Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 03:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: b26eea12f0335364ffc49ecd7b04865d451f4f227724458ce1412cfd841350ee.js
- Resource: win7-20240221-en
General
- Target: b26eea12f0335364ffc49ecd7b04865d451f4f227724458ce1412cfd841350ee.js
- Size: 31KB
- MD5: e9c73ed6c39e2ef61523b30276577627
- SHA1: f35c4cc45bfc6c9e0572a6a66237059e025b01d4
- SHA256: b26eea12f0335364ffc49ecd7b04865d451f4f227724458ce1412cfd841350ee
- SHA512: e4d6fae624e925476e0426d4e22f726cdfe675dc3414123ddbf061b34cf07558ec77fea4e91537f790e7e5fcc0bd78686a9344773fb9a006bcee423b37476d7a
- SSDEEP: 768:EDUXzs48+bNw749cw19CTW3YUwPyTUPu6a/n5/:EDcIcq7cZ9+AYFyTv6a/5/
Malware Config
Extracted family: pikabot
C2 addresses:
- 158.220.95.214
- 172.232.208.90
- 194.233.91.144
- 158.220.95.215
- 84.247.157.112
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow / pid / process):
  - 4 / 3604 / wscript.exe
  - 8 / 3604 / wscript.exe
  - 10 / 3604 / wscript.exe
  - 12 / 3604 / wscript.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation / wscript.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3476 / vx.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 3476 set thread context of 1288 / 3476 / vx.exe / ctfmon.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 3476 / vx.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  - 3476 / vx.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes (pid / process):
  - 3476 / vx.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 3604 wrote to memory of 3476 / 3604 / wscript.exe / vx.exe (3 entries)
  - PID 3476 wrote to memory of 1288 / 3476 / vx.exe / ctfmon.exe (8 entries)
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\b26eea12f0335364ffc49ecd7b04865d451f4f227724458ce1412cfd841350ee.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\users\public\vx.exe (depth 2)
    Command line: "C:\users\public\vx.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ctfmon.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Public\vx.exe
  Filesize: 1.3MB
  MD5: 3e56975127f436aa5e8a9b9c7af5eb23
  SHA1: acbf171b31c25a66d7af44bf9e1f5666acaa3f2c
  SHA256: 7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e
  SHA512: f1a2d4dcc0531ee08c3b5e407b7e250743c15d0e2f320a9d74e933a94791d1185a9dc6f5f28b9e3bc8bbc364b3c98fc72e936c45b88279c773ea4507e24b3e9f
- memory/1288-23-0x0000000000FD0000-0x0000000000FEA000-memory.dmp
  Filesize: 104KB
- memory/1288-28-0x0000000000FD0000-0x0000000000FEA000-memory.dmp
  Filesize: 104KB
- memory/3476-19-0x0000000000400000-0x000000000055E000-memory.dmp
  Filesize: 1.4MB
- memory/3476-21-0x0000000002460000-0x0000000002493000-memory.dmp
  Filesize: 204KB
- memory/3476-22-0x00000000022E0000-0x00000000022F3000-memory.dmp
  Filesize: 76KB
- memory/3476-32-0x0000000000400000-0x000000000055E000-memory.dmp
  Filesize: 1.4MB
- memory/3476-34-0x0000000002460000-0x0000000002493000-memory.dmp
  Filesize: 204KB