9b3f987be111cd16e2d92fa3d2114bff029028803ee5f9604eb1ebc2e86d7e0e

Analysis

max time kernel
54s
max time network
65s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-12-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Twitch.Recover.Setup.exe
Size

42.2MB
MD5

09dc03237e26795428b52ec363f9af28
SHA1

82971df7d3ddfd7625a7d7e14fe8826a31724ef0
SHA256

9b3f987be111cd16e2d92fa3d2114bff029028803ee5f9604eb1ebc2e86d7e0e
SHA512

1335299ec5faf987541681b6b6b4a724484d2b0db3bd2d7ef8b40d1d146900aa04898bfdd5db491cfdcb203056d3a2a731848460e22e740eb8f3e21c2febbfff
SSDEEP

786432:qK9z6e33FZzYy/HuScynztMSk71hXTVI02Od+Dy/xkFS1OgFv2Y4w3:vk23FZzYupMB71hBIkdIbS1Tv2Y4w3

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4708	Twitch.Recover.Setup.tmp
1352	Twitch Recover.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Twitch Recover\is-NL248.tmp	Twitch.Recover.Setup.tmp
File created	C:\Program Files (x86)\Twitch Recover\is-CEL86.tmp	Twitch.Recover.Setup.tmp
File opened for modification	C:\Program Files (x86)\Twitch Recover\unins000.dat	Twitch.Recover.Setup.tmp
File opened for modification	C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe	Twitch.Recover.Setup.tmp
File created	C:\Program Files (x86)\Twitch Recover\unins000.dat	Twitch.Recover.Setup.tmp
File created	C:\Program Files (x86)\Twitch Recover\is-8EDEU.tmp	Twitch.Recover.Setup.tmp
File created	C:\Program Files (x86)\Twitch Recover\is-BB684.tmp	Twitch.Recover.Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4708	Twitch.Recover.Setup.tmp
4708	Twitch.Recover.Setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4708	Twitch.Recover.Setup.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4708	2716	Twitch.Recover.Setup.exe	66
PID 2716 wrote to memory of 4708	2716	Twitch.Recover.Setup.exe	66
PID 2716 wrote to memory of 4708	2716	Twitch.Recover.Setup.exe	66
PID 4708 wrote to memory of 1352	4708	Twitch.Recover.Setup.tmp	68
PID 4708 wrote to memory of 1352	4708	Twitch.Recover.Setup.tmp	68
PID 4708 wrote to memory of 1352	4708	Twitch.Recover.Setup.tmp	68
PID 1352 wrote to memory of 3096	1352	Twitch Recover.exe	71
PID 1352 wrote to memory of 3096	1352	Twitch Recover.exe	71

C:\Users\Admin\AppData\Local\Temp\Twitch.Recover.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Twitch.Recover.Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\is-QESLB.tmp\Twitch.Recover.Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QESLB.tmp\Twitch.Recover.Setup.tmp" /SL5="$90060,43433549,780800,C:\Users\Admin\AppData\Local\Temp\Twitch.Recover.Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe
    "C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe"
      4⤵
      PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe

Filesize
41.0MB

MD5
377150240c4dad8159447f31a5008dab

SHA1
7224723226400910f3e448562ff781b61ec9a6ff

SHA256
abf42b3c9d9f00c5a33b57be7e618a9ab760d2a6f8e53f7ae3b6120a4b80b5c2

SHA512
ab55fc42db3d64388fdc2fa1cadb99dc60f82e3bee4f55c05086b6cce9294a16c770cd2d1221504a7d429fe1137c7dee7579ac2c065367f946b2e301079b433a

Download Submit
C:\Program Files (x86)\Twitch Recover\Twitch Recover.exe

Filesize
41.0MB

MD5
377150240c4dad8159447f31a5008dab

SHA1
7224723226400910f3e448562ff781b61ec9a6ff

SHA256
abf42b3c9d9f00c5a33b57be7e618a9ab760d2a6f8e53f7ae3b6120a4b80b5c2

SHA512
ab55fc42db3d64388fdc2fa1cadb99dc60f82e3bee4f55c05086b6cce9294a16c770cd2d1221504a7d429fe1137c7dee7579ac2c065367f946b2e301079b433a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QESLB.tmp\Twitch.Recover.Setup.tmp

Filesize
2.9MB

MD5
4a3d95d9532d6dbf46dc3d4bdd807962

SHA1
a24bcdd166b46dedd3153ad99158f43be0443eb9

SHA256
ab82d4633a3ed92b1b1a5ed56f9865f9c820dfd1915b6006b02545b8e57d00a3

SHA512
62adfe4565d86ed038d42c22da6e63a2c64c9af55d39abf23c4baffbdb107c6f6cb7ee5d6d52e7d3ae4b7175c85877405bc95a42f908e494651aadd8936eb005

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QESLB.tmp\Twitch.Recover.Setup.tmp

Filesize
2.9MB

MD5
4a3d95d9532d6dbf46dc3d4bdd807962

SHA1
a24bcdd166b46dedd3153ad99158f43be0443eb9

SHA256
ab82d4633a3ed92b1b1a5ed56f9865f9c820dfd1915b6006b02545b8e57d00a3

SHA512
62adfe4565d86ed038d42c22da6e63a2c64c9af55d39abf23c4baffbdb107c6f6cb7ee5d6d52e7d3ae4b7175c85877405bc95a42f908e494651aadd8936eb005

Download Submit
memory/1352-226-0x0000000000000000-mapping.dmp

Download
memory/2716-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-149-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2716-152-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2716-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-213-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2716-250-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2716-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3096-268-0x0000000000000000-mapping.dmp

Download
memory/3096-279-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/3096-277-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/4708-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-156-0x0000000000000000-mapping.dmp

Download
memory/4708-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download