Overview
overview
7Static
static
3FreePiano/...no.exe
windows7-x64
1FreePiano/...no.exe
windows10-2004-x64
3FreePiano/...f2.dll
windows7-x64
1FreePiano/...f2.dll
windows10-2004-x64
1FreePiano/...p4.exe
windows7-x64
1FreePiano/...p4.exe
windows10-2004-x64
1FreePiano/...no.dll
windows7-x64
1FreePiano/...no.dll
windows10-2004-x64
1QWERTY/Mid...ty.exe
windows7-x64
1QWERTY/Mid...ty.exe
windows10-2004-x64
1QWERTY/SDL2.dll
windows7-x64
1QWERTY/SDL2.dll
windows10-2004-x64
1QWERTY/portmidi.dll
windows7-x64
1QWERTY/portmidi.dll
windows10-2004-x64
1setuploopbe1.exe
windows7-x64
7setuploopbe1.exe
windows10-2004-x64
7$PLUGINSDI...PI.dll
windows7-x64
1$PLUGINSDI...PI.dll
windows10-2004-x64
1$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...st.exe
windows7-x64
1$PLUGINSDI...st.exe
windows10-2004-x64
1$PLUGINSDI...e1.sys
windows7-x64
1$PLUGINSDI...e1.sys
windows10-2004-x64
1$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2024, 19:37
Static task
static1
Behavioral task
behavioral1
Sample
FreePiano/freepiano.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
FreePiano/freepiano.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
FreePiano/plugins/plugin_sf2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
FreePiano/plugins/plugin_sf2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
FreePiano/plugins/plugin_xfmp4.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
FreePiano/plugins/plugin_xfmp4.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
FreePiano/vsti/mdaPiano.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
FreePiano/vsti/mdaPiano.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
QWERTY/Midi to Qwerty.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
QWERTY/Midi to Qwerty.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
QWERTY/SDL2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
QWERTY/SDL2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
QWERTY/portmidi.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
QWERTY/portmidi.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
setuploopbe1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
setuploopbe1.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/DIFxAPI.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/DIFxAPI.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/drvinst.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/drvinst.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/loopbe1.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/loopbe1.sys
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
FreePiano/freepiano.exe
-
Size
1.3MB
-
MD5
0742c857b186d7178a6f13c16765086c
-
SHA1
082a0aebe67a8991a968972127d2ee8bad6bab1d
-
SHA256
f53c7cdf9fa04426f4e1100d7347d35eeb4fbd7c6795651412d229fa77ab8698
-
SHA512
d2d6877092dfb2483a0b9efa2b7774178185c9c477b66baaaf38b30b672f023008e2e8a2289f205f3c73ead24f5360b578f6a56100c9687422b060f1cb5c673d
-
SSDEEP
24576:GVGj/JdqXfc9NubYNr7dxGycjkUTZZWIDR7p35DNy09x/:GVGjhdjTWarBxGYUTbW0d57V
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 33 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} freepiano.exe Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell freepiano.exe Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ freepiano.exe Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 freepiano.exe Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 freepiano.exe Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" freepiano.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ freepiano.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2332 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2332 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3492 freepiano.exe 3492 freepiano.exe 3492 freepiano.exe 3492 freepiano.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FreePiano\freepiano.exe"C:\Users\Admin\AppData\Local\Temp\FreePiano\freepiano.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3492
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x4901⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332