Analysis

max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/02/2024, 09:30

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: pikabot.dll
  Resource: win10v2004-20231222-en
  2 signatures, 150 seconds
General

Target: run.bat
Size: 51B
MD5: 3044c13a564ee6bd79c39265b2fde131
SHA1: cff15aa8a701795e9f33b74862a6543c66fd5907
SHA256: 4a5ba34c467a320db4a3da2512cf455f9dabf573fd41f5c1ba13becd70cc31aa
SHA512: 732677b92c94638f477d4b22e94485a8b59fc0bd90bd35ba9fc2497f2fbdca197acd89b432a7ad6f4bc375c28a02aa49248efebfb68a285f94d74adad7d56956
Malware Config

Signatures

Detects PikaBot botnet (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4960-9-0x00000000005F0000-0x0000000000630000-memory.dmp   family_pikabot_v2
  behavioral2/memory/4960-10-0x00000000005F0000-0x0000000000630000-memory.dmp  family_pikabot_v2
  behavioral2/memory/4960-11-0x00000000005F0000-0x0000000000630000-memory.dmp  family_pikabot_v2

Dave packer (1 IoCs)
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  resource                                                                     yara_rule
  behavioral2/memory/4076-3-0x0000000002740000-0x00000000027B3000-memory.dmp   dave

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process       procid_target
  PID 4076 set thread context of 4960   4076  rundll32.exe  87

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4960  SearchFilterHost.exe
  4960  SearchFilterHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoCs)
  pid   Process
  4076  rundll32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process       procid_target
  PID 1184 wrote to memory of 2940   1184  cmd.exe       85
  PID 2940 wrote to memory of 4076   2940  rundll32.exe  86
  PID 4076 wrote to memory of 4960   4076  rundll32.exe  87
  (the report lists 64 such events; the rows above are the distinct entries, the rest are verbatim repeats of the last row)
Processes

1. C:\Windows\system32\cmd.exe
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
   PID: 1184
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pikabot.dll,Enter
      PID: 2940
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         rundll32.exe C:\Users\Admin\AppData\Local\Temp\pikabot.dll,Enter
         PID: 4076
         - Suspicious use of SetThreadContext
         - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\SearchFilterHost.exe
            "C:\Windows\System32\SearchFilterHost.exe"
            PID: 4960
            - Suspicious behavior: EnumeratesProcesses