5ed97453be92c324567e6d0baf4bc7d001b5925e71ad957e495463893ed1af1d

Analysis

max time kernel
52s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Karaoke Player.exe
Size

1.4MB
MD5

67af1b28b6f88d0034fbe1d5c6174240
SHA1

10f0e5eb56c4ddd4dbbdc7bb210b619683841d38
SHA256

1d428f44d92b40ccf5d71f0ceeaa1679e10bd9dbf74b5ae7c51d292920bb543a
SHA512

792013a6f5eb67f5cd2c0a608c6897c76d24f2c203995b33bea75fa0c1d69f5abe1b803e28a42d3376de09679d11a9b85e7e4214b52da6a08db0ee992257f15e
SSDEEP

24576:M0T2vebca8z0/YQmrp0T2vebca8z0/HR2j1tIljX842GCnv9uM3kQYYjkub:92ixvYTrg2ixvHRiiX842GCnv8EkQYYx

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4452	Regsvr32.exe
2848	Regsvr32.exe
3724	Karaoke Player.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Karaoke Player.exe
File opened (read-only)	\??\P:	Karaoke Player.exe
File opened (read-only)	\??\Q:	Karaoke Player.exe
File opened (read-only)	\??\T:	Karaoke Player.exe
File opened (read-only)	\??\V:	Karaoke Player.exe
File opened (read-only)	\??\G:	Karaoke Player.exe
File opened (read-only)	\??\J:	Karaoke Player.exe
File opened (read-only)	\??\M:	Karaoke Player.exe
File opened (read-only)	\??\X:	Karaoke Player.exe
File opened (read-only)	\??\W:	Karaoke Player.exe
File opened (read-only)	\??\A:	Karaoke Player.exe
File opened (read-only)	\??\K:	Karaoke Player.exe
File opened (read-only)	\??\N:	Karaoke Player.exe
File opened (read-only)	\??\Z:	Karaoke Player.exe
File opened (read-only)	\??\B:	Karaoke Player.exe
File opened (read-only)	\??\E:	Karaoke Player.exe
File opened (read-only)	\??\S:	Karaoke Player.exe
File opened (read-only)	\??\R:	Karaoke Player.exe
File opened (read-only)	\??\U:	Karaoke Player.exe
File opened (read-only)	\??\Y:	Karaoke Player.exe
File opened (read-only)	\??\H:	Karaoke Player.exe
File opened (read-only)	\??\I:	Karaoke Player.exe
File opened (read-only)	\??\L:	Karaoke Player.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AlphaDIB.dll	Karaoke Player.exe
File opened for modification	C:\Windows\SysWOW64\AlphaDIB.dll	Karaoke Player.exe
File created	C:\Windows\SysWOW64\dx7vb.dll	Karaoke Player.exe
File opened for modification	C:\Windows\SysWOW64\dx7vb.dll	Karaoke Player.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\KpSetDate.ini	Karaoke Player.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFBEC4C4-839E-11D1-85FE-0020AFE4DE54}\ = "_DMp3Enc"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34BDA848-2C36-40C4-8076-6AC28F2A3297}\ = "_clsSysTray"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.IOwnerDrawButton\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.cScrollBar\ = "AlphaDIB.cScrollBar"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5678F511-22CA-4E88-97D5-06480CE9AC1D}\VERSION	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1919A3D-4620-4643-9534-4E1D8B456E22}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8226B2F0-D473-4C5E-94C1-5E5C4B6ED512}\ = "_cPalette"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAEACA6B-7EF9-4256-8B0A-28DB58C0CE0A}\TypeLib\Version = "7.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{619D367B-5E1C-4146-8D76-A183336FEC66}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{047FF39C-80C9-4F5E-800D-635EF4C63A36}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F2996E1-BB8B-46A9-B72A-B14CEA21A806}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5678F511-22CA-4E88-97D5-06480CE9AC1D}\VERSION\ = "7.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\TypeLib	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B00B10D-6EF0-11D1-A6AA-0020AFE4DE54}\ = "Dialog-Medien Mp3Play Control"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18B6853C-7AF7-466F-A9E3-00E617DDF083}\InprocServer32\ = "C:\\Windows\\SysWow64\\AlphaDIB.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7DF1A90-7546-41BE-B0F9-4F26A7DA6D8A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ = "ITreeViewEvents"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C02F02E3-3B0B-4944-86AC-0F72330D59E6}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2785BCD-069F-481D-85ED-13C0BC18E4A5}\ProxyStubClsid	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ = "ITreeView"	Karaoke Player.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B00B10D-6EF0-11D1-A6AA-0020AFE4DE54}	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFBEC4C5-839E-11D1-85FE-0020AFE4DE54}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C7BD216-F558-41B3-B16A-34C832DB214C}\TypeLib\ = "{8392AEE0-DA0B-40F7-A296-C4C5A6937B28}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77D32DB4-F032-4C17-A4D4-02379214F723}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\TypeLib	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CLSID	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.SBarCtrl"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17E7CFDF-240E-4B01-BB78-5CFD895B4467}\ = "_clsHwnd"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D467C75-15E4-456E-A127-5727E0B91A06}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEE04923-F414-4EF1-9E42-949F71C8B347}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23325226-DB03-4112-B6ED-2D3B0DBA712C}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\InprocServer32	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ThreadingModel = "Apartment"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC130FB0-7B69-4097-9C98-4BB437AB62BC}\TypeLib\Version = "7.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2BAFF457-D4A7-4C68-B96B-AE0DD37E4BF6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6FD63FF-9A04-405B-B8E5-9E265C6C60A0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAEACA6B-7EF9-4256-8B0A-28DB58C0CE0A}\ = "__cPalette"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSCOMCTL.OCX"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}\InprocServer32	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}	Karaoke Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62032854-5345-4C30-82E5-A02C6FDA9DA3}\Implemented Categories	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A27BF6D1-5AC9-4CA7-B88F-C2139841E7A5}\ = "AlphaDIB.clsString"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7262EB07-AF04-4D8F-9966-05ED6E36C657}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ = "IColumnHeader"	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B38434C2-277B-425E-8F76-928FF6FC5111}\ = "cColourReduceDIB"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1211353-8E94-11D1-8808-00C04FC2C602}\VersionIndependentProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EB2E8A9-1501-4E7F-8B90-DC00C28DF943}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AlphaDIB.cProgressBar	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib	Karaoke Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60819406-3CCE-11D2-A800-008048E89E3E}\TypeLib\ = "{60819404-3CCE-11D2-A800-008048E89E3E}"	Karaoke Player.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3724	Karaoke Player.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3724	Karaoke Player.exe
Token: SeCreatePagefilePrivilege	3724	Karaoke Player.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3724	Karaoke Player.exe
3724	Karaoke Player.exe
3724	Karaoke Player.exe
3724	Karaoke Player.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 4452	3724	Karaoke Player.exe	82
PID 3724 wrote to memory of 4452	3724	Karaoke Player.exe	82
PID 3724 wrote to memory of 4452	3724	Karaoke Player.exe	82
PID 3724 wrote to memory of 2848	3724	Karaoke Player.exe	83
PID 3724 wrote to memory of 2848	3724	Karaoke Player.exe	83
PID 3724 wrote to memory of 2848	3724	Karaoke Player.exe	83

C:\Users\Admin\AppData\Local\Temp\Karaoke Player.exe
"C:\Users\Admin\AppData\Local\Temp\Karaoke Player.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s "C:\Windows\system32\AlphaDIB.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4452
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s "C:\Windows\system32\dx7vb.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x4b0
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Windows\SysWOW64\AlphaDIB.dll

Filesize
740KB

MD5
08f61aa236190c5ae82ac2025312fc67

SHA1
17561c1bc8526a14e19168ac2e72000874250e40

SHA256
45d06642016f4037ae707a1ed07546cdfa679ab96b9bb2c808b8c846334a7a88

SHA512
057ab52f42c2678cd4597cbd1df39e43809c00420a0086a11d812cf7e7e0f85feb75fe818cf7ce5f70a518589200caa4e2b27b41cb9c8de3ba418e468328c85f

Download Submit
C:\Windows\SysWOW64\dx7vb.dll

Filesize
604KB

MD5
6cae2684d2d48c68b508f494c44a88a3

SHA1
f7cd95b1cea79dc5a861cb8a18244b34a1bd0b38

SHA256
d8e1d644db690b5169a1deba1697d3fb3a93e2bfbc56c6ff6ed564d5022cd9d6

SHA512
d836578e50a54eb05b5bef1fd993cd494432860b3c408c0b099a213d107fa07951aee83ffdd8f782753538a5f7f4f9ac055d96e07fcf27b9fe8cb11a1824d505

Download Submit
memory/3724-13-0x0000000008A20000-0x0000000008A83000-memory.dmp

Filesize
396KB

Download
memory/3724-17-0x0000000008A90000-0x0000000008AB1000-memory.dmp

Filesize
132KB

Download
memory/3724-21-0x0000000008AC0000-0x0000000008B0B000-memory.dmp

Filesize
300KB

Download