Analysis
-
max time kernel
91s -
max time network
98s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
15/06/2024, 22:01
Errors
General
-
Target
BluestacksInstaller.exe
-
Size
80KB
-
MD5
7a8057b88626b927138a6ac40016ff6d
-
SHA1
beda666793500c73af8e4a73bf31d4831bda1a89
-
SHA256
234d2f0fab4f2399ae1c4387e9dc58a19a3ea863d82c67ab1d90378b29e7748e
-
SHA512
facc80950e636c0ef6b5bf703e9d19316d616735a7b6100c5a86897f0ee1d67668623eed5fed12a1086b85ceaadf9f8cfaddb0d2d0702b385e7a0ca5a0c5ce0b
-
SSDEEP
768:YifC8qTvhE50tEIDPiKuukR7L1ptTfFWPt9e26cOMhFaB2hBC:YiTqTvhOYEIbiKuumnBFe9e26cOMX9A
Malware Config
Extracted
xworm
5.0
19.ip.gl.ply.gg:14513
333EKK7TuWsNmMLK
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe"C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe"1⤵
- UAC bypass
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BluestacksInstaller.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BluestacksInstaller.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\iaecxy.exe"C:\Users\Admin\AppData\Local\Temp\iaecxy.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mbr.exembr.exe4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"4⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exeerroricons.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exeINVERS.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.execrazywarningicons.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.execrazyinvers.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exeerroriconscursor.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exetoonel.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"4⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"4⤵
-
-
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /r /t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a24855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
512KB
MD58015461c323bf9c0f9ddeb665ab99d09
SHA1c76fb3bd5486db25b63c02bf7469f96f5d207601
SHA256d88157e5d52a20638560d89189655559ef44788522ed9301378014b1e97861c4
SHA512973b56f4dc3bacb902df6bff68dbdd1c7b2b7d9dd1447091f7bb54acb85fec3ad280612147c8cf495f2cb57e55a4cfc94fa446f85295739cab2861d6a28ce071
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
944B
MD5e3840d9bcedfe7017e49ee5d05bd1c46
SHA1272620fb2605bd196df471d62db4b2d280a363c6
SHA2563ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA51276adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
-
Filesize
944B
MD50873757e33b6db5e1f880560307d39ed
SHA15eeb90dd7214ce87c3a7da370d3883b8de1a523f
SHA256ffd4814d02b70970a6be70900bedcc0f1543c3b6707dddab6c808b32839db834
SHA512e21c1a7347e3c78590a9e8c76698af7ac1a70d929c5d1e190b480cdf5e8063cd575d3c9b8a6101cfc4424619100ab421bee5f3723385e79b63381c04281b0b8c
-
Filesize
944B
MD59030854a24cf37b7b4e3650aac67d427
SHA127f3e35705bbe6388da04bf97e09da1875a6bc71
SHA256e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0
SHA512f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd
-
Filesize
2.3MB
MD55134f289dbf4abae370e3f36b637b73e
SHA1c78d3f2d00dc47da0112a74df665c7a84a8e32c3
SHA256e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2
SHA5120bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5
-
Filesize
2.3MB
MD5a44458813e819777013eb3e644d74362
SHA12dd0616ca78e22464cf0cf68ef7915358a16f9ee
SHA25647f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
SHA5121a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215
-
Filesize
1.2MB
MD5e21bb4749a8b1b6fc26a7bcf57781836
SHA189cb0bd80d691ca650ad01551be3acefa2256ebd
SHA2560ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
SHA512b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b
-
Filesize
6.6MB
MD5fad2e8c2a096f4593a03a771bbe99458
SHA188af47f279b9ea008901a6a242466f40f44e8a5c
SHA256a40dd9aedae52766593bce06a9a68d47fcf8d430f254ce5e50b0c55587d46213
SHA5127b607d2927bfb5d2ae3da7ad40fc842f6c1cd12cbc8814a043950d65f50d8084aaa8a544fe51312e68bde9434b138c5c8df50568650658ed0600f447a4a32441
-
Filesize
316KB
MD57f31508d95be3fe50e4e9aa646e86a12
SHA1c61b439d6e17d630728f48c09b36af2647940748
SHA256994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
SHA5122e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda
-
Filesize
316KB
MD5135eeb256e92d261066cfd3ffd31fb3e
SHA15c275ffd2ab1359249bae8c91bebcab19a185e91
SHA256f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d
SHA512a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b
-
Filesize
47KB
MD58562ed46d745dceb3cc268693ca25c83
SHA1309067f0c9703084654495a47e67f7a40824700d
SHA256ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c
SHA51252f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b
-
Filesize
37B
MD535fbf9bf29760b9e120b37900b3c1343
SHA18a231c37ee13e72f27a38411668fde6fef3ff5bc
SHA256e1cdab59df6508013e8b91c71043c8ecfe81b94a037706147ed19adf992539e6
SHA512d1c12b6690c6b90dda5ad3e226e30adc848b3c324f929dec373ab6c7606fbcab716c49c4446efadf14036583924f8f094491bfe8bef380fd877c00cf9feaacc6
-
Filesize
37B
MD563954d8930e517637c254f9da0749e7a
SHA127f6a13c0e9530166d62b4586c3d2bda5cb5064c
SHA256bffa14678b8c39c2fbfa54b76fbac5f750aebc8dc2954da10a55b7f1f90f351c
SHA512dd5df6b8a64523fedb5aaced7d864013d12e6930015d8fd2267b11cffe76741c3a7907814a832ff7589476a51d16e8ab0fc566f4ac0784f6a599070080c7008d
-
Filesize
216B
MD5c36c15e1f99e1c0d093b9b089b1073c5
SHA147a237639f83d8de0c2034831ff3e12a3bad7408
SHA2563d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736
SHA5124283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f
-
Filesize
220B
MD599ee6716bf6dd074e52a923e74f9fa70
SHA142494346592ca59d2d895ec77d37d83ce2dbed1a
SHA256d51fd681ba6346842afe2f9cb7ae117cb667986af0c67e28664124173b183740
SHA5122179380ec9630dbce4f7637f4e6fe8164d61cb41c2d43be98d97a7116aa5d7a181a8bdb4ed3f3d147aaec9dd2152dd9a23e94e3a67c2bd7f12e4b205826b6732
-
Filesize
317KB
MD5a84257e64cfbd9f6c0a574af416bc0d1
SHA1245649583806d63abb1b2dc1947feccc8ce4a4bc
SHA256fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7
SHA5126fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7.8MB
MD51c33f964fbf5b3642d02e4b20ba6f2ac
SHA1dcec14364a4548ce394906487a37f98bb1d12198
SHA25610a45dc010df96cbd65bfd8a59e906ca5f98dd6f7541cf02bdfc17df8384bb8f
SHA512ea3268a85ff2dfe7c94c6eb670f4aa3a13ec3019cf47bbcfa7e31eaa48dea0c8ee7dd0ebd020785942063e8acee7e2df62cd0c1eadf46a0208ebea29e146462b
-
Filesize
336KB
-
Filesize
1.5MB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
568KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
1.3MB
-
Filesize
336KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
336KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB