Analysis
  Max time kernel: 146s
  Max time network: 154s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240226-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 28-02-2024 11:00

  Static task: static1
  Behavioral task: behavioral1
    Sample: MGIU.exe
    Resource: win7-20240221-en (windows7-x64)
    0 signatures
    150 seconds
General
  Target: MGIU.exe
  Size: 1.4MB
  MD5: cf435e0b10436bc7b504d6d4689e626c
  SHA1: 9da40327c2638b56e79e21bdb3871e4fb2fa669d
  SHA256: 3ba4bdd4bcea3f61fb13239dda807dc46d43af3e0f4d3b80caaac625e07a6cfa
  SHA512: 02e12e4a129b418aa95db9c33f39d6600b4ec2a7ca687fffabbc33b4c51b5103e85ff16ad0e90690112a4f6e7d4a226c1d385ac2e603e18b0c3341d53674970a
  SSDEEP: 24576:A3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6S:TmYqHU7pHYY00VcCDdowG3tMa6S
Malware Config (extracted)
  Family: pikabot
  C2:
    109.199.99.131
    154.38.175.241
    23.226.138.143
    23.226.138.161
    145.239.135.24
    178.18.246.136
    141.95.106.106
    104.129.55.105
    57.128.165.176
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process   procid_target
  PID 1864 set thread context of 1384    1864  MGIU.exe  94

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4316  1864        WerFault.exe  88

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1864  MGIU.exe   (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  pid   Process
  1864  MGIU.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process   procid_target
  PID 1864 wrote to memory of 1384     1864  MGIU.exe  94   (8 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\MGIU.exe (PID 1864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MGIU.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\ctfmon.exe (PID 1384)
      Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
    C:\Windows\SysWOW64\WerFault.exe (PID 4316)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 492
      Signatures:
        - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4296)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1864 -ip 1864