ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
Size

1.1MB
MD5

98341684249edae864b1ed61c1b0fd7c
SHA1

788c46a8814f5f39e56aa408711179bab5be398f
SHA256

ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7
SHA512

1c7695754dfa5ebe0a06023ba4795571e68cd02ffa30c2648633aec468dc4aacef59b281e10fe86401d0eeca4d36f64a3e32cdb697afa6e780c6ddb8eb588f58
SSDEEP

24576:HivtCX8jrlikZ3NzhXV0Oy5zCsP2/KzFazfA4hUlIiKPQk/sy:CtCX8nl9XxV07zCukz4BwUy

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe

Executes dropped EXE 3 IoCs

pid	Process
3668	BlueStacksInstaller.exe
2268	HD-CheckCpu.exe
3596	HD-CheckCpu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 3668	4340	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe	87
PID 4340 wrote to memory of 3668	4340	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe	87
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95

C:\Users\Admin\AppData\Local\Temp\ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
"C:\Users\Admin\AppData\Local\Temp\ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\backicon.png

Filesize
778B

MD5
bb32b6c0cb2fd3b9329f0813e1b4239d

SHA1
241b75e5e21aa3e7a6aae5066de65d65db49651f

SHA256
77533707194f691af85e6c990d852b949c09018378c8f9d87763b54b1c118f67

SHA512
e3aa89c3ba19f4d0a26fc6f3fd725c5201f3609b7e3f91bd8fa1fe95aa8cfdac5d684893ccac3e81b290ad241c048264d12bb1c6aa4b9646e604879b54bb9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\checked_gray.png

Filesize
659B

MD5
f5273eda49f641257ccb5fc5235cee80

SHA1
ac2f52d7a0b34facc5cebf4745fb72e15c0e5c8d

SHA256
fc88b72393b58799ad747a988b76c1b9d8ce3dbaedfd0463e74d6a33be0878b6

SHA512
95457d926dbb7dbcd7c5b30fe6ec45634ab7c0f3dbd5820c8956d21d33a0f5feddc36e0d52d40abbb8b0ba07c005e4594dd56dab1cb278ee3104ec14d8ca921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\close_red.png

Filesize
1KB

MD5
3759fdf92c29556e5740a6282507e1f9

SHA1
23960cb0edd610083edd8f817c03add5e883453d

SHA256
8cd75e91be69cf7cc6e6979c14b394a11fe683be7b62d5163da1073bb568b7d9

SHA512
d0773ead77552514a2cd7fd7e55abe730579b4fab24981eb976ac43a821fc5a06ae02626e48dff83a58acb37db23d5527444faf5d4b7cb2fc78df33b065b80d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\custom.png

Filesize
580B

MD5
07c7f00c7498d32e8045c1a0eda0727d

SHA1
bebf52df35cf5a95dd6ff5da778b83c5eafeb052

SHA256
8eaab641d186f93f50d2d2bbae6ac5b3c937ca30665bf916321a35c83253eca3

SHA512
142752b1ab40a23f654293a15e075321020322fc0f19efdab93e69716cc0ff5dc2148a83f7db149b7dcd8c30b7f542c0f89ac52bd50470e756b07b00ec78f5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_bg.jpg

Filesize
353KB

MD5
49875ca1499a58b4ca9abda4d34adea5

SHA1
091155113dd5cf955211fd7a932ecba32f8bf136

SHA256
15bde105d61a562560d354614e0254dc4259000d8f610b32be8a965bf26829ca

SHA512
08cf0ce98b4c31f5879789f9458f14526fa3483096efd5feeca0f9b477456d80eb542a1e2f5823593e6d7d4d9d106bae0a7a7f096bacb638ee6fcfc67e13623a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_logo.png

Filesize
19KB

MD5
7ad11e07d8f30571debb2a69f77833c2

SHA1
6351d8968889c6a636abafa2a989b788fd477822

SHA256
fe59d96de7342bcbfea62564e92d8e27530fc52c16399399be5f1d6c45340246

SHA512
7bc37d326a0d0fcf80231b2e69f3491f7ea8a714fa70b91d5606f9a03054b2c9113b4caf5bb5c980f53c5c73a769a11d1634660cd7c1e1e213124d6b55b2fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_minimize.png

Filesize
157B

MD5
857bcef475b0d4c1d669bf47a143e85e

SHA1
072746be2f79c9571ec9b7e3b702a8cdef5a2b66

SHA256
8e6e37b79756bfebb943d51d3571926fe4992748c4a673bbb6d78b22e87bc7f6

SHA512
b7e236edefe3f4aceefd912f2b6cfcecee034125ff082d3bac5fdf6db57c89dc2dfb4a96897529aed8834a423529680cc0ba1c94d497eb8d9c4f450ff70cf79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\setpath.png

Filesize
355B

MD5
f4c65de79fb292fd6104eb1a160ca09b

SHA1
52173df03e93433d88b50ebcd7d3bdbc32bd4165

SHA256
9ea14db4e8d39be52c9b55a39119d5f95dc331a0559d38de44fd8e72e8677718

SHA512
db4bca2ed5582efe9ca27ec67bff59ed2a66c471dc4e4247818e3b79838b57a00cd69d92b709c3a7e0628d7c9e9508335aff877279d30741de18226f0626dced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\unchecked_gray.png

Filesize
321B

MD5
8b3031b63549708b7ef422da8dfc42a5

SHA1
46407a76af6ac9887a15bd682533922c4b2d09da

SHA256
8355a9b447991ed53c3e1c768f397b622f9535faadb26913e4f2298cc3621c5c

SHA512
97b2fe161483b90abafc0bff3e4839f357aa3c0765b1d5d54e5210fcd9d543480eb4ff3671f2706def344ccc83548fe8d064b9ba1bb15abae9e718b87b91298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe

Filesize
599KB

MD5
bb2236d5046a01067d4be45e5a188900

SHA1
da71f9f9b3d6b5eb3bc63a43bb21d6ca6aa94846

SHA256
b1c4692a370d1871a77d4308d2c65f5507168caf0508e14d9b12bea218f4ba84

SHA512
7cf34504b82248275049e272e1afaa5f47d3981f656d7cb9e4791f63823b2dceeadee9f51ada834e7f41467195b93fbc05747067e9786b921787c8fb5c621b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Locales\i18n.en-US.txt

Filesize
18KB

MD5
2e67781c074a702af42f2c2259a9e94d

SHA1
c40ec186835abd9e8cd1976b0005e57e17c672f2

SHA256
858f09be7e462198c0e77b2b84de544158789f53eff200be78eab70a6acadd1a

SHA512
4adbf7cb6f1621ed1d3904beaad55eb5229475c9007c7ba41720d9dcc9b3f63c849b9a5cd9aaf86c5a063693b80c1b39fdf41eb2b026f35cd15a5d92d5ce843a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\ThemeFile

Filesize
79KB

MD5
51e4b1a661b3e96697b54899cb2317de

SHA1
1cacf6e055023cd2cd7100e2537a6d2dee7d9a84

SHA256
87bbd881c9603d6032564b787a85a1c040fc1a2c216f25a1b0b62e26fedcdf69

SHA512
55dbe855478a32ba78f15b0611847f609279fe262a7940c024a09378d58e1b84397038847aad03cd113ab5d1e4026fb323fb07d3024e0470f40eefa18949e7d3

Download Submit
memory/3668-119-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-133-0x000000001DAF0000-0x000000001DB28000-memory.dmp

Filesize
224KB

Download
memory/3668-129-0x000000001DCA0000-0x000000001E1C8000-memory.dmp

Filesize
5.2MB

Download
memory/3668-128-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-127-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-134-0x000000001DAC0000-0x000000001DACE000-memory.dmp

Filesize
56KB

Download
memory/3668-118-0x000000001C9D0000-0x000000001CA38000-memory.dmp

Filesize
416KB

Download
memory/3668-116-0x00000000003E0000-0x000000000047A000-memory.dmp

Filesize
616KB

Download
memory/3668-144-0x00000000218A0000-0x00000000218A8000-memory.dmp

Filesize
32KB

Download
memory/3668-115-0x00007FFBF6D53000-0x00007FFBF6D55000-memory.dmp

Filesize
8KB

Download
memory/3668-146-0x00007FFBF6D53000-0x00007FFBF6D55000-memory.dmp

Filesize
8KB

Download
memory/3668-147-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-148-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download