Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 09:56
- Static task: static1
- Behavioral task: behavioral1
  - Sample: HJ.exe
  - Resource: win7-20240221-en (windows7-x64)
  - 0 signatures, 150 seconds
General
- Target: HJ.exe
- Size: 1.4MB
- MD5: 7a36e1ebf13b1950a75851bd95c6aabd
- SHA1: 68684e8fa82045bef1e132e0d4d9d215d4483c8f
- SHA256: 8eab535445ef91400fa8776ac3cef4f06c71a60832b8699db1fbccf8aacd5806
- SHA512: 0cd409b60d982cc549a91d9c7dd2b2b78ef169e0dbb0374f384cd8240cdc2078d29b6276d20994de1bbefffe499268b8941df87f00629b30ba8727f2f786dc0c
- SSDEEP: 24576:u3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6N:JmYqHU7pHYY00VcCDdowG3tMa6N
Malware Config (Extracted)
- Family: pikabot
- C2:
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 3500 set thread context of 1532 | pid: 3500 | process: HJ.exe | target process: ctfmon.exe
- Program crash (1 IoC)
  Processes:
  pid: 4828 | pid_target: 3500 | process: WerFault.exe | target process: HJ.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid: 3500 | process: HJ.exe (64 entries, all identical)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes:
  pid: 3500 | process: HJ.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description: PID 3500 wrote to memory of 1532 | pid: 3500 | process: HJ.exe | target process: ctfmon.exe (8 entries, all identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\HJ.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\HJ.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmon.exe
    command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 492
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3500 -ip 3500
Downloads
- memory/1532-1-0x0000000000A40000-0x0000000000A59000-memory.dmp (Filesize: 100KB)
- memory/1532-6-0x0000000000A40000-0x0000000000A59000-memory.dmp (Filesize: 100KB)
- memory/3500-0-0x00000000007B0000-0x00000000007E3000-memory.dmp (Filesize: 204KB)
- memory/3500-12-0x00000000007B0000-0x00000000007E3000-memory.dmp (Filesize: 204KB)