Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 09:56

Static task: static1
Behavioral task: behavioral1
- Sample: ER.exe
- Resource: win7-20240221-en (windows7-x64)
- 0 signatures
- 150 seconds
General
- Target: ER.exe
- Size: 1.4MB
- MD5: c38dd211b6f0360a53fc0c70fc6d3529
- SHA1: 7670dbdaa159f4f82777899836d09047d5d739fb
- SHA256: be992d892d7448e2fe6d6bb0f6de72fbb247ef068e6cbb8c302a2486a8aceebb
- SHA512: c9062f598fe4721e96c7224424939dfa3890dcb6025396f8a64a993d74b9e596bd330e9c2d8c624d36550626389a87e6281d057c1bf28d3da6314ba66c77e8ab
- SSDEEP: 24576:i3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6:tmYqHU7pHYY00VcCDdowG3tMa6
Malware Config (extracted)
- Family: pikabot
- C2:
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: set thread context | pid: 1080 | process: ER.exe | target PID: 4844 | target process: ctfmon.exe
- Program crash (1 IoC)
  Processes:
  pid: 688 | process: WerFault.exe | pid_target: 1080 | target process: ER.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid: 1080 | process: ER.exe (64 entries, all for pid 1080 ER.exe)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes:
  pid: 1080 | process: ER.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description: wrote to memory of | pid: 1080 | process: ER.exe | target PID: 4844 | target process: ctfmon.exe (8 entries, all identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\ER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmon.exe
    Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 496
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1080 -ip 1080
Downloads
- memory/1080-0-0x0000000000750000-0x0000000000783000-memory.dmp (Filesize: 204KB)
- memory/1080-12-0x0000000000750000-0x0000000000783000-memory.dmp (Filesize: 204KB)
- memory/4844-6-0x0000000000720000-0x0000000000739000-memory.dmp (Filesize: 100KB)
- memory/4844-1-0x0000000000720000-0x0000000000739000-memory.dmp (Filesize: 100KB)