e76bd787522dd552ffdd17ba084742aab0867a9efb01a83a5469d52adf886002

Analysis

max time kernel
106s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacksMicroInstaller_4.90.0.8006_native.exe
Size

847KB
MD5

42b859558987266c2854f9b61641aee3
SHA1

11a08b07c81b5ef783a92ad3fd2d9c8738979f2c
SHA256

e76bd787522dd552ffdd17ba084742aab0867a9efb01a83a5469d52adf886002
SHA512

f805a7a30fc655f4d1c552b09abae34dd01bb8c5146f2601c0f65c2983a4e2827d5b1c218251dbfec89749411b1a86d7128784b2176e71dc0883622e49d6f2ea
SSDEEP

24576:McVkKS/WtWrnngnnnKnanxNpGKmAVMbfubq7gJHaLIT:McB6WErnngnnnKnanzIDAVyfg1J6Lg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	BlueStacksMicroInstaller_4.90.0.8006_native.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
528	BlueStacksInstaller.exe
1348	BlueStacksInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
528	BlueStacksInstaller.exe
1348	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	BlueStacksInstaller.exe
Token: SeDebugPrivilege	1348	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 528	1852	BlueStacksMicroInstaller_4.90.0.8006_native.exe	88
PID 1852 wrote to memory of 528	1852	BlueStacksMicroInstaller_4.90.0.8006_native.exe	88
PID 528 wrote to memory of 1348	528	BlueStacksInstaller.exe	90
PID 528 wrote to memory of 1348	528	BlueStacksInstaller.exe	90

C:\Users\Admin\AppData\Local\Temp\BlueStacksMicroInstaller_4.90.0.8006_native.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksMicroInstaller_4.90.0.8006_native.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe" "install" "BlueStacksMicroInstaller_4.90.0.8006_native.exe" "null" "admin" "fb951a75-3a3f-4e18-931c-165b4228cafc" "1f5e82bf-56e9-4cd2-beb1-ce7fbe270591"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BlueStacks\BlueStacksMicroInstaller_4.90.0.8006.log

Filesize
506B

MD5
e563d9cbf2c68052a65319fb821628f1

SHA1
2e1a2c5aee2fb64204d63a43a9923a3ff41b1d1e

SHA256
3900aa972d75f11a5e5b9388e06fdb8e422e3783eb12359f6ddeb9a85f7e2dbd

SHA512
38932ec663e70408762ba01f07e627c2a4a0992c84b7b852c5a5e2b69ce8e4a59fe9f63e88dd0fe1f5e6621c99e8aaf6f2d7dce0e8ffc918e3ffaa0aceeee8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe

Filesize
464KB

MD5
5f69885ca0afd159897f10f5f416c94e

SHA1
cb87592b0964da993311fdaf9ce2095ef5aa9a06

SHA256
c8fe879e71e34754a93d98d6d2ad9aab188d608ee0bb37c0783aef3aa94d9e3e

SHA512
80ccfcf96c99355e94042fba8b0e7a2e9646d2d13b057cf31fdb3ab7670e9ac936112f18f858e40e613f4688a71f7cc09e91f9815654ece01f9d8f0316891b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe

Filesize
464KB

MD5
5f69885ca0afd159897f10f5f416c94e

SHA1
cb87592b0964da993311fdaf9ce2095ef5aa9a06

SHA256
c8fe879e71e34754a93d98d6d2ad9aab188d608ee0bb37c0783aef3aa94d9e3e

SHA512
80ccfcf96c99355e94042fba8b0e7a2e9646d2d13b057cf31fdb3ab7670e9ac936112f18f858e40e613f4688a71f7cc09e91f9815654ece01f9d8f0316891b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe

Filesize
464KB

MD5
5f69885ca0afd159897f10f5f416c94e

SHA1
cb87592b0964da993311fdaf9ce2095ef5aa9a06

SHA256
c8fe879e71e34754a93d98d6d2ad9aab188d608ee0bb37c0783aef3aa94d9e3e

SHA512
80ccfcf96c99355e94042fba8b0e7a2e9646d2d13b057cf31fdb3ab7670e9ac936112f18f858e40e613f4688a71f7cc09e91f9815654ece01f9d8f0316891b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe

Filesize
464KB

MD5
5f69885ca0afd159897f10f5f416c94e

SHA1
cb87592b0964da993311fdaf9ce2095ef5aa9a06

SHA256
c8fe879e71e34754a93d98d6d2ad9aab188d608ee0bb37c0783aef3aa94d9e3e

SHA512
80ccfcf96c99355e94042fba8b0e7a2e9646d2d13b057cf31fdb3ab7670e9ac936112f18f858e40e613f4688a71f7cc09e91f9815654ece01f9d8f0316891b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378F3A6\Locales\i18n.en-US.txt

Filesize
71KB

MD5
b171ff7d2f515bdaf5ba48d2f8a1048d

SHA1
8a28aab240191b4ee5a50742b9d458888e639f39

SHA256
999906bddb8d608ee7c6581b2117669a00a6094227fb7425741ce7e7a5478c55

SHA512
b765ab68d0e0f8c828edc8de40ee182bca2c6572efadd80ec8f8b7aabe594e02f45c8a0d7862bbaee8442bce8400bbb9e0833bd79be0d576975e4a1e5cfa8068

Download Submit
C:\Users\Public\BlueStacks\MachineID

Filesize
36B

MD5
93e8a5f6318f2533b55522060510b921

SHA1
058985907db271f5d4c0cc923ec6726f33aea5cd

SHA256
370e4992341b93a60c762ea78f5ca1e626149b0bd2045934599f8ca098dae7a1

SHA512
8e9f4b8ac8e9dff5ffe3a431b2abd6ffd669439d7b4752f6f0035068501fd4bb544e6e2775f418233320df3cc0d751f6b5495969a162e8d33bb2bf340bb22bfb

Download Submit
C:\Users\Public\BlueStacks\VersionMachineId_4.90.0.8006

Filesize
36B

MD5
066278b595dbabdf2be6e1aecc4459e9

SHA1
5a0d23c5828d70e53ae5e41e328c57718cf6d609

SHA256
50338fc1bc7b9dd90ea4ae6777fc0e629625014c7c529c6b163dbc7dee8af109

SHA512
100c81223d94372d91f38fc00f53c6d15f669a7859c6a7f889c075daf29b35543f0fc803b39eb1c6447600d899b9934221f05baf3d7f717a4986a98d5e73902e

Download Submit
memory/528-189-0x000000001D0E0000-0x000000001D0F0000-memory.dmp

Filesize
64KB

Download
memory/528-184-0x0000000000B90000-0x0000000000C08000-memory.dmp

Filesize
480KB

Download
memory/528-203-0x000000001D0E0000-0x000000001D0F0000-memory.dmp

Filesize
64KB

Download
memory/1348-196-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-198-0x000000001F910000-0x000000001F948000-memory.dmp

Filesize
224KB

Download
memory/1348-199-0x000000001F8C0000-0x000000001F8CE000-memory.dmp

Filesize
56KB

Download
memory/1348-197-0x000000001F860000-0x000000001F868000-memory.dmp

Filesize
32KB

Download
memory/1348-201-0x0000000021650000-0x00000000216B8000-memory.dmp

Filesize
416KB

Download
memory/1348-202-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-195-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-204-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-205-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-206-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1348-207-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download