Analysis

max time kernel: 155s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2024 14:33

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 1.dll
Resource: win7-20240220-en
windows7-x64
2 signatures
150 seconds
General

Target: 1.dll
Size: 840KB
MD5: c18ed17355b2cbeb35492c5655ce3169
SHA1: 4f6d42a41ed6fa567c8f0f835a2cd5662f7f3978
SHA256: dcbbe31e1100edad1738c3f997543c5085b5b2a5b610dd08ada35427827c1231
SHA512: 82d5aa7a1b5d0e48b8532a58f734f1e7840e8a7907bf09677c46d80e43d6cb1cfc2bece10857c9f07a9cde4336bb5d0fee90fa25b38ed1566fcb9426a34b28bf
SSDEEP: 24576:ee9nfmpSVmL+Cf72yb1SFEtEfPmY4uRD7HpUMhOw8ghE:dBmpSVmLfCDfPJ4cDFPhmghE
Malware Config

Extracted
Family: pikabot
C2:
154.53.55.165
158.247.240.58
154.12.236.248
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description                              pid   Process       procid_target
PID 3468 set thread context of 2904      3468  rundll32.exe  102

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
3052  3468        WerFault.exe  93

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3468  rundll32.exe   (this same row is listed 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
3468  rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoCs)
pid   Process
3468  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                          pid   Process       procid_target
PID 3396 wrote to memory of 3468     3396  rundll32.exe  93
PID 3396 wrote to memory of 3468     3396  rundll32.exe  93
PID 3396 wrote to memory of 3468     3396  rundll32.exe  93
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
PID 3468 wrote to memory of 2904     3468  rundll32.exe  102
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  PID: 3396
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    PID: 3468
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      PID: 2904

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 628
      PID: 3052
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3468 -ip 3468
  PID: 5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID: 652