Analysis
-
max time kernel
244s -
max time network
252s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
23-02-2024 14:18
General
-
Target
EK.exe
-
Size
1.4MB
-
MD5
ea47545ac9ca1b7915b8567c84ef6f47
-
SHA1
961f43b020e27b8bc66de92ca73c52759af78bb0
-
SHA256
60ffa2a4c96b8f2a95602fc190cabedf4c5860f8514a648b601f0a96fc6da7de
-
SHA512
0936ea4e1a926c8eee1614302077585aa60070b265e861be56da62aa2a6d7ecc823934b3bc833f00c7c884628b69a0f737e5bf21248b6328ab08891457ddc33e
-
SSDEEP
24576:D3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6O:2mYqHU7pHYY00VcCDdowG3tMa6O
Score
10/10
Malware Config
Extracted
Family
pikabot
C2
109.199.99.131
154.38.175.241
23.226.138.143
23.226.138.161
145.239.135.24
178.18.246.136
141.95.106.106
104.129.55.105
57.128.165.176
Signatures
-
PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 45 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EK.exe"C:\Users\Admin\AppData\Local\Temp\EK.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ctfmon.exe"C:\Windows\SysWOW64\ctfmon.exe -p 1234"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 4962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3168 -ip 31681⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1488-1-0x0000000000A80000-0x0000000000A99000-memory.dmpFilesize
100KB
-
memory/1488-6-0x0000000000A80000-0x0000000000A99000-memory.dmpFilesize
100KB
-
memory/3168-0-0x0000000000860000-0x0000000000893000-memory.dmpFilesize
204KB
-
memory/3168-12-0x0000000000860000-0x0000000000893000-memory.dmpFilesize
204KB
-
memory/4448-15-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-14-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-13-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-19-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-20-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-21-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-22-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-23-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-24-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB
-
memory/4448-25-0x0000028E5B900000-0x0000028E5B901000-memory.dmpFilesize
4KB