3e708816fbbc73b2b3de8b8fdad8d0e5328e55d8f91f6acf6673d0c517a5a732

Resubmissions

23/02/2024, 21:48

240223-1nvq9aae3z 5

23/02/2024, 21:44

240223-1lzx7ahe79 5

Analysis

max time kernel
1731s
max time network
1165s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe
Size

910KB
MD5

137ba5b3972ec34519a73c9ce33fa437
SHA1

dd9dc2d0fb7e9554d24bb023fbf198dcaae1591e
SHA256

3e708816fbbc73b2b3de8b8fdad8d0e5328e55d8f91f6acf6673d0c517a5a732
SHA512

1614b37628cdb2112617bf5f65adfe63675285303db00f9ed36ea5f48fcef687e7462c452d01219b684ed21623353000796128e43e76dcdba69322f0d743b465
SSDEEP

24576:ZivtCXWeGKk9Txt9OkcfOT5+3S8L24ier33laL:EtCXWPtvz5cfid81iI1aL

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe

Executes dropped EXE 2 IoCs

pid	Process
4076	BlueStacksInstaller.exe
4188	HD-CheckCpu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4076	BlueStacksInstaller.exe
4076	BlueStacksInstaller.exe
4076	BlueStacksInstaller.exe
4076	BlueStacksInstaller.exe
4076	BlueStacksInstaller.exe
4076	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4076	1328	BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe	88
PID 1328 wrote to memory of 4076	1328	BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe	88
PID 4076 wrote to memory of 4188	4076	BlueStacksInstaller.exe	90
PID 4076 wrote to memory of 4188	4076	BlueStacksInstaller.exe	90
PID 4076 wrote to memory of 4188	4076	BlueStacksInstaller.exe	90

C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.10.7.1004_native_ce7831f0822d7ceda4024b72f1ac8b5b_MDs1LDM7MTUsMTsxNSw0OzE1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\7zS0350B087\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0350B087\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\7zS0350B087\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0350B087\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Assets\error_icon_72.png

Filesize
1KB

MD5
4aaf83d2b3fd56ad806708e60474df39

SHA1
144777a265879b69fadea3eb3ac6939458918578

SHA256
84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f

SHA512
3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Assets\link.png

Filesize
306B

MD5
ae2c73ee43d722c327c7fb6fdbee905c

SHA1
96f238bf53ac80f5b7a9ad6ef2531e8e3f274628

SHA256
28c0abc6bfe7a155815104883a37a53dd783d142300471064c95eddf3cae0eaf

SHA512
5a1e341f727cf1cb4832cced8e96c5a74971451629603c48bfb91ceb4561d0122ab9ae701f8b34681d5f13115a384467d430ccb8282494b40f4577ebc3ad825b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\BlueStacksInstaller.exe

Filesize
622KB

MD5
d806c620a28904ec2af48c213a562dc6

SHA1
878594aa27189f4b6703c0e8e3bffa3dc810faa7

SHA256
d2f0a40bf13d35a39b311cafa40653dc3c3da335bf5179e74babe79482e929c5

SHA512
5d980c3edbad0ad2ac010e65dcc14e81a8154c59d56cec4e98bc04e9f14f65dc4cf6ddfcd29f82ab020d6ea311dc0df1519a61092dcb9aee1df8f3e3c8c0d288

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\Locales\i18n.en-US.txt

Filesize
19KB

MD5
206562eed57e938afe21fc6942fa8e59

SHA1
779e90fec866c0fd2f47da020651db71c89ec3dd

SHA256
27d611a71edf36307a7ed0651f6c5910292ac7e2b68074a7e33d306b3d93ec45

SHA512
275c3192a7aee28fad31beb521cf5e7c66010e7562ce244ba9fc4de352f35b4ab63180ed12a56ea0b1458c185e076e2d07ba6d8797467177d3c5b2ac14371b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0350B087\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
memory/4076-128-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-127-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-132-0x000000001D830000-0x000000001DD58000-memory.dmp

Filesize
5.2MB

Download
memory/4076-135-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-137-0x000000001CE70000-0x000000001CEA8000-memory.dmp

Filesize
224KB

Download
memory/4076-138-0x000000001CE40000-0x000000001CE4E000-memory.dmp

Filesize
56KB

Download
memory/4076-120-0x00007FFDF4120000-0x00007FFDF4BE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-121-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-119-0x00000000007E0000-0x000000000087E000-memory.dmp

Filesize
632KB

Download
memory/4076-123-0x000000001B460000-0x000000001B4C8000-memory.dmp

Filesize
416KB

Download
memory/4076-143-0x00007FFDF4120000-0x00007FFDF4BE1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-144-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-145-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-146-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/4076-147-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download