5ed97453be92c324567e6d0baf4bc7d001b5925e71ad957e495463893ed1af1d

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Karaoke Player.exe
Size

1.4MB
MD5

67af1b28b6f88d0034fbe1d5c6174240
SHA1

10f0e5eb56c4ddd4dbbdc7bb210b619683841d38
SHA256

1d428f44d92b40ccf5d71f0ceeaa1679e10bd9dbf74b5ae7c51d292920bb543a
SHA512

792013a6f5eb67f5cd2c0a608c6897c76d24f2c203995b33bea75fa0c1d69f5abe1b803e28a42d3376de09679d11a9b85e7e4214b52da6a08db0ee992257f15e
SSDEEP

24576:M0T2vebca8z0/YQmrp0T2vebca8z0/HR2j1tIljX842GCnv9uM3kQYYjkub:92ixvYTrg2ixvHRiiX842GCnv8EkQYYx

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2944	Regsvr32.exe
1636	Regsvr32.exe
1800	Karaoke Player.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Karaoke Player.exe
File opened (read-only)	\??\I:	Karaoke Player.exe
File opened (read-only)	\??\K:	Karaoke Player.exe
File opened (read-only)	\??\L:	Karaoke Player.exe
File opened (read-only)	\??\O:	Karaoke Player.exe
File opened (read-only)	\??\S:	Karaoke Player.exe
File opened (read-only)	\??\U:	Karaoke Player.exe
File opened (read-only)	\??\H:	Karaoke Player.exe
File opened (read-only)	\??\M:	Karaoke Player.exe
File opened (read-only)	\??\R:	Karaoke Player.exe
File opened (read-only)	\??\A:	Karaoke Player.exe
File opened (read-only)	\??\G:	Karaoke Player.exe
File opened (read-only)	\??\W:	Karaoke Player.exe
File opened (read-only)	\??\Z:	Karaoke Player.exe
File opened (read-only)	\??\T:	Karaoke Player.exe
File opened (read-only)	\??\X:	Karaoke Player.exe
File opened (read-only)	\??\B:	Karaoke Player.exe
File opened (read-only)	\??\E:	Karaoke Player.exe
File opened (read-only)	\??\J:	Karaoke Player.exe
File opened (read-only)	\??\N:	Karaoke Player.exe
File opened (read-only)	\??\P:	Karaoke Player.exe
File opened (read-only)	\??\Q:	Karaoke Player.exe
File opened (read-only)	\??\Y:	Karaoke Player.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AlphaDIB.dll	Karaoke Player.exe
File opened for modification	C:\Windows\SysWOW64\AlphaDIB.dll	Karaoke Player.exe
File created	C:\Windows\SysWOW64\dx7vb.dll	Karaoke Player.exe
File opened for modification	C:\Windows\SysWOW64\dx7vb.dll	Karaoke Player.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\KpSetDate.ini	Karaoke Player.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{556CF2F8-C867-407A-8663-0F6D11ECDFA5}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F244642D-E67F-4D61-886A-8E58594E90DB}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mp3Play.Mp3PlayCtrl.1	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22005FBF-3C18-4CBF-B473-3E27C1643E9A}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D467C75-15E4-456E-A127-5727E0B91A06}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2BAFF457-D4A7-4C68-B96B-AE0DD37E4BF6}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FCB69DC-57E4-46DB-805F-E3E747F6D012}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F244642D-E67F-4D61-886A-8E58594E90DB}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC0F04F3-8681-4F38-A647-251F2DB40CC4}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\HELPDIR\	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60819407-3CCE-11D2-A800-008048E89E3E}\TypeLib\ = "{60819404-3CCE-11D2-A800-008048E89E3E}"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C02F02E3-3B0B-4944-86AC-0F72330D59E6}\ = "_cBitmap"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2785BCD-069F-481D-85ED-13C0BC18E4A5}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76F4D4AA-16B2-48C3-877A-3658E914B6B8}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RICHTX32.OCX"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAEACA6B-7EF9-4256-8B0A-28DB58C0CE0A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C368CE04-C49C-4CFC-B084-016158BFA848}\VERSION	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COMDLG32.OCX"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B00B10D-6EF0-11D1-A6AA-0020AFE4DE54}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mp3Play.ocx"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FBD0810B-66C1-4CDD-B04B-CFB636A3B8E7}\ = "__cScrollBar"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{932A6F7A-E710-4BF1-B469-AB5B5F61474D}\ProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7833E9D1-FC56-45D6-B76D-8EBBDE077F82}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAEACA6B-7EF9-4256-8B0A-28DB58C0CE0A}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{077843BD-79F8-435B-8065-FA96B69499CD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7262EB07-AF04-4D8F-9966-05ED6E36C657}\InprocServer32\ = "C:\\Windows\\SysWow64\\AlphaDIB.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC130FB0-7B69-4097-9C98-4BB437AB62BC}\TypeLib\Version = "7.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B529BA3-A659-4B2C-9A8F-8980F102886C}\TypeLib\Version = "7.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{619D367B-5E1C-4146-8D76-A183336FEC66}\ = "_cImageProcessDIB"	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.cDIBSectionSave	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7833E9D1-FC56-45D6-B76D-8EBBDE077F82}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34BDA848-2C36-40C4-8076-6AC28F2A3297}\TypeLib\Version = "7.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F244642D-E67F-4D61-886A-8E58594E90DB}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F90FA753-BAEF-4A73-83FA-C90CE796D419}\VERSION	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.IWindowsHook\ = "AlphaDIB.IWindowsHook"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFBEC4C6-839E-11D1-85FE-0020AFE4DE54}	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D467C75-15E4-456E-A127-5727E0B91A06}\ = "_cCommonDialog"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3582C51-3121-4E10-B7DC-EDFD4D8F21AE}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E15FE4C0-8EA1-4CE7-8309-38F29595D0D5}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34BDA848-2C36-40C4-8076-6AC28F2A3297}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFEC2C61-6343-416F-80DD-DC3B2E8B3117}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF177B1D-80F6-4FFA-B8B5-4A915977FB36}\ProxyStubClsid	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Version	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B00B10A-6EF0-11D1-A6AA-0020AFE4DE54}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mp3Play.ocx"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FFBEC4C3-839E-11D1-85FE-0020AFE4DE54}\1.0\FLAGS	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB6D2F18-6677-4646-8FE4-2361805CA252}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.cPalette\ = "256 Colors Dib Section Palette Class"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60819405-3CCE-11D2-A800-008048E89E3E}\ = "_DEffect"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFEC2C61-6343-416F-80DD-DC3B2E8B3117}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB6D2F18-6677-4646-8FE4-2361805CA252}\ = "Keyboard/Accelerator Class. Important!\nInit(hwnd) -> (AddAccelerator) -> Enabled=True!"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{077843BD-79F8-435B-8065-FA96B69499CD}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA8553CE-E4A9-4132-A316-EA24DEBFB7CA}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7DF1A90-7546-41BE-B0F9-4F26A7DA6D8A}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D958ECAE-0410-462B-BF2D-0FAB473F32CE}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22005FBF-3C18-4CBF-B473-3E27C1643E9A}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{060F4642-855F-4380-92CC-05B2EF76CABB}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{932A6F7A-E710-4BF1-B469-AB5B5F61474D}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7833E9D1-FC56-45D6-B76D-8EBBDE077F82}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22005FBF-3C18-4CBF-B473-3E27C1643E9A}\TypeLib\Version = "7.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26981441-2430-426A-8977-F1D5591203EF}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69C1E8A9-EA24-4363-B12F-E395144C51F9}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1800	Karaoke Player.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1800	Karaoke Player.exe
1800	Karaoke Player.exe
1800	Karaoke Player.exe
1800	Karaoke Player.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 2944	1800	Karaoke Player.exe	28
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29
PID 1800 wrote to memory of 1636	1800	Karaoke Player.exe	29

C:\Users\Admin\AppData\Local\Temp\Karaoke Player.exe
"C:\Users\Admin\AppData\Local\Temp\Karaoke Player.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s "C:\Windows\system32\AlphaDIB.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2944
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s "C:\Windows\system32\dx7vb.dll"
  2⤵
  - Loads dropped DLL
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AlphaDIB.dll

Filesize
740KB

MD5
08f61aa236190c5ae82ac2025312fc67

SHA1
17561c1bc8526a14e19168ac2e72000874250e40

SHA256
45d06642016f4037ae707a1ed07546cdfa679ab96b9bb2c808b8c846334a7a88

SHA512
057ab52f42c2678cd4597cbd1df39e43809c00420a0086a11d812cf7e7e0f85feb75fe818cf7ce5f70a518589200caa4e2b27b41cb9c8de3ba418e468328c85f

Download Submit
C:\Windows\SysWOW64\dx7vb.dll

Filesize
604KB

MD5
6cae2684d2d48c68b508f494c44a88a3

SHA1
f7cd95b1cea79dc5a861cb8a18244b34a1bd0b38

SHA256
d8e1d644db690b5169a1deba1697d3fb3a93e2bfbc56c6ff6ed564d5022cd9d6

SHA512
d836578e50a54eb05b5bef1fd993cd494432860b3c408c0b099a213d107fa07951aee83ffdd8f782753538a5f7f4f9ac055d96e07fcf27b9fe8cb11a1824d505

Download Submit
memory/1800-3-0x0000000005920000-0x0000000005941000-memory.dmp

Filesize
132KB

Download
memory/1800-7-0x0000000005980000-0x00000000059CB000-memory.dmp

Filesize
300KB

Download