Analysis
-
max time kernel
143s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
submitted
02-04-2024 13:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll
Resource
win7-20240221-en
windows7-x64
2 signatures
150 seconds
General
Malware Config
Extracted
Family
pikabot
C2
https://154.53.55.165:13719
https://158.247.240.58:5688
https://70.34.223.164:5000
https://70.34.199.64:9785
https://45.77.63.237:5687
https://198.38.94.213:2224
https://94.72.104.80:5000
https://84.46.240.42:2083
https://154.12.236.248:13722
https://94.72.104.77:13724
https://209.126.86.48:1194
Signatures
-
Pikabot family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1848 set thread context of 4372 1848 rundll32.exe 97 -
Program crash 1 IoCs
pid pid_target Process procid_target 3708 1848 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe 1848 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1848 rundll32.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid Process 1848 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4104 wrote to memory of 1848 4104 rundll32.exe 93 PID 4104 wrote to memory of 1848 4104 rundll32.exe 93 PID 4104 wrote to memory of 1848 4104 rundll32.exe 93 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97 PID 1848 wrote to memory of 4372 1848 rundll32.exe 97
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#12⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\ctfmon.exe"C:\Windows\SysWOW64\ctfmon.exe -p 1234"3⤵
- System Location Discovery: System Language Discovery
PID:4372
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 6283⤵
- Program crash
PID:3708
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 18481⤵PID:3992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:756