Overview

overview

10

Static

static

3

dd2b6e3aa7...df.dll

windows7-x64

1

dd2b6e3aa7...df.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll

  • Size

    840KB

  • MD5

    bcc53210e13294cbd6a8172558d99295

  • SHA1

    02f78e1449ce844dc2807d850aab397d34ec35aa

  • SHA256

    dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf

  • SHA512

    c78653407e87f4cd28bef5b9f1571039948dfce2c771ae9c2357160d97c6596f640887bbf898001f251ae4c62f727e25a5adb2487b7b583c73bf5f3dc0f2dda2

  • SSDEEP

    24576:2e9nfmpSVmL+Cf72yb1SFEtEfPmY4uRD7HpUMhOw8ghE:lBmpSVmLfCDfPJ4cDFPhmghE

Score
10/10
pikabotbotnet

Malware Config

Extracted

Family

pikabot

C2

154.53.55.165

158.247.240.58

154.12.236.248

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\ctfmon.exe
        "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
        3⤵
          PID:4372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 628
          3⤵
          • Program crash
          PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
      1⤵
        PID:3992
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:756

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1848-0-0x0000000002D20000-0x0000000002D56000-memory.dmp
          Filesize

          216KB

          Download
        • memory/1848-12-0x0000000002D20000-0x0000000002D56000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4372-1-0x00000000012C0000-0x00000000012D9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/4372-6-0x00000000012C0000-0x00000000012D9000-memory.dmp
          Filesize

          100KB

          Download