Analysis
- max time kernel: 25s
- max time network: 89s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/04/2023, 11:24
Behavioral tasks
- behavioral1
  Sample: TwitchFollowBotbyKuroCracks/Twitch Follow Bot by KuroCracks.exe
  Resource: win10v2004-20230220-en
- behavioral2
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/FastExecuteScript.exe
  Resource: win10v2004-20230220-en
- behavioral3
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/RemoteExecuteScript.exe
  Resource: win10v2004-20230220-en
- behavioral4
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Scheduler.exe
  Resource: win10v2004-20230220-en
- behavioral5
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/SchedulerGui.exe
  Resource: win10v2004-20230220-en
- behavioral6
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/UserInterface.exe
  Resource: win10v2004-20230220-en
- behavioral7
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/Worker.exe
  Resource: win10v2004-20230220-en
General
- Target: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/SchedulerGui.exe
- Size: 461KB
- MD5: ccdee9e578fb9eb21a5fcec5d43e8de0
- SHA1: 4a580c2e39fafaf44f12d5a64556be96f65dff39
- SHA256: 7d3995e87417dfeb1c644a20c46805220876adc0f6a4a6c1fa81cfe92ead70a2
- SHA512: 37c44c801a86a52d2a1dd8236bd13f2c213f97741e5496f6ac9649f16fb2e67440ea3af359970e332790adebd724030e98e9387f08b2f691eaae93c6787c6d5c
- SSDEEP: 6144:nLfZUwjyln1IjkyhopbIHa2jijA0D8CNrepZYTTAOT3TwEif7:LfZUwjan1whyELjOrepZYXVDif7
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | SchedulerGui.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | SchedulerGui.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | SchedulerGui.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2275444769-3691835758-4097679484-1000\{1319EE7E-D422-4877-82F7-BBFDF31F9E8D} | SchedulerGui.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4780 | SchedulerGui.exe
  4780 | SchedulerGui.exe
  4436 | SchedulerGui.exe
  4436 | SchedulerGui.exe
  4088 | SchedulerGui.exe
  4088 | SchedulerGui.exe
  2772 | SchedulerGui.exe
  2772 | SchedulerGui.exe
  1948 | SchedulerGui.exe
  1948 | SchedulerGui.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 644 wrote to memory of 4780 | 644 | SchedulerGui.exe | 86
  PID 644 wrote to memory of 4780 | 644 | SchedulerGui.exe | 86
  PID 644 wrote to memory of 4780 | 644 | SchedulerGui.exe | 86
  PID 644 wrote to memory of 4436 | 644 | SchedulerGui.exe | 87
  PID 644 wrote to memory of 4436 | 644 | SchedulerGui.exe | 87
  PID 644 wrote to memory of 4436 | 644 | SchedulerGui.exe | 87
  PID 644 wrote to memory of 2772 | 644 | SchedulerGui.exe | 90
  PID 644 wrote to memory of 2772 | 644 | SchedulerGui.exe | 90
  PID 644 wrote to memory of 2772 | 644 | SchedulerGui.exe | 90
  PID 644 wrote to memory of 4088 | 644 | SchedulerGui.exe | 89
  PID 644 wrote to memory of 4088 | 644 | SchedulerGui.exe | 89
  PID 644 wrote to memory of 4088 | 644 | SchedulerGui.exe | 89
  PID 644 wrote to memory of 1948 | 644 | SchedulerGui.exe | 88
  PID 644 wrote to memory of 1948 | 644 | SchedulerGui.exe | 88
  PID 644 wrote to memory of 1948 | 644 | SchedulerGui.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe"
  PID: 644
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=gpu-process --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=9760681122036830057 --mojo-platform-channel-handle=1684 /prefetch:2
    PID: 4780
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=utility --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=8578118936656016572 --mojo-platform-channel-handle=1952 /prefetch:8
    PID: 4436
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8573096986799555222 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
    PID: 1948
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3512686315433190793 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
    PID: 4088
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4000624381867313032 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
    PID: 2772
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log
  Filesize: 266B
  MD5: 342b4591cd0bde3246c8977e224c05c4
  SHA1: b69e9ecc7fa7e12effb4e3c631ac0e8a7aeb0712
  SHA256: 09b999b55f42512196506755a2dddebd628b8be15a2259a037c292af5a186705
  SHA512: 270ccb675aa07bcdc82e99453e9ba5fc6bc22852e977d88e35d85ff0453d205fc5745a861ec12da0bfaee489bf467061cd694836861b0a7fa8a07c8d0be3df73