4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b

Analysis

max time kernel
57s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
Size

13.3MB
MD5

3ce2f5712657e01d676cb0ae55739f0b
SHA1

e5f393f2cfc3b26888ded73a1f92656cbc7d3e9e
SHA256

4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b
SHA512

3fa28eb575ec71e23df4e298896673b2903b6c8ddaf731b074471d5b648cccdc0645b46e37a73288c00920df178bf6a6205611c7a32dea7ca2cf8387a4dda68b
SSDEEP

393216:hnHwKPD0KvRidhTR+T7N7T8/1aRq0m1U85FW:h0KvuJRA7N7Q/1cq3t+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	876	WScript.exe
4	876	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
600	Karaoke.exe
1032	krun.exe

Loads dropped DLL 8 IoCs

pid	Process
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\To\Zi\vismut.vbs	krun.exe
File opened for modification	C:\Program Files (x86)\Karaoke	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File opened for modification	C:\Program Files (x86)\Karaoke\Karaoke.exe	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File created	C:\Program Files (x86)\Karaoke\krun.exe	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\parlament.vbs	krun.exe
File opened for modification	C:\Program Files (x86)\To\Zi\mwerfwerwre.dff	krun.exe
File opened for modification	C:\Program Files (x86)\To\Zi\chisti_kaif.bat	krun.exe
File created	C:\Program Files (x86)\Karaoke\__tmp_rar_sfx_access_check_7088279	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File created	C:\Program Files (x86)\Karaoke\Karaoke.exe	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File opened for modification	C:\Program Files (x86)\Karaoke\krun.exe	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\ziiil.sa	krun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Karaoke.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
600	Karaoke.exe
600	Karaoke.exe
600	Karaoke.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 600	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	27
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1720 wrote to memory of 1032	1720	4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe	28
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1032 wrote to memory of 1460	1032	krun.exe	29
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 904	1460	cmd.exe	31
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32
PID 1460 wrote to memory of 876	1460	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe
"C:\Users\Admin\AppData\Local\Temp\4ea74f0ef7a8288dfd0f3d8513588363c9692c2ba904afca58df55a40c065e9b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Program Files (x86)\Karaoke\Karaoke.exe
  "C:\Program Files (x86)\Karaoke\Karaoke.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:600
- C:\Program Files (x86)\Karaoke\krun.exe
  "C:\Program Files (x86)\Karaoke\krun.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\To\Zi\chisti_kaif.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\To\Zi\parlament.vbs"
      4⤵
      Drops file in Drivers directory
      PID:904
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\To\Zi\vismut.vbs"
      4⤵
      Blocklisted process makes network request
      PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
C:\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
C:\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
C:\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
C:\Program Files (x86)\To\Zi\chisti_kaif.bat

Filesize
1KB

MD5
92e9f9f7d0f48e84fec05f5a3accd15c

SHA1
2f68cda3b9c01806d1b3257c2510c611d66d8acf

SHA256
72477c611b537d21f1ff581a817e3a8b1517ecd3008aae07afc5f0e3d0c49303

SHA512
30635b91584fb4fec19f59db9e5d56542d08be81aafda094cafdeee8d32544cd1f542b955a11c769ed6ba790b7fded345bd4a886d5499c7a73ae867914df7063

Download Submit
C:\Program Files (x86)\To\Zi\mwerfwerwre.dff

Filesize
49B

MD5
9e64da86ab11221587327da5af92711e

SHA1
5314bdcca69c3550d4bd2cb21d53b806a0b2b050

SHA256
b9d0736c78ebe8c9619fb2b74073b83572ae5cce97bb9c32ff8f4cc366b9b784

SHA512
f56ced30cd8def9c30a27c562059be33073e2cdf0a3de147cd798ba3770df47acdd4c93d231e4601e738484e28fbfc60855ef8d134a5089f89fba40cf4030b65

Download Submit
C:\Program Files (x86)\To\Zi\parlament.vbs

Filesize
1KB

MD5
a3925a7d27f20afa08138e6c2a6edbc7

SHA1
fcb58051e79bb773ec6cf072ad9f57617bfad4e4

SHA256
b3b99067b3b873410929bc1f6bb2539d16ed4cab22619a005d5fab711fea863e

SHA512
c95a85d4430b416f389cc6bef00f4eb54c25ba6d0d542edb4c4efdecee17d687bb03094940f2830ecff14ae73c9516e42968501b3e48a65126d2b7f97ae03d4f

Download Submit
C:\Program Files (x86)\To\Zi\vismut.vbs

Filesize
340B

MD5
71fa91e6aa616f9b7e5dbeb622c5e104

SHA1
d8b4447c07e013b1a8620e1757c6f7f7d038e2df

SHA256
422637a1017d62311afd80ab832830a6fdb9091ef3798ece520e2f62537f972d

SHA512
95f6ad4eb9d261da2dca4ed75b96bb2254e938fb388f1d82d71d2a1e68c150894e9784862fd1823d88086b3d916c83c5927f344c3c773158570c7792a55dfb5f

Download Submit
C:\Program Files (x86)\To\Zi\ziiil.sa

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
2ff28777babea67b0f1470f628989da6

SHA1
60346d2cb00165f88897acb3da547a0fc87cdc20

SHA256
343264ae09ecef46b8bae85795077b76fca90989f2ca23a49c78449a7dbafb80

SHA512
f87c7d1c5fc522f9021cc21ef0e2446a8b40b452f30d146348d0fef45cf8a4468e8bc34cabf7a15a949ffb8e46a1e847b40ec5ff1e17bfefe7a3705283e23549

Download Submit
\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
\Program Files (x86)\Karaoke\Karaoke.exe

Filesize
12.8MB

MD5
08091a2a9c5d51bb5d2dd1b4061d5aaf

SHA1
885d01f5cbb7408e8bfd6be0fae75f68b239b13b

SHA256
8be8da5f42800f4e37e414f19c21c107acd35e5564894cab76d50f0fcb8a8690

SHA512
602c6ad475d6503ca445f8c683d786dde2101d1ad4516d0835c6d6cdd870d91605b6582d52e315d7c55ec4f2ae1d0aeef844544c8caa3d9c108a678a6810ac47

Download Submit
\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
\Program Files (x86)\Karaoke\krun.exe

Filesize
116KB

MD5
d2999fb136ce5ee64bf9e0651698dc33

SHA1
dfc65f34f71367558036c8ea89dcd30b94aafe38

SHA256
9b7e9426d188132632d3f3a32893455118bb475df6c63d22b87f39182b90d363

SHA512
78d3aff2714e7374cbc92bc33ab554f3eccef0adb73f396346f3ca015ad2bbd3303fbfbb9797a3bd065bb3d29df5a2d287b4bdf21e9019c71661c43c4272fc8c

Download Submit
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download