Analysis

  • max time kernel
    209s
  • max time network
    196s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64
    arch:x86
    image:win10-20240404-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    15-06-2024 22:11

General

  • Target

    BluestacksInstaller.exe

  • Size

    80KB

  • MD5

    7a8057b88626b927138a6ac40016ff6d

  • SHA1

    beda666793500c73af8e4a73bf31d4831bda1a89

  • SHA256

    234d2f0fab4f2399ae1c4387e9dc58a19a3ea863d82c67ab1d90378b29e7748e

  • SHA512

    facc80950e636c0ef6b5bf703e9d19316d616735a7b6100c5a86897f0ee1d67668623eed5fed12a1086b85ceaadf9f8cfaddb0d2d0702b385e7a0ca5a0c5ce0b

  • SSDEEP

    768:YifC8qTvhE50tEIDPiKuukR7L1ptTfFWPt9e26cOMhFaB2hBC:YiTqTvhOYEIbiKuumnBFe9e26cOMX9A

Malware Config

Extracted

Family

xworm

Version

5.0

C2

19.ip.gl.ply.gg:14513

Mutex

333EKK7TuWsNmMLK

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BluestacksInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3404
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    1c5126a88f18a2255ddc46796ff622be

    SHA1

    d25c224aa05c5bd78709ac4b811ac18e0178017a

    SHA256

    5dcaaa9487d0c20115acbfe8a06e055ed881f2913474b458069b910eb96cc612

    SHA512

    d41fce8057bd644b7352399339bb2c3142dfc111106dafb4e440480390b95e0cd0e1186d6ec2ae22848573981a364aa63918d5f79d2e41e6033ad717eee5c7a9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    99465bc823dffa7b6cf4ab12493f0ef9

    SHA1

    580d0b4331c7fa80ec152497998426154f0ed746

    SHA256

    08d0b06cd602be558835408efad6e4ee341d8eba6f07a52ffa90966826b55f26

    SHA512

    8e613e17aa99eb97ddd1903a7efc26c1b2a28a87c0e57fc14caef6f926b3f03e85d41dda744daedb7e0e14d038a14b9662a73bf3c961333f923ad6888ace559c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    48acb6f0e652f08569766a6e0c46951d

    SHA1

    bfe0941dc0907d3f55c239ec92da088bd9e94e5f

    SHA256

    18883af382daefebd12c64012f173fd7daa6d7d1a1803b641034dfe27798a095

    SHA512

    e5ed2d1f6b0330bed494c7697ecb6e69e55d0ac22ee58c2c6408b261e3c547c72bdd08b10189def2d4f7376089572ffa4f9183082c70c3426d791596fbdef02e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ck1g2x2.4pt.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/3772-13-0x000001A89B2F0000-0x000001A89B312000-memory.dmp

    Filesize

    136KB

  • memory/3772-16-0x000001A89B4A0000-0x000001A89B516000-memory.dmp

    Filesize

    472KB

  • memory/4944-0-0x00007FFEEB413000-0x00007FFEEB414000-memory.dmp

    Filesize

    4KB

  • memory/4944-1-0x0000000000010000-0x000000000002A000-memory.dmp

    Filesize

    104KB