Overview

overview

10

Static

static

1

887594ca6a...98.exe

windows7-x64

1

887594ca6a...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    887594ca6a20bf67064c0f2bf0db1246ab54236df3fadb7162ac8290d40b1798.exe

  • Size

    1.4MB

  • MD5

    2677fd95e54293517c0bc79fdd108f34

  • SHA1

    278e973250198ccfcd4789c8f4951e8d9fe1ff84

  • SHA256

    887594ca6a20bf67064c0f2bf0db1246ab54236df3fadb7162ac8290d40b1798

  • SHA512

    cf9a96fb75eb780b4111d48417d1d9a1373372e4a8a678a0acf1a2399d31a3d7e89b1088ab418860f95c4d1da5820c013fb94af45b2a2638b4d75ea253527de3

  • SSDEEP

    24576:63dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6L:FmYqHU7pHYY00VcCDdowG3tMa6L

Score
10/10
pikabotbotnet

Malware Config

Extracted

Family

pikabot

C2

109.199.99.131

154.38.175.241

23.226.138.143

23.226.138.161

145.239.135.24

178.18.246.136

141.95.106.106

104.129.55.105

57.128.165.176

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\887594ca6a20bf67064c0f2bf0db1246ab54236df3fadb7162ac8290d40b1798.exe
    "C:\Users\Admin\AppData\Local\Temp\887594ca6a20bf67064c0f2bf0db1246ab54236df3fadb7162ac8290d40b1798.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      2⤵
        PID:2212
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 496
        2⤵
        • Program crash
        PID:3892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3648 -ip 3648
      1⤵
        PID:2168

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2212-1-0x00000000006B0000-0x00000000006C9000-memory.dmp
        Filesize

        100KB

        Download
      • memory/2212-6-0x00000000006B0000-0x00000000006C9000-memory.dmp
        Filesize

        100KB

        Download
      • memory/3648-0-0x0000000002310000-0x0000000002343000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3648-12-0x0000000002310000-0x0000000002343000-memory.dmp
        Filesize

        204KB

        Download