Analysis

  • max time kernel
    25s
  • max time network
    89s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2023, 11:24

General

  • Target

    TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/SchedulerGui.exe

  • Size

    461KB

  • MD5

    ccdee9e578fb9eb21a5fcec5d43e8de0

  • SHA1

    4a580c2e39fafaf44f12d5a64556be96f65dff39

  • SHA256

    7d3995e87417dfeb1c644a20c46805220876adc0f6a4a6c1fa81cfe92ead70a2

  • SHA512

    37c44c801a86a52d2a1dd8236bd13f2c213f97741e5496f6ac9649f16fb2e67440ea3af359970e332790adebd724030e98e9387f08b2f691eaae93c6787c6d5c

  • SSDEEP

    6144:nLfZUwjyln1IjkyhopbIHa2jijA0D8CNrepZYTTAOT3TwEif7:LfZUwjan1whyELjOrepZYXVDif7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
    "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=gpu-process --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=9760681122036830057 --mojo-platform-channel-handle=1684 /prefetch:2
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:4780
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=utility --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=8578118936656016572 --mojo-platform-channel-handle=1952 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4436
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8573096986799555222 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:1948
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3512686315433190793 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:4088
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\SchedulerGui.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1676,8705712873571028478,2823406586980593402,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4000624381867313032 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:2772

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log

          Filesize

          266B

          MD5

          342b4591cd0bde3246c8977e224c05c4

          SHA1

          b69e9ecc7fa7e12effb4e3c631ac0e8a7aeb0712

          SHA256

          09b999b55f42512196506755a2dddebd628b8be15a2259a037c292af5a186705

          SHA512

          270ccb675aa07bcdc82e99453e9ba5fc6bc22852e977d88e35d85ff0453d205fc5745a861ec12da0bfaee489bf467061cd694836861b0a7fa8a07c8d0be3df73