General

  • Target

    BlueStacksInstaller_5.21.600.1019_native_f144868cd72d8fda38c8a95ec9934541_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe

  • Size

    913KB

  • Sample

    241110-n4jygawgpf

  • MD5

    86b016ee6a71a5219f56779885f691ef

  • SHA1

    1a40a93403e1004f7f8033c5afee8196db16700a

  • SHA256

    a56fd8aa5ffdaddaf58e4fbe8cbb2359fd11f2a93f34d9d0df610baf96972207

  • SHA512

    9f9860782ad93a3a43a9d4509635ac5a08317d3ee60ae314ebdaf4b61855c0a697ca0e5561b5452040763bec719394baaaa1ac4c23c00842be4806ab4dde42a7

  • SSDEEP

    12288:tivtCXQd0gjKX7zuqGKY5Ha3z1cNoaMq+zfxUEwOwGPaGb4hmsLBeJs0RXfGPtRF:tivtCXWeGKY81Oq8wX5RXfGPTSKdvaU

Malware Config

Targets

    • Creates new service(s)

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Possible privilege escalation attempt

    • Stops running service(s)

    • A potential corporate email address has been identified in the URL: [email protected]/20241110/auto/storage/goog4_request

    • Modifies file permissions

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies Windows Firewall

    • Deletes itself

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks