      f087631fbf8f8b9b4bcf91ff6a78c813

      SHA1

      71966d01bebba4f501f23c840c73691d1d52abe2

      SHA256

      73bc090115ceb5ef4c2a339d96cf9ea175d4acfefca20d82d26f24cc6609ef18

      SHA512

      1f4c3244e6eedebf4560aa96860eaea9a2ad059bc1fdc62047e82ada6439f888da5cfdb2f3a6deb0284a3a3a129e5ba733886b87c0c46e39198f86b12e3db779

      Download Submit
    • C:\Windows\Installer\e57a827.msi
      Filesize

      1.4MB

      MD5

      f3805cdf687890992345aaa4577b86a4

      SHA1

      697362f0a495bc1fc692f8bc3b12a81522404cc5

      SHA256

      514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

      SHA512

      6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      1.3MB

      MD5

      db8eb37668277641eb11b24df2071150

      SHA1

      bde78696435d15ff753cb966865f18309d7c5360

      SHA256

      e4291b2aefaee60128b44d204735e382d43d1dc01ae6c4b9ce9f05e11e71fe96

      SHA512

      9470adbb857222716b30143f4b12471a7c2c71e08a04b2f67dfbcf3609a0db3f4f228402b883cdda76fab3bc6d99bb31710ac0ce51e103f6c167f6466e6cb2b1

      Download Submit
    • \??\Volume{119bf5f3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dfb9a67c-fba7-408f-bf8f-565ba353218a}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      37a7e4dc75f9671638b5982da0638d36

      SHA1

      488606e5222b1fb1ddf61d1757ccf0c62384dedf

      SHA256

      8af5b892922cd87b844b375d955d7c027e580e93381c14f6f2a3aa1b85188ce9

      SHA512

      2f881487a7407fb150c349e98154b73ab6a0517242775d0a47609ad5c5cd5a29dd6dab4da695424ed16d969db50cc51b7397f88cdc0974573b85c50f9a686148

      Download Submit
    • memory/3152-35-0x0000000000CF0000-0x0000000000D41000-memory.dmp
      Filesize

      324KB

      Download
    • memory/3152-36-0x0000000000CF0000-0x0000000000D41000-memory.dmp
      Filesize

      324KB

      Download
    • memory/3152-55-0x0000000000CF0000-0x0000000000D41000-memory.dmp
      Filesize

      324KB

      Download
    • memory/3152-56-0x0000000000CF0000-0x0000000000D41000-memory.dmp
      Filesize

      324KB

      Download
    • memory/4696-25-0x0000000010000000-0x0000000010154000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4696-27-0x00000000032A0000-0x0000000003324000-memory.dmp
      Filesize

      528KB

      Download
    • memory/4696-26-0x0000000003330000-0x00000000033B7000-memory.dmp
      Filesize

      540KB

      Download
    • memory/4696-31-0x00000000033C0000-0x0000000003444000-memory.dmp
      Filesize

      528KB

      Download