Overview

overview

10

Static

static

1

pica.exe

windows7-x64

10

pica.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    275d3ee9353b7a6061c2fc0582d0a9b209ef04c761668224ca7bf63483f9521f

  • Size

    2.2MB

  • Sample

    250217-t1vhpazrc1

  • MD5

    86eb7ac6ee390aa1c07d4bc780b42a8f

  • SHA1

    6851be7b2ddc1311a9b3001676c90d9cdce843f9

  • SHA256

    275d3ee9353b7a6061c2fc0582d0a9b209ef04c761668224ca7bf63483f9521f

  • SHA512

    636050ba9e601fb1122430f05a1976bc2f4851bb15aeb79d6529ab5353e4b4754c5f0f4cb9a5cdc594cdd59a131b915ded304b2db4c23bd8b19080bae34471cc

  • SSDEEP

    49152:4z4ssKKlbM+3P+CWo616eRoqFV3UVGb5N6jLliLBJoaSX32:4bKy+3GC6dRHFZfbXSa62

Score
10/10
sectopratadwarediscoverypersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Targets

    • Target

      pica.exe

    • Size

      40.0MB

    • MD5

      30ad2c460bec3cec4078de57849e76c8

    • SHA1

      86455b67f56495bbb5efa2bf19b4824c77e432b4

    • SHA256

      aabac842ff753a562b44874af5a849db7df6c1d79678c2c5e746aa3c9ade35c3

    • SHA512

      e873e4b2d7ca5df411efa2e3a13159387ad419050bf6d64e0a8151763aeb725446df3713deed736990693e916166093b05a6d74371d6516356feb169df854910

    • SSDEEP

      98304:rRq0X6DOzl4pysJwWVNUK1oiUf4EdbldN+VNQo:bXoysJwWXUKa4EvdmQo

    Score
    10/10
    sectopratdiscoveryratspywaretrojanadwarepersistenceprivilege_escalationstealer

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks