General
- Target: karaoke5.exe
- Size: 180.7MB
- Sample: 241011-q65zts1alk
- MD5: 8d2bdf55315f0be3e666145498d2ce3e
- SHA1: 574ca6cc08ad1b774d082f85434518c6d5159250
- SHA256: 8cbae35dac51d159a39f944c43e19501ff9fb1c9b4dc701034854358966a6ffc
- SHA512: 2af85393532b8e6816f9a72859e93c38eedd04c5740ec8cfd65ff2eea79c5b5e99fa1648cededb0318f2b00f6c80f458c7822cb0c66012ce10a066cc3e9b4726
- SSDEEP: 3145728:63M8aju2kDIU2mMtnPBACvGeVom9jd+xAlSzy6vdQhMDeljwJPQs+4SSxlU+JN/U:TZuTDIVmAACvyKcx9zygdCiKwJ4CSS/U
Static task: static1
Malware Config
Targets
- Target: karaoke5.exe
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Modifies file permissions
- Adds Run key to start application
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
- Legitimate hosting services abused for malware hosting/C2
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (number in parentheses is the hit count for each technique)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)

Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (9)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (8)
- System Location Discovery (1)
  - System Language Discovery (1)
- Virtualization/Sandbox Evasion (1)