Analysis
max time kernel: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
submitted: 10-01-2024 23:56
Static task: static1 (1 signature)
General
Malware Config (extracted)
Family: pikabot
C2 (IP:port):
  192.248.174.52:5631
  109.123.227.104:2221
  65.20.98.24:13783
  154.38.184.3:2223
  155.138.203.158:1194
  210.243.8.247:23399
  139.180.185.171:2222
  154.221.30.136:13724
  65.20.82.254:5243
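The nine C2 endpoints above are the most directly actionable artefact in this report. The following is an added example (not code from the sandbox or from any vendor) that parses that list, validates each entry, emits one Suricata alert rule per endpoint, and checks a handful of flow records against it. The flow records and the SID base are constructed for illustration; only the host:port pairs come from the report. Note that several of the ports (1194, 2222, 2221, 2223) are ones a firewall may already allow outbound for VPN or SSH-style traffic, so matching on the destination host as well as the exact host:port pair is worthwhile.

```python
"""Turn the extracted PikaBot C2 list into network detections.

Added example, not part of the sandbox report. The C2 endpoints are the
nine host:port pairs from the Malware Config section; the flow log lines
and the Suricata SID base are constructed for illustration.
"""
import ipaddress
from typing import Iterable

# Verbatim from the report's "Malware Config / C2" list.
C2_TEXT = """
192.248.174.52:5631
109.123.227.104:2221
65.20.98.24:13783
154.38.184.3:2223
155.138.203.158:1194
210.243.8.247:23399
139.180.185.171:2222
154.221.30.136:13724
65.20.82.254:5243
"""


def parse_c2(text: str) -> list[tuple[str, int]]:
    """Parse 'ip:port' lines, validating the IP and port range; skip blanks/comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        ip = ipaddress.ip_address(host)  # raises ValueError on a malformed host
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port in {line!r}")
        out.append((str(ip), p))
    return out


def suricata_rules(c2: Iterable[tuple[str, int]], sid_base: int = 9000001) -> list[str]:
    """One alert rule per endpoint. The SID base is an assumption: use a free local range."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"PikaBot C2 {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Constructed flow records (src, dst, dport); not from the report.
FLOWS = [
    ("10.0.0.5", "155.138.203.158", 1194),  # exact C2 match (1194 is the usual OpenVPN port)
    ("10.0.0.5", "155.138.203.158", 443),   # same attacker host, different port
    ("10.0.0.7", "65.20.82.254", 5243),     # exact C2 match
    ("10.0.0.9", "8.8.8.8", 53),            # benign
]


def match_flows(flows, c2):
    """Split flows into exact (dst, dport) C2 hits and flows that reach a C2 host
    on some other port. The hosts are attacker-controlled regardless of port, so
    the second list is worth reviewing rather than discarding."""
    exact = {(ip, p) for ip, p in c2}
    hosts = {ip for ip, _ in c2}
    hits, host_only = [], []
    for src, dst, dport in flows:
        if (dst, dport) in exact:
            hits.append((src, dst, dport))
        elif dst in hosts:
            host_only.append((src, dst, dport))
    return hits, host_only


if __name__ == "__main__":
    c2 = parse_c2(C2_TEXT)
    for rule in suricata_rules(c2):
        print(rule)
    hits, host_only = match_flows(FLOWS, c2)
    print("exact C2 hits:", hits)
    print("C2 host on another port:", host_only)
```

The rules key on destination IP and port only; if the sample's traffic can be captured, a content or TLS fingerprint match should be layered on top, since bare IP indicators go stale quickly.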
Signatures
Detects PikaBot botnet (4 IoCs)
  YARA rule family_pikabot_v2 matched the same 0x0000000000400000-0x000000000044F000 region of PID 4824 in four successive memory dumps:
    behavioral1/memory/4824-0-0x0000000000400000-0x000000000044F000-memory.dmp
    behavioral1/memory/4824-1-0x0000000000400000-0x000000000044F000-memory.dmp
    behavioral1/memory/4824-2-0x0000000000400000-0x000000000044F000-memory.dmp
    behavioral1/memory/4824-5-0x0000000000400000-0x000000000044F000-memory.dmp
  PID 4824 is the SearchProtocolHost.exe instance listed under Processes, not the rundll32.exe that loaded the DLL: the unpacked PikaBot image lives in the injected host process, so that is the process to dump for further analysis.
Pikabot family
Suspicious use of SetThreadContext (1 IoC)
  PID 3648 (rundll32.exe) set the thread context of PID 4824 (SearchProtocolHost.exe, procid_target 17).
  Read together with the WriteProcessMemory entries below, this is the write-then-redirect pattern of process hollowing: the payload is written into the child and the child's thread is pointed at it.
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (SearchProtocolHost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (rundll32.exe)
  Both the loader (rundll32.exe) and the injected payload (SearchProtocolHost.exe) read the key.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4824 (SearchProtocolHost.exe), two occurrences
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  PID 3648 (rundll32.exe)
  The signature name denotes a child created with the process mitigation policy that blocks non-Microsoft-signed binaries from loading into it, which keeps third-party security DLLs out of the process that is about to host the payload.
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4272 (rundll32.exe) wrote to memory of PID 3648 (procid_target 14): 3 entries
  PID 3648 (rundll32.exe) wrote to memory of PID 4824 (procid_target 17): the remaining 61 entries
  A few writes from a parent into a freshly created child are part of normal process start-up; sixty-odd writes into SearchProtocolHost.exe followed by SetThreadContext on the same target are the payload going in.
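The signatures above record the injection as separate counters (WriteProcessMemory, SetThreadContext, the parent/child relationship, the module path) that only become convincing when correlated per writer/target pair. The following is an added example, not code from the sandbox or any vendor, that scores each pair from event records constructed to mirror this report: 3 writes from 4272 into 3648, 61 writes from 3648 into 4824, and one SetThreadContext from 3648 to 4824. The record layout, the expected-parent table, the user-writable path list and the thresholds are my own assumptions, and treating 4272 as the parent of 3648 is an inference from the write direction (the report lists both rundll32 instances at the same depth).

```python
"""Score the process-injection chain recorded in the signatures above.

Added example, not code from the sandbox or any vendor. The event list is
constructed to mirror the report's IoCs (3 WriteProcessMemory calls 4272->3648,
61 calls 3648->4824, one SetThreadContext 3648->4824); the field names, the
expected-parent table and the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]


# Command line shown for both rundll32 instances in the report's process tree.
DLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
           r"\e1179516c0fe8cbf69566d5db63c6d1d7d02d67b04eae5800f9a950fb07fee81.dll,#1")

# Parent of 3648 is taken to be 4272 because 4272 wrote into it; the report
# lists both rundll32 instances at depth 1, so this is an inference.
PROCS = {
    4272: Proc(4272, r"C:\Windows\system32\rundll32.exe", DLL_CMD, None),
    3648: Proc(3648, r"C:\Windows\SysWOW64\rundll32.exe", DLL_CMD, 4272),
    4824: Proc(4824, r"C:\Windows\SysWOW64\SearchProtocolHost.exe",
               r'"C:\Windows\System32\SearchProtocolHost.exe"', 3648),
}

# (api, source pid, target pid), in the proportions the report lists.
EVENTS = ([("WriteProcessMemory", 4272, 3648)] * 3
          + [("WriteProcessMemory", 3648, 4824)] * 61
          + [("SetThreadContext", 3648, 4824)])

# Binaries that normally have one fixed parent; anything else spawning and
# writing into them is a hollowing tell. Table is an assumption.
EXPECTED_PARENT = {"searchprotocolhost.exe": "searchindexer.exe"}
# Directories a standard user can write to; a LOLBin loading a module from
# here is a signal on its own.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def loads_from_user_path(p: Proc) -> bool:
    """rundll32/regsvr32 handed a module under a user-writable directory."""
    return (basename(p.image) in ("rundll32.exe", "regsvr32.exe")
            and any(m in p.cmdline.lower() for m in USER_WRITABLE))


def score_pairs(procs, events, write_threshold=8):
    """Return {(src_pid, tgt_pid): (severity, reasons)} for every writer/target pair.
    A few writes into a just-created child are normal (the parent sets up the
    child's PEB and parameters); many writes plus SetThreadContext are not."""
    writes, ctx = Counter(), set()
    for api, src, tgt in events:
        if api == "WriteProcessMemory":
            writes[(src, tgt)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, tgt))
    findings = {}
    for (src, tgt), n in writes.items():
        sp, tp = procs.get(src), procs.get(tgt)
        reasons = []
        if (src, tgt) in ctx:
            reasons.append("SetThreadContext on a process it also wrote to (hollowing pattern)")
        if n >= write_threshold:
            reasons.append(f"{n} WriteProcessMemory calls into target")
        if sp and tp and tp.parent == src:
            expected = EXPECTED_PARENT.get(basename(tp.image))
            if expected and expected != basename(sp.image):
                reasons.append(f"{basename(tp.image)} spawned by {basename(sp.image)}, expected {expected}")
        if sp and loads_from_user_path(sp):
            reasons.append("source is a LOLBin loading a module from a user-writable path")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        findings[(src, tgt)] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for pair, (sev, why) in score_pairs(PROCS, EVENTS).items():
        print(pair, sev, *why, sep="\n  ")
```

With the report's numbers the 4272 to 3648 pair scores low (three writes, no context change, only the Temp-path module as a signal) while 3648 to 4824 scores high on all four signals; the point is that the write count alone would have flagged both identically.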
Processes
C:\Windows\SysWOW64\rundll32.exe  (PID 3648, depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1179516c0fe8cbf69566d5db63c6d1d7d02d67b04eae5800f9a950fb07fee81.dll,#1
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\SearchProtocolHost.exe  (PID 4824, depth 2)
    command line: "C:\Windows\System32\SearchProtocolHost.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\rundll32.exe  (PID 4272, depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1179516c0fe8cbf69566d5db63c6d1d7d02d67b04eae5800f9a950fb07fee81.dll,#1
  - Suspicious use of WriteProcessMemory

Notes on the tree: the DLL is invoked by export ordinal (#1) rather than by name, and it is loaded from the user's Temp directory. The 64-bit rundll32.exe (PID 4272) and the 32-bit SysWOW64 copy (PID 3648) carry the same command line, and the WriteProcessMemory entries show 4272 writing into 3648, which is consistent with the 64-bit loader relaunching the DLL under the 32-bit rundll32. The child's command line names System32\SearchProtocolHost.exe but the image that actually ran is the SysWOW64 copy: WoW64 file-system redirection applied because the 32-bit rundll32 created it, so the hollowed host is 32-bit, matching the 32-bit payload region (0x400000-0x44F000) that the YARA rule hit in PID 4824.