86f230bb45d82b823ebd68cb8e192fa95abe4381002adbcfb0b3f6d9b47be4e0

Analysis

max time kernel
593s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Twitch Downloader/System.Numerics.Vectors.dll
Size

113KB
MD5

aaa2cbf14e06e9d3586d8a4ed455db33
SHA1

3d216458740ad5cb05bc5f7c3491cde44a1e5df0
SHA256

1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183
SHA512

0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8
SSDEEP

1536:nPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/hV+sUwS:nWw0SUUKBM8aOUiiGw7qa9tK/bJS

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F322ADA7-9B93-4BC7-BAC4-384EC9443AE8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5901857A-B923-4AD0-B896-3EAEF8803AEE}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7B10613B-CEC9-4C60-9B9E-6F21C8B9B4E4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{850F60D7-4E21-4EAB-8D8B-930655DB69F4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3DCA3C5D-E204-407D-91F6-85E3C7F09659}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4D05F393-7FA6-4F57-B658-09532B05E523}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F95DEB48-B07D-4F91-810C-FBB46566D905}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61FA3D9B-E1D0-4559-9E12-5914A0DE273B}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Twitch Downloader\System.Numerics.Vectors.dll",#1
1⤵
PID:3360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu9316.tmp
Filesize
36KB

MD5
761388ca8095173f6963b1d23ad8a68b

SHA1
41e2693d0efc36cb0b97ea215d554932c46464ab

SHA256
369a2323cb569b44970884d5af3d70e38c9cfb59a54d929fabb51ba46593aa06

SHA512
2db4576927b4325dc51ce1755d55b00f7153a10424ca79fb7f32f8c92a5dec899c3961b44a15a129f1e5234b53a89c8946192703b88b10e70e86670e5831ebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsu9712.tmp
Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
c5171d607403c3d97f8076708cc93fd2

SHA1
6ff4b78a607ee30a705f47d95edaa6d08b3bfb2d

SHA256
911298c28a0c56eed12d4b0dcc9d2b21030775321626bf6f2b9998a62d1f1374

SHA512
4fd01c36f92e9a72671866d23e7a70ba66de61dd5f3acdf59203308e20de8bbfcecf4797c5b89b7515bfa7038b73f40ea67156acc401fb7514a5c4e9e2d64a00

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
19f806e6a5be82ee8f121bd19bba8709

SHA1
512cf507d5be4b201365964ae8fccb56afb30e93

SHA256
8d4d7a166716fee2fc10b2470bad577e81e3653b3b98e0fa48a85a8b3c9f8f55

SHA512
0df1ebefca97415fa635a59bcdd612b8dad4e1f75e61f2fd0ea2adc9d901f1ba58b76c4507f3ba433b919fa1f718ae61bb23d2f114a72304bb2221f89c9863b1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
b816c41a9b55eead6487ba6746dd6221

SHA1
ece0a43bf631145d52451681cafa0a87da8242e3

SHA256
904bb7339bfecea46abca9015a2f0e54796288a11f3835bfd67a0603ff17da70

SHA512
155ed6f62ff6d0baf02936c3bdd84d8f86321742ee46b44c042657581751c4dc5d6b4bac089472108714e1002b59913764b6963a2359577a28600a473969810b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
88c14bc0f29dafeeaafbd7cbbec16bca

SHA1
13616765fa267e1a5022cb533179a7d4fcfb0c35

SHA256
ac45c1c658cf08b86f794fd477a4a3ea57c785ccee777bc9fff33780cf399cbf

SHA512
1ec8cb471705263007d8f9b4e732173c3fc3cba492e24f5062c903fd3f5ee13bbdb70cefc608519c37cf29aac8be677cde7b1fa7708c46a49071b22d333f971d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
4e06c0181e43aa67393308141ecb1a23

SHA1
32210f6b545d1c2a2969580038deec4781f346e6

SHA256
ea05104ab1932fb2e496d6df45bc5afe16cb1aefa2ce0daecaaccd07b77cf14a

SHA512
167e8e3fe2f630cb11fd06c4b1f5f20a7e6f531a036e8df47de2c8ad43efab6fa58aae8a6d878e449197c7198dac097dc4094744a5c8f363ca4f310068c6e27f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
78a4a17a15ba50d829348ea5cb437ac3

SHA1
cc06c5cb7f37a50c20b7070f21a32209527f2375

SHA256
dfea39a513b3d25f7197291c92449270acbfd328a36a6d3eb59a270f591843e0

SHA512
ee7653aaf4610555a3cefa56e1097ed7c9b67bff614397ca305faceeebfb7e0dba96f20160c7a846dd907027b1efca58998be90fa29dcc7a0c4ef2d1128e059a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
7ee72895a2551c4a58887d916e44f618

SHA1
a9b15805d9cbc62d5da54aca7542f0504dafbf62

SHA256
55b288d45b4686bfcf7c0d33b83176c7dc7959485b80162e108d24829216f39b

SHA512
233dc4a4db5d67d99f014c510738eeb6574ceccf658fe7ceeaf2445139e418e084937e630436a1b1c516699eff225b05a908971f006e919690f55b2e54bd0110

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
a7ea5b7ddb9eea35e37ee83a28350b1a

SHA1
2fcb2d1a78a64929c0a3462c067d0401f4f6e7f8

SHA256
4f05a08ab13dfc532eb4587afd1a9314373f2296f28d35641757c87057bfc0a3

SHA512
2cbab4fffefcee2b0ab3cba6fa59c658bfa5180f66c64fa5b58efd55c73e59227ce472a319f7f98ce3cc6234a0d95ca96eaa4bea17b6f0738723ed186655f065

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
f8490c4a7a512c747c0b2e8670ae3f2a

SHA1
b7ad5399033eadaf65b0d6dbf9b40b7fb654ccd5

SHA256
f28de23344775ef978dc79fd2787261c5c998cb669de3038308c76ab8b77c508

SHA512
26cd4bbf5692eb4f5b6347e440b9d100f18916a469c9b34ed65ec6cd98cdaa7e98ee67309ad59e2c00eaa87bb5139c8113816f996f322b55eacd99ba08b2484b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize
29KB

MD5
20d1d9091ca801129cbb16725e88a145

SHA1
6175e4608de2fd4ae3de39966ced3823731e7fb9

SHA256
e98da3ae13f9f52cc1183e0b70c1e308cb2c83270610953745dfe74f341906bd

SHA512
7c033ca4ea766b595468d2494f7fa85bf2a4c472e877e31a98844a49e95ec7d75051ea57b7bdb0625dbb9631a488cae978def4307ff979e405a3a1405605e756

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat
Filesize
66KB

MD5
68df10ab529f4b140a25251dd83b744b

SHA1
891fb561372c2077b44d85b1c34b914b5ba79936

SHA256
6a212d2187bf93e6402725b795017d566d69e4f39950cdb404f561550141a4e2

SHA512
b0e65e24675012aded8d789577b1d7e8df9112ffde1b91b8ec47219e6920af032a4c6819b37935bcb6658fa4fbcd53078776d1d6876f5d033d2f361680385c64

Download Submit