Overview

overview

10

Static

static

1

PianoScrap.exe

windows7_x64

10

PianoScrap.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PianoScrap.exe

  • Size

    84KB

  • Sample

    210627-b5l3ms3lss

  • MD5

    7bca14e2fe5de5d8b6008d5136b3836a

  • SHA1

    dc3fa497624ec58cd1e2f687b8246e817201b4d5

  • SHA256

    6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166

  • SHA512

    1ba56070522c9ec0200e6a35b4365847f176892f82cdb49af650a16f22d385962672acdc248a5cebb21598381c239544db86363e79c88c096638d5075b22ca63

Score
10/10
dcratzloaderbootkitbotnetdiscoveryevasioninfostealerpersistenceratspywarestealertrojanvmprotect

Malware Config

Targets

    • Target

      PianoScrap.exe

    • Size

      84KB

    • MD5

      7bca14e2fe5de5d8b6008d5136b3836a

    • SHA1

      dc3fa497624ec58cd1e2f687b8246e817201b4d5

    • SHA256

      6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166

    • SHA512

      1ba56070522c9ec0200e6a35b4365847f176892f82cdb49af650a16f22d385962672acdc248a5cebb21598381c239544db86363e79c88c096638d5075b22ca63

    Score
    10/10
    zloaderbootkitbotnetdiscoveryevasionpersistencespywarestealertrojandcratinfostealerratvmprotect

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

3
T1060

New Service

1
T1050

Modify Existing Service

1
T1031

Bootkit

1
T1067

Scheduled Task

1
T1053

Privilege Escalation

New Service

1
T1050

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks