Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2024, 09:56 UTC

General

  • Target

    7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e.exe

  • Size

    1.3MB

  • MD5

    3e56975127f436aa5e8a9b9c7af5eb23

  • SHA1

    acbf171b31c25a66d7af44bf9e1f5666acaa3f2c

  • SHA256

    7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e

  • SHA512

    f1a2d4dcc0531ee08c3b5e407b7e250743c15d0e2f320a9d74e933a94791d1185a9dc6f5f28b9e3bc8bbc364b3c98fc72e936c45b88279c773ea4507e24b3e9f

  • SSDEEP

    12288:2jwHlbKaWY6oL1T0uwJ34dW/QtQF5KXGOTBwfRzPZ15HVCjkNMOuEFcd+wtZqA8s:2yHC/QtQF5kGXZPY+1BFc2AZoyLtkwx

Score
10/10

Malware Config

Extracted

Family

pikabot

C2

158.220.95.214

172.232.208.90

194.233.91.144

158.220.95.215

84.247.157.112

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in C++.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e.exe
    "C:\Users\Admin\AppData\Local\Temp\7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      2⤵
        PID:4260

    Network

    • US
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      4.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.159.190.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      218.110.86.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      218.110.86.104.in-addr.arpa
      IN PTR
      Response
      218.110.86.104.in-addr.arpa
      IN PTR
      a104-86-110-218.deploy.static.akamaitechnologies.com
    • US
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • SG
      POST
      https://194.233.91.144:5000/api/admin.conversations.delete
      ctfmon.exe
      Remote address:
      194.233.91.144:5000
      Request
      POST /api/admin.conversations.delete HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 194.233.91.144:5000
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:57:40 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • US
      DNS
      144.91.233.194.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      144.91.233.194.in-addr.arpa
      IN PTR
      Response
      144.91.233.194.in-addr.arpa
      IN PTR
      vmd132936.contaboserver.net
    • US
      DNS
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0.lhr.llnw.net
    • DE
      POST
      https://213.199.41.33:13721/api/admin.teams.settings.setName
      ctfmon.exe
      Remote address:
      213.199.41.33:13721
      Request
      POST /api/admin.teams.settings.setName HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 213.199.41.33:13721
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:57:41 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • US
      DNS
      33.41.199.213.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      33.41.199.213.in-addr.arpa
      IN PTR
      Response
      33.41.199.213.in-addr.arpa
      IN PTR
      vmd132993.contaboserver.net
    • US
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • GB
      POST
      https://158.220.95.214:5243/api/apps.permissions.users.list
      ctfmon.exe
      Remote address:
      158.220.95.214:5243
      Request
      POST /api/apps.permissions.users.list HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 158.220.95.214:5243
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:58:30 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • US
      DNS
      214.95.220.158.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      214.95.220.158.in-addr.arpa
      IN PTR
      Response
      214.95.220.158.in-addr.arpa
      IN PTR
      vmd133007.contaboserver.net
    • DE
      POST
      https://84.247.157.112:13783/api/admin.usergroups.addTeams
      ctfmon.exe
      Remote address:
      84.247.157.112:13783
      Request
      POST /api/admin.usergroups.addTeams HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 84.247.157.112:13783
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:58:33 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • US
      DNS
      112.157.247.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      112.157.247.84.in-addr.arpa
      IN PTR
      Response
      112.157.247.84.in-addr.arpa
      IN PTR
      vmd132945.contaboserver.net
    • SG
      POST
      https://194.233.91.144:5000/api/admin.conversations.rename
      ctfmon.exe
      Remote address:
      194.233.91.144:5000
      Request
      POST /api/admin.conversations.rename HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 194.233.91.144:5000
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:59:03 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • DE
      POST
      https://213.199.41.33:13721/api/admin.teams.owners.list
      ctfmon.exe
      Remote address:
      213.199.41.33:13721
      Request
      POST /api/admin.teams.owners.list HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Accept: */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.8
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; A7F; BRI/2; Tablet PC 2.0; wbx 1.0.0; Microsoft Outlook 14.0.7233; ms-office;
      Content-Length: 5388
      Host: 213.199.41.33:13721
      Response
      HTTP/1.1 502 Bad Gateway
      Server: nginx
      Date: Tue, 02 Apr 2024 09:59:05 GMT
      Content-Type: text/html
      Content-Length: 552
      Connection: keep-alive
    • US
      DNS
      131.72.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.72.42.20.in-addr.arpa
      IN PTR
      Response
    • 20.231.121.79:80
      46 B
      1
    • 158.220.95.215:5242
      ctfmon.exe
      260 B
      5
    • 194.233.91.144:5000
      https://194.233.91.144:5000/api/admin.conversations.delete
      tls, http
      ctfmon.exe
      6.9kB
      3.7kB
      15
      11

      HTTP Request

      POST https://194.233.91.144:5000/api/admin.conversations.delete

      HTTP Response

      502
    • 213.199.41.33:13721
      https://213.199.41.33:13721/api/admin.teams.settings.setName
      tls, http
      ctfmon.exe
      6.8kB
      3.7kB
      14
      12

      HTTP Request

      POST https://213.199.41.33:13721/api/admin.teams.settings.setName

      HTTP Response

      502
    • 172.232.208.90:2223
      ctfmon.exe
      260 B
      5
    • 64.23.199.206:1194
      ctfmon.exe
      260 B
      5
    • 158.220.95.214:5243
      https://158.220.95.214:5243/api/apps.permissions.users.list
      tls, http
      ctfmon.exe
      6.7kB
      3.5kB
      11
      9

      HTTP Request

      POST https://158.220.95.214:5243/api/apps.permissions.users.list

      HTTP Response

      502
    • 84.247.157.112:13783
      https://84.247.157.112:13783/api/admin.usergroups.addTeams
      tls, http
      ctfmon.exe
      6.7kB
      3.4kB
      11
      7

      HTTP Request

      POST https://84.247.157.112:13783/api/admin.usergroups.addTeams

      HTTP Response

      502
    • 158.220.95.215:5242
      ctfmon.exe
      260 B
      5
    • 194.233.91.144:5000
      https://194.233.91.144:5000/api/admin.conversations.rename
      tls, http
      ctfmon.exe
      12.4kB
      3.7kB
      16
      11

      HTTP Request

      POST https://194.233.91.144:5000/api/admin.conversations.rename

      HTTP Response

      502
    • 213.199.41.33:13721
      https://213.199.41.33:13721/api/admin.teams.owners.list
      tls, http
      ctfmon.exe
      6.7kB
      3.5kB
      11
      8

      HTTP Request

      POST https://213.199.41.33:13721/api/admin.teams.owners.list

      HTTP Response

      502
    • 172.232.208.90:2223
      ctfmon.exe
      208 B
      4
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      4.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      4.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      218.110.86.104.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      218.110.86.104.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      144.91.233.194.in-addr.arpa
      dns
      73 B
      114 B
      1
      1

      DNS Request

      144.91.233.194.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    • 8.8.8.8:53
      33.41.199.213.in-addr.arpa
      dns
      72 B
      113 B
      1
      1

      DNS Request

      33.41.199.213.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      214.95.220.158.in-addr.arpa
      dns
      73 B
      114 B
      1
      1

      DNS Request

      214.95.220.158.in-addr.arpa

    • 8.8.8.8:53
      112.157.247.84.in-addr.arpa
      dns
      73 B
      114 B
      1
      1

      DNS Request

      112.157.247.84.in-addr.arpa

    • 8.8.8.8:53
      131.72.42.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      131.72.42.20.in-addr.arpa

    Downloads

    • memory/4260-2-0x00000000005B0000-0x00000000005CA000-memory.dmp

      Filesize

      104KB

    • memory/4260-7-0x00000000005B0000-0x00000000005CA000-memory.dmp

      Filesize

      104KB

    • memory/4728-0-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

    • memory/4728-1-0x0000000002400000-0x0000000002433000-memory.dmp

      Filesize

      204KB

    • memory/4728-10-0x0000000000740000-0x0000000000753000-memory.dmp

      Filesize

      76KB

    • memory/4728-12-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

    • memory/4728-13-0x0000000002400000-0x0000000002433000-memory.dmp

      Filesize

      204KB
