c5605d9911aa7c3308efe16370be500922f04189efe6389e13702181a6c44689

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 06:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MSI APP Player.exe
Size

1.1MB
MD5

5570243405835e8f74dded31569a7662
SHA1

e8f45e855f9e6c3137f57e8fe1a0cc661eccb89a
SHA256

c5605d9911aa7c3308efe16370be500922f04189efe6389e13702181a6c44689
SHA512

d79b447a4d0d6b17a93924cf90fe6a37cdd86e9cd0dc0b754904b79e364635712cb521364f2f798a5c71b1e06bbe3e3d6c0b5272447ecabd38344214254012c4
SSDEEP

24576:+ivtCX8jElikZ3NzhXV0Oy5zCsP2/KzmwpSeqZUjAiH8KT0fEy:rtCX8ol9XxV07zCumRKny

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MSI APP Player.exe

Executes dropped EXE 3 IoCs

pid	Process
2656	BlueStacksInstaller.exe
948	HD-CheckCpu.exe
4872	HD-CheckCpu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe
2656	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2656	4360	MSI APP Player.exe	85
PID 4360 wrote to memory of 2656	4360	MSI APP Player.exe	85
PID 2656 wrote to memory of 948	2656	BlueStacksInstaller.exe	87
PID 2656 wrote to memory of 948	2656	BlueStacksInstaller.exe	87
PID 2656 wrote to memory of 948	2656	BlueStacksInstaller.exe	87
PID 2656 wrote to memory of 4872	2656	BlueStacksInstaller.exe	89
PID 2656 wrote to memory of 4872	2656	BlueStacksInstaller.exe	89
PID 2656 wrote to memory of 4872	2656	BlueStacksInstaller.exe	89

C:\Users\Admin\AppData\Local\Temp\MSI APP Player.exe
"C:\Users\Admin\AppData\Local\Temp\MSI APP Player.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\backicon.png

Filesize
778B

MD5
bb32b6c0cb2fd3b9329f0813e1b4239d

SHA1
241b75e5e21aa3e7a6aae5066de65d65db49651f

SHA256
77533707194f691af85e6c990d852b949c09018378c8f9d87763b54b1c118f67

SHA512
e3aa89c3ba19f4d0a26fc6f3fd725c5201f3609b7e3f91bd8fa1fe95aa8cfdac5d684893ccac3e81b290ad241c048264d12bb1c6aa4b9646e604879b54bb9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\checked_gray.png

Filesize
659B

MD5
f5273eda49f641257ccb5fc5235cee80

SHA1
ac2f52d7a0b34facc5cebf4745fb72e15c0e5c8d

SHA256
fc88b72393b58799ad747a988b76c1b9d8ce3dbaedfd0463e74d6a33be0878b6

SHA512
95457d926dbb7dbcd7c5b30fe6ec45634ab7c0f3dbd5820c8956d21d33a0f5feddc36e0d52d40abbb8b0ba07c005e4594dd56dab1cb278ee3104ec14d8ca921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\close_red.png

Filesize
1KB

MD5
3759fdf92c29556e5740a6282507e1f9

SHA1
23960cb0edd610083edd8f817c03add5e883453d

SHA256
8cd75e91be69cf7cc6e6979c14b394a11fe683be7b62d5163da1073bb568b7d9

SHA512
d0773ead77552514a2cd7fd7e55abe730579b4fab24981eb976ac43a821fc5a06ae02626e48dff83a58acb37db23d5527444faf5d4b7cb2fc78df33b065b80d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\close_red_click.png

Filesize
1KB

MD5
955cd2c28a755d5488987eebbf36b1b3

SHA1
3410385e88c9a7874fb69d677b5a5b505e83e721

SHA256
d2a45b8d92ddd7f4c6a9a21f22936fba0a2ffac101efeb98b9b14810de09fba0

SHA512
56f5cc10d1905e0bce0a1257054838d4e9575816dfe8b7ed7d35a5e623f7741f1d6df93e813149e11bee34ee7765802cea95e806aea0078c355cb4272d8e697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\close_red_hover.png

Filesize
883B

MD5
dd9e35ede730f30e85538e20525a8468

SHA1
cfc8335e766beabd46293d3c47eff04ae1a62360

SHA256
0b1d12bce748cdab6fb9550278e60eb993d74bf9ae877995c68099c3cda68a8a

SHA512
4d68bb75d51db32748aed70d19c5bcb68e1f1d047702ab48130f6105c27b751a47ad2c2ae9b96deef2966230cf9fc27342030bedf638b1d23ab24847bd05a9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\custom.png

Filesize
580B

MD5
07c7f00c7498d32e8045c1a0eda0727d

SHA1
bebf52df35cf5a95dd6ff5da778b83c5eafeb052

SHA256
8eaab641d186f93f50d2d2bbae6ac5b3c937ca30665bf916321a35c83253eca3

SHA512
142752b1ab40a23f654293a15e075321020322fc0f19efdab93e69716cc0ff5dc2148a83f7db149b7dcd8c30b7f542c0f89ac52bd50470e756b07b00ec78f5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\installer_bg.jpg

Filesize
353KB

MD5
49875ca1499a58b4ca9abda4d34adea5

SHA1
091155113dd5cf955211fd7a932ecba32f8bf136

SHA256
15bde105d61a562560d354614e0254dc4259000d8f610b32be8a965bf26829ca

SHA512
08cf0ce98b4c31f5879789f9458f14526fa3483096efd5feeca0f9b477456d80eb542a1e2f5823593e6d7d4d9d106bae0a7a7f096bacb638ee6fcfc67e13623a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\installer_logo.png

Filesize
19KB

MD5
7ad11e07d8f30571debb2a69f77833c2

SHA1
6351d8968889c6a636abafa2a989b788fd477822

SHA256
fe59d96de7342bcbfea62564e92d8e27530fc52c16399399be5f1d6c45340246

SHA512
7bc37d326a0d0fcf80231b2e69f3491f7ea8a714fa70b91d5606f9a03054b2c9113b4caf5bb5c980f53c5c73a769a11d1634660cd7c1e1e213124d6b55b2fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\installer_minimize.png

Filesize
157B

MD5
857bcef475b0d4c1d669bf47a143e85e

SHA1
072746be2f79c9571ec9b7e3b702a8cdef5a2b66

SHA256
8e6e37b79756bfebb943d51d3571926fe4992748c4a673bbb6d78b22e87bc7f6

SHA512
b7e236edefe3f4aceefd912f2b6cfcecee034125ff082d3bac5fdf6db57c89dc2dfb4a96897529aed8834a423529680cc0ba1c94d497eb8d9c4f450ff70cf79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\setpath.png

Filesize
355B

MD5
f4c65de79fb292fd6104eb1a160ca09b

SHA1
52173df03e93433d88b50ebcd7d3bdbc32bd4165

SHA256
9ea14db4e8d39be52c9b55a39119d5f95dc331a0559d38de44fd8e72e8677718

SHA512
db4bca2ed5582efe9ca27ec67bff59ed2a66c471dc4e4247818e3b79838b57a00cd69d92b709c3a7e0628d7c9e9508335aff877279d30741de18226f0626dced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Assets\unchecked_gray.png

Filesize
321B

MD5
8b3031b63549708b7ef422da8dfc42a5

SHA1
46407a76af6ac9887a15bd682533922c4b2d09da

SHA256
8355a9b447991ed53c3e1c768f397b622f9535faadb26913e4f2298cc3621c5c

SHA512
97b2fe161483b90abafc0bff3e4839f357aa3c0765b1d5d54e5210fcd9d543480eb4ff3671f2706def344ccc83548fe8d064b9ba1bb15abae9e718b87b91298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe

Filesize
576KB

MD5
25672929ecf0e64bcdbd89d6d5df7785

SHA1
b5310cecad2d88ec92df716ebe34251e720f6adc

SHA256
446345af3cc6537997659c227e52a990cf085d9805433ac80fb386057c17382d

SHA512
fb48c6769a9244b246dde0264039e5d68c4ab9b45fe40a7cfe337dbf6c4bdda02e4e75214b680da4f0bcbec6179ebc5b307ca289ce855c144f03c34a63633102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe

Filesize
576KB

MD5
25672929ecf0e64bcdbd89d6d5df7785

SHA1
b5310cecad2d88ec92df716ebe34251e720f6adc

SHA256
446345af3cc6537997659c227e52a990cf085d9805433ac80fb386057c17382d

SHA512
fb48c6769a9244b246dde0264039e5d68c4ab9b45fe40a7cfe337dbf6c4bdda02e4e75214b680da4f0bcbec6179ebc5b307ca289ce855c144f03c34a63633102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe

Filesize
576KB

MD5
25672929ecf0e64bcdbd89d6d5df7785

SHA1
b5310cecad2d88ec92df716ebe34251e720f6adc

SHA256
446345af3cc6537997659c227e52a990cf085d9805433ac80fb386057c17382d

SHA512
fb48c6769a9244b246dde0264039e5d68c4ab9b45fe40a7cfe337dbf6c4bdda02e4e75214b680da4f0bcbec6179ebc5b307ca289ce855c144f03c34a63633102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\Locales\i18n.en-US.txt

Filesize
14KB

MD5
d6ea93131e5a355199e1971251644960

SHA1
ba2fe9a990d79aed9218528449ee7edff2b76b06

SHA256
00fdd7e83dd77a977506aef679eb73b7d127e05207e08af51b6a88b9b10d631a

SHA512
0b978b510f01c108de079b92354b0fc7e7e05d1fbdfd73f60dc0ab2228daee34df4486c344bd7f80a213bce489dfd466362ec7113d3d713f2fa3d6a94227d4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS801C2936\ThemeFile

Filesize
78KB

MD5
710068e25bcd44649dedcadce58654c8

SHA1
d6b0655b96c2e05614f6b7f70af9c60134989699

SHA256
a30b83e8c303d0a7f6fd9301a95795325f4d6b519adcd73301ff1f3e03caec35

SHA512
f8a749d87cafbe043ed84f4227634da8411fe6bc024e0ee6b875a40bc679fa3a66c1e6bf97ab574c40014b2fdad2c76616e8307d485d10c7555c9d870d17f161

Download Submit
memory/2656-255-0x000000001E0F0000-0x000000001E618000-memory.dmp

Filesize
5.2MB

Download
memory/2656-263-0x0000000020A30000-0x0000000020A3E000-memory.dmp

Filesize
56KB

Download
memory/2656-262-0x0000000020A60000-0x0000000020A98000-memory.dmp

Filesize
224KB

Download
memory/2656-276-0x00000000220E0000-0x00000000220E8000-memory.dmp

Filesize
32KB

Download
memory/2656-261-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-278-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-279-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-280-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-281-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-282-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-256-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-251-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/2656-250-0x000000001D010000-0x000000001D078000-memory.dmp

Filesize
416KB

Download
memory/2656-248-0x00000000009E0000-0x0000000000A74000-memory.dmp

Filesize
592KB

Download