Overview

overview

10

Static

static

10

Bluestacks...er.exe

windows7-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    15/06/2024, 22:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    BluestacksInstaller.exe

  • Size

    80KB

  • MD5

    7a8057b88626b927138a6ac40016ff6d

  • SHA1

    beda666793500c73af8e4a73bf31d4831bda1a89

  • SHA256

    234d2f0fab4f2399ae1c4387e9dc58a19a3ea863d82c67ab1d90378b29e7748e

  • SHA512

    facc80950e636c0ef6b5bf703e9d19316d616735a7b6100c5a86897f0ee1d67668623eed5fed12a1086b85ceaadf9f8cfaddb0d2d0702b385e7a0ca5a0c5ce0b

  • SSDEEP

    768:YifC8qTvhE50tEIDPiKuukR7L1ptTfFWPt9e26cOMhFaB2hBC:YiTqTvhOYEIbiKuumnBFe9e26cOMX9A

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

19.ip.gl.ply.gg:14513

Mutex

333EKK7TuWsNmMLK

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2980

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          e399f27423f4b88339031ba75a1e1dfd

          SHA1

          d6636556e0950392d033613713cc50dfce7f40fb

          SHA256

          f6aac855661d4e0b39fe7886e3b392faaa0dfae4b6235e47df2bba23104d2e5a

          SHA512

          41d7d1005fca3c5a5883d2cf6329cb48dd12869971478443543f20a27b1b7f69f02dc0469ba98dd0e9a15bfb0531b2cc47c94c4c71332f732dfa60a912c61b04

          Download Submit

        • memory/2480-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2480-36-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2480-33-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2480-32-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2480-1-0x00000000011F0000-0x000000000120A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2508-9-0x0000000002790000-0x0000000002798000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2508-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2704-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2704-15-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2980-2-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2980-34-0x0000000002050000-0x0000000002060000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2980-35-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2980-3-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download