Overview

overview

10

Static

static

3

filename.exe

windows7-x64

3

filename.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    filename.exe

  • Size

    1.4MB

  • MD5

    1db34920c3ae3eb8560695f89e92d930

  • SHA1

    531fea122037a7b503e0fcb42aa24382a9631ac8

  • SHA256

    569cf3de44279490ab8fe47d78ace6d5cbd6e6413be9d14316d31338eef12bdd

  • SHA512

    b311b876c06e8d056a06991a8ebbcfd56c47a0b5d72e5f6ac94a20546f5c7bb857b143d22a09649e630d2474dfe8b7c9115b102443fe12910969f55178a74336

  • SSDEEP

    24576:y0/wpWGxRsnyM3LF+0mlBnjs60nEisX1N9rm1Jo/13JQyjLc22dEaY7Unbya87CJ://wn0x3LFfmHnIZE9rm1Ji3hLc22dEa3

Score
10/10
pikabotbotnetdiscovery

Malware Config

Extracted

Family

pikabot

C2

https://23.226.138.161:5242

https://104.156.233.235:2226

https://108.61.78.17:13719

https://103.82.243.5:13721

https://37.60.242.85:9785

https://86.38.225.106:2221

https://154.201.81.8:2967

https://104.129.55.105:2223

https://43.229.78.74:2226

Signatures

  • PikaBot

    PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.

    botnetpikabot
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\filename.exe
    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Windows\SysWOW64\ctfmon.exe
      "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3384-2-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3384-7-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3796-0-0x0000000002340000-0x0000000002373000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3796-1-0x0000000000660000-0x0000000000673000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3796-14-0x0000000002340000-0x0000000002373000-memory.dmp

    Filesize

    204KB

    Download