Analysis
max time kernel: 40s
max time network: 42s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 18:53
Static task: static1
General
Target: JXC.exe
Size: 1.4MB
MD5: 20990f6ff64d31077fec22f640e7b67b
SHA1: 9053e89a6d12f01aafe4d793065db6879168cba6
SHA256: a9677832e0b19aab863d243aec2245a0be5d916477bd58ae10b8674b912161b2
SHA512: 5ed6de42e83525cb8d47b7ba195b2b5106c4efdf8fbe00da55d58b95c5c81a0a02846c544073390847806ad36ab3d288041548b4b1bc7b8cd437e5c0dcf8d03b
SSDEEP: 24576:m3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6Z:BmYqHU7pHYY00VcCDdowG3tMa6Z
Malware Config
Extracted
Family: pikabot
C2:
109.199.99.131
154.38.175.241
23.226.138.143
23.226.138.161
145.239.135.24
178.18.246.136
141.95.106.106
104.129.55.105
57.128.165.176
Signatures
- Program crash (1 IoC)
  pid: 2820, pid_target: 4136, Process: WerFault.exe, procid_target: 90
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4136, Process: JXC.exe (all 64 rows identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\JXC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JXC.exe"
  Signature: Suspicious behavior: EnumeratesProcesses
  PID: 4136
  - C:\Windows\SysWOW64\ctfmon.exe
    Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
    PID: 2732
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 492
    Signature: Program crash
    PID: 2820
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136
  PID: 2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 3716