Overview

overview

10

Static

static

3

1.dll

windows7-x64

1

1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2024 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.dll

  • Size

    840KB

  • MD5

    c18ed17355b2cbeb35492c5655ce3169

  • SHA1

    4f6d42a41ed6fa567c8f0f835a2cd5662f7f3978

  • SHA256

    dcbbe31e1100edad1738c3f997543c5085b5b2a5b610dd08ada35427827c1231

  • SHA512

    82d5aa7a1b5d0e48b8532a58f734f1e7840e8a7907bf09677c46d80e43d6cb1cfc2bece10857c9f07a9cde4336bb5d0fee90fa25b38ed1566fcb9426a34b28bf

  • SSDEEP

    24576:ee9nfmpSVmL+Cf72yb1SFEtEfPmY4uRD7HpUMhOw8ghE:dBmpSVmLfCDfPJ4cDFPhmghE

Score
10/10
pikabotbotnet

Malware Config

Extracted

Family

pikabot

C2

154.53.55.165

158.247.240.58

154.12.236.248

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\ctfmon.exe
        "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
        3⤵
          PID:2904
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 628
          3⤵
          • Program crash
          PID:3052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3468 -ip 3468
      1⤵
        PID:5016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:652

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2904-1-0x0000000000CE0000-0x0000000000CF9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/2904-6-0x0000000000CE0000-0x0000000000CF9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/3468-0-0x0000000002030000-0x0000000002066000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3468-12-0x0000000002030000-0x0000000002066000-memory.dmp
          Filesize

          216KB

          Download