| File name: | UninstallBlueStacksServices.exe |
| Full analysis: | https://app.any.run/tasks/e398917d-8d1d-498c-a2bc-ad1483311e91 |
| Verdict: | Malicious activity |
| Analysis date: | August 06, 2024, 20:06:31 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | A5B90F557B45C1398FE648E4377BAE9B |
| SHA1: | 65E051D4FAECC72528C77064B6C7B23FB419F04F |
| SHA256: | A4BD67571BCBA77ED3F5A4EBB2E2FFBC3D2320D8BF8B4B1FAE2CA668AF2149B8 |
| SSDEEP: | 6144:GhprwSPArCIdEJZYl9z5iOriEcOnwZoIRMWmdmWtHH92SeSCC4YM64O8tHnIuNFE:LSIrCFZYFjriKnwNRo94HxYM64O85nqr |
MALICIOUS
Drops the executable file immediately after the start
- UninstallBlueStacksServices.exe (PID: 6400)
- Un_A.exe (PID: 6428)
SUSPICIOUS
Executable content was dropped or overwritten
- UninstallBlueStacksServices.exe (PID: 6400)
- Un_A.exe (PID: 6428)
Starts itself from another location
- UninstallBlueStacksServices.exe (PID: 6400)
Malware-specific behavior (creating "System.dll" in Temp)
- Un_A.exe (PID: 6428)
The process creates files with name similar to system file names
- Un_A.exe (PID: 6428)
Get information on the list of running processes
- Un_A.exe (PID: 6428)
- cmd.exe (PID: 6460)
- cmd.exe (PID: 6640)
Starts CMD.EXE for commands execution
- Un_A.exe (PID: 6428)
Reads the date of Windows installation
- Un_A.exe (PID: 6428)
Reads security settings of Internet Explorer
- Un_A.exe (PID: 6428)
Checks Windows Trust Settings
- Un_A.exe (PID: 6428)
INFO
Checks supported languages
- UninstallBlueStacksServices.exe (PID: 6400)
- Un_A.exe (PID: 6428)
Create files in a temporary directory
- UninstallBlueStacksServices.exe (PID: 6400)
- Un_A.exe (PID: 6428)
Process checks computer location settings
- Un_A.exe (PID: 6428)
Reads the computer name
- Un_A.exe (PID: 6428)
Checks proxy server information
- Un_A.exe (PID: 6428)
Reads the software policy settings
- Un_A.exe (PID: 6428)
Reads the machine GUID from the registry
- Un_A.exe (PID: 6428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.0.9.173 |
| ProductVersionNumber: | 3.0.9.173 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | now.gg, Inc. |
| FileDescription: | - |
| FileVersion: | 3.0.9.173 |
| LegalCopyright: | Copyright © 2024 now.gg, Inc. |
| ProductName: | BlueStacks Services |
| ProductVersion: | 3.0.9 |
Total processes
128
Monitored processes
10
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6400 | "C:\Users\admin\Desktop\UninstallBlueStacksServices.exe" | C:\Users\admin\Desktop\UninstallBlueStacksServices.exe | explorer.exe | ||||||||||||
User: admin Company: now.gg, Inc. Integrity Level: MEDIUM Exit code: 0 Version: 3.0.9.173 Modules
| |||||||||||||||
| 6428 | "C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe" _?=C:\Users\admin\Desktop\ | C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe | UninstallBlueStacksServices.exe | ||||||||||||
User: admin Company: now.gg, Inc. Integrity Level: MEDIUM Exit code: 0 Version: 3.0.9.173 Modules
| |||||||||||||||
| 6460 | cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe" | C:\Windows\SysWOW64\cmd.exe | — | Un_A.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6472 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6520 | tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq BlueStacksServices.exe" | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6540 | find "BlueStacksServices.exe" | C:\Windows\SysWOW64\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6640 | cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe" | C:\Windows\SysWOW64\cmd.exe | — | Un_A.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6648 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6696 | tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq BlueStacksServices.exe" | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6704 | find "BlueStacksServices.exe" | C:\Windows\SysWOW64\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 494
Read events
7 480
Write events
13
Delete events
1
Modification events
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 93 | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\BlueStacksServicesBackup |
| Operation: | write | Name: | Guid |
Value: | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | electron.app.BlueStacks Services |
Value: | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6428) Un_A.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
6
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6400 | UninstallBlueStacksServices.exe | C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Un_A.exe | executable | |
MD5:A5B90F557B45C1398FE648E4377BAE9B | SHA256:A4BD67571BCBA77ED3F5A4EBB2E2FFBC3D2320D8BF8B4B1FAE2CA668AF2149B8 | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\bcb51d62a1f81b90.automaticDestinations-ms | binary | |
MD5:6D7F26336E75CE2D1F825A6AA860F103 | SHA256:AAF43A5E16A45BD711EDE8522B6C26FE55D8B184332D818DD25F2FB04AF921F5 | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Local\Temp\nsx5B8A.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Local\Temp\nsx5B8A.tmp\INetC.dll | executable | |
MD5:38CAA11A462B16538E0A3DAEB2FC0EAF | SHA256:ED04A4823F221E9197B8F3C3DA1D6859FF5B176185BDE2F1C923A442516C810A | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\e8900c7166a64cf3.automaticDestinations-ms | binary | |
MD5:D9D1AD40334C30B5BC7A55C94E114B20 | SHA256:1879ABF561499F1DA7431FF7BD5D245C6605B51A75EDCE472A590AF1356A77DB | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Local\Temp\nsx5B8A.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Local\Temp\nsx5B8A.tmp\nsExec.dll | executable | |
MD5:EC0504E6B8A11D5AAD43B296BEEB84B2 | SHA256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962 | |||
| 6428 | Un_A.exe | C:\Users\admin\AppData\Local\Temp\nsx5B8A.tmp\WinShell.dll | executable | |
MD5:1CC7C37B7E0C8CD8BF04B6CC283E1E56 | SHA256:9BE85B986EA66A6997DDE658ABE82B3147ED2A1A3DCB784BB5176F41D22815A6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
14
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 200 | 34.96.124.47:443 | https://wallet.now.gg/api/v1/client-uninstalled | unknown | binary | 27 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5796 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1060 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6428 | Un_A.exe | 34.96.124.47:443 | wallet.now.gg | GOOGLE | US | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5796 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
wallet.now.gg |
| unknown |