Analysis

max time kernel: 40s
max time network: 42s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 18:53
Static task: static1

General

Target: JXC.exe
Size: 1.4MB
MD5: 20990f6ff64d31077fec22f640e7b67b
SHA1: 9053e89a6d12f01aafe4d793065db6879168cba6
SHA256: a9677832e0b19aab863d243aec2245a0be5d916477bd58ae10b8674b912161b2
SHA512: 5ed6de42e83525cb8d47b7ba195b2b5106c4efdf8fbe00da55d58b95c5c81a0a02846c544073390847806ad36ab3d288041548b4b1bc7b8cd437e5c0dcf8d03b
SSDEEP: 24576:m3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6Z:BmYqHU7pHYY00VcCDdowG3tMa6Z
Malware Config

Extracted
Family: pikabot
C2:
  109.199.99.131
  154.38.175.241
  23.226.138.143
  23.226.138.161
  145.239.135.24
  178.18.246.136
  141.95.106.106
  104.129.55.105
  57.128.165.176
Signatures

Program crash (1 IoC)
  pid   process       pid_target  target process
  2820  WerFault.exe  4136        JXC.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  4136  JXC.exe  (the same pid/process pair is reported for all 64 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\JXC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JXC.exe"
   Signatures: Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\ctfmon.exe
      Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 492
      Signatures: Program crash
      (the -p 4136 argument names the crashed process: JXC.exe, pid 4136, per the Signatures section)

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
memory/2732-2-0x0000000000DC0000-0x0000000000DD9000-memory.dmp   Filesize: 100KB
memory/2732-7-0x0000000000DC0000-0x0000000000DD9000-memory.dmp   Filesize: 100KB
memory/4136-0-0x00000000022F0000-0x0000000002323000-memory.dmp   Filesize: 204KB
memory/4136-1-0x00000000022F0000-0x0000000002323000-memory.dmp   Filesize: 204KB
memory/4136-13-0x00000000022F0000-0x0000000002323000-memory.dmp  Filesize: 204KB