Analysis

  • max time kernel
    152s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2024, 09:56 UTC

General

  • Target
    0e244c6cec7b9ffb12e2d0bca91ccd7a4633189e96b508ea32be7b9eccf186b3.exe
  • Size
    1.4MB
  • MD5
    d4a85a8ca85271cffbd2ada694d3f009
  • SHA1
    50cb1d688973a06b039471323e929bf54341bcf1
  • SHA256
    0e244c6cec7b9ffb12e2d0bca91ccd7a4633189e96b508ea32be7b9eccf186b3
  • SHA512
    b08fa0bb2e0837b8672b54ed763f6458f5c78f21f43f3d2f1b68a2dcc3f5a32725a38c88465e76d38f1d01819c49e768024d0b65624021e51fdb78bc2c964d2b
  • SSDEEP
    24576:d3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6K:ImYqHU7pHYY00VcCDdowG3tMa6K

Score
10/10

Malware Config

Extracted

Family

pikabot

C2


Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and is written in C++.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e244c6cec7b9ffb12e2d0bca91ccd7a4633189e96b508ea32be7b9eccf186b3.exe (PID 3568)
    "C:\Users\Admin\AppData\Local\Temp\0e244c6cec7b9ffb12e2d0bca91ccd7a4633189e96b508ea32be7b9eccf186b3.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\ctfmon.exe (PID 5808, child of 3568)
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
    • C:\Windows\SysWOW64\WerFault.exe (PID 2208, child of 3568)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 496
      Signatures: Program crash
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4600)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4468 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
  • C:\Windows\SysWOW64\WerFault.exe (PID 2120)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3568 -ip 3568

Network

DNS lookups (all sent to 8.8.8.8:53, US; each is one IN PTR request with one response)

  Query                         Sent   Received  Response (IN PTR)
  228.249.119.40.in-addr.arpa   73 B   159 B     (no PTR record)
  218.110.86.104.in-addr.arpa   73 B   139 B     a104-86-110-218deploystaticakamaitechnologiescom
  23.159.190.20.in-addr.arpa    72 B   158 B     (no PTR record)
  95.221.229.192.in-addr.arpa   73 B   144 B     (no PTR record)
  86.23.85.13.in-addr.arpa      70 B   144 B     (no PTR record)
  196.249.167.52.in-addr.arpa   73 B   147 B     (no PTR record)
  198.187.3.20.in-addr.arpa     71 B   157 B     (no PTR record)
  240.221.184.93.in-addr.arpa   73 B   144 B     (no PTR record)
  58.55.71.13.in-addr.arpa      70 B   144 B     (no PTR record)
  13.227.111.52.in-addr.arpa    72 B   158 B     (no PTR record)
  249.110.86.104.in-addr.arpa   73 B   139 B     a104-86-110-249deploystaticakamaitechnologiescom
  67.112.168.52.in-addr.arpa    72 B   146 B     (no PTR record)

Other connections

  Remote address       Process      Sent    Received  Pkts sent  Pkts received
  142.250.187.202:443  (not shown)  46 B    40 B      1          1
  89.117.23.34:5938    ctfmon.exe   260 B   -         5          -
  37.60.242.85:9785    ctfmon.exe   260 B   -         5          -
  37.60.242.86:2967    ctfmon.exe   260 B   -         5          -
  86.38.225.106:2221   ctfmon.exe   208 B   -         4          -

Downloads

  • memory/3568-0-0x0000000000820000-0x0000000000853000-memory.dmp (204KB)
  • memory/3568-1-0x0000000000820000-0x0000000000853000-memory.dmp (204KB)
  • memory/3568-13-0x0000000000820000-0x0000000000853000-memory.dmp (204KB)
  • memory/5808-2-0x00000000009E0000-0x00000000009F9000-memory.dmp (100KB)
  • memory/5808-7-0x00000000009E0000-0x00000000009F9000-memory.dmp (100KB)
