Overview

overview

10

Static

static

1

MGIU.exe

windows7-x64

1

MGIU.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2024 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MGIU.exe

  • Size

    1.4MB

  • MD5

    cf435e0b10436bc7b504d6d4689e626c

  • SHA1

    9da40327c2638b56e79e21bdb3871e4fb2fa669d

  • SHA256

    3ba4bdd4bcea3f61fb13239dda807dc46d43af3e0f4d3b80caaac625e07a6cfa

  • SHA512

    02e12e4a129b418aa95db9c33f39d6600b4ec2a7ca687fffabbc33b4c51b5103e85ff16ad0e90690112a4f6e7d4a226c1d385ac2e603e18b0c3341d53674970a

  • SSDEEP

    24576:A3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6S:TmYqHU7pHYY00VcCDdowG3tMa6S

Score
10/10
pikabotbotnet

Malware Config

Extracted

Family

pikabot

C2

109.199.99.131

154.38.175.241

23.226.138.143

23.226.138.161

145.239.135.24

178.18.246.136

141.95.106.106

104.129.55.105

57.128.165.176

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MGIU.exe
    "C:\Users\Admin\AppData\Local\Temp\MGIU.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      2⤵
        PID:1384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 492
        2⤵
        • Program crash
        PID:4316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1864 -ip 1864
      1⤵
        PID:4296

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1384-1-0x0000000000780000-0x0000000000799000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1384-6-0x0000000000780000-0x0000000000799000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1864-0-0x0000000000850000-0x0000000000883000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1864-12-0x0000000000850000-0x0000000000883000-memory.dmp
        Filesize

        204KB

        Download