Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • submitted
    02-04-2024 13:33

General

  • Target

    dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll

Malware Config

Extracted

Family

pikabot

C2


Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in C++.

  • Pikabot family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\ctfmon.exe
        "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 628
        3⤵
        • Program crash
        PID:3708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
    1⤵
    PID:3992
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
      1⤵
      PID:756

Downloads

  • memory/1848-0-0x0000000002D20000-0x0000000002D56000-memory.dmp
    Filesize: 216KB
  • memory/1848-12-0x0000000002D20000-0x0000000002D56000-memory.dmp
    Filesize: 216KB
  • memory/4372-1-0x00000000012C0000-0x00000000012D9000-memory.dmp
    Filesize: 100KB
  • memory/4372-6-0x00000000012C0000-0x00000000012D9000-memory.dmp
    Filesize: 100KB