Analysis (sandbox score 7)

max time kernel: 30s
max time network: 66s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/04/2023, 11:24
Behavioral tasks

behavioral1
  Sample: TwitchFollowBotbyKuroCracks/Twitch Follow Bot by KuroCracks.exe
  Resource: win10v2004-20230220-en
behavioral2
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/FastExecuteScript.exe
  Resource: win10v2004-20230220-en
behavioral3
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/RemoteExecuteScript.exe
  Resource: win10v2004-20230220-en
behavioral4
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Scheduler.exe
  Resource: win10v2004-20230220-en
behavioral5
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/SchedulerGui.exe
  Resource: win10v2004-20230220-en
behavioral6
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/UserInterface.exe
  Resource: win10v2004-20230220-en
behavioral7
  Sample: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/Worker.exe
  Resource: win10v2004-20230220-en

This page is the report for behavioral6 (UserInterface.exe).
General

Target: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/UserInterface.exe
Size: 764KB
MD5: 9615be619e53fbc07bbd06d28069580c
SHA1: 61bd5fd094c36d534b3f19eb76f102ae54b2c04f
SHA256: dee80f2b345bf19ff8047c53aa074487f14c3e077e2cdec0bba58fa77e69ba66
SHA512: f7a74e7a470c726cc0cdede4f4fd56f294843075918773ce957597a147941bc5d1dc2628ab94df62838cd72d7a92020d3eb4187bf9e01251c2e96bf6d51845da
SSDEEP: 12288:ghQwEiCN9hf8b2KQqm5jOqJCoFqrH+ZHeEFFOhNeVCHFp7rTLqM6ETR24mi3OrDI:ghQwEiCN9hf8b2KQqm5jOqJCoFqrH+ZO
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry; the sandbox rates this as a likely geofence check.

  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation   UserInterface.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation   UserInterface.exe

Both queries come from the two renderer children (PIDs 4992 and 1332 in the process tree). Geo\Nation is the value that the Windows GetUserGeoID API reads for the user's country, and a Chromium-based engine touches it during locale setup, so on its own this is a weak geofence indicator. It only becomes meaningful if later behaviour is conditional on the result, and this run shows no such branch.

Modifies registry class (1 IoC)

  description   ioc                                                                                                                                                                                            Process
  Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{392C6A65-FEC0-4E14-B80C-FD8F9CF63E40}   UserInterface.exe

The process tree attributes this to PID 3428, the gpu-process child.

Suspicious behavior: EnumeratesProcesses (8 IoCs)

  pid    Process             entries
  3428   UserInterface.exe   2
  4084   UserInterface.exe   2
  4992   UserInterface.exe   2
  1332   UserInterface.exe   2

Suspicious use of WriteProcessMemory (12 IoCs)

  description                          pid    Process             procid_target   entries
  PID 1900 wrote to memory of 3428     1900   UserInterface.exe   90              3
  PID 1900 wrote to memory of 4084     1900   UserInterface.exe   91              3
  PID 1900 wrote to memory of 1332     1900   UserInterface.exe   93              3
  PID 1900 wrote to memory of 4992     1900   UserInterface.exe   92              3

Every write goes from the parent (PID 1900) into one of its own four children, the same four that carry --type switches in the process tree. Three entries per freshly spawned child is the pattern this sandbox records for ordinary process creation (the parent populating the new process before it starts), so nothing here points to injection into a foreign process. A write whose target is not a child of the writer would be the event worth escalating.
Processes

UserInterface.exe (PID 1900, depth 1, parent of every process below)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe"
  Signatures: Suspicious use of WriteProcessMemory

  UserInterface.exe (PID 3428, depth 2, --type=gpu-process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=gpu-process --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=9355575520705611108 --mojo-platform-channel-handle=1396 /prefetch:2
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses

  UserInterface.exe (PID 4084, depth 2, --type=utility, --service-sandbox-type=network)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=utility --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=5978853817981433830 --mojo-platform-channel-handle=1952 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  UserInterface.exe (PID 4992, depth 2, --type=renderer)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10012864076507471052 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses

  UserInterface.exe (PID 1332, depth 2, --type=renderer)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15803335564430514738 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses

Reading the tree: the parent launches four Chromium-style helper processes (a gpu-process, a utility process hosting the network service, and two renderers), all re-executing the same binary with --type switches, shared --field-trial-handle and --mojo-platform-channel-handle IPC handles, and a debug.log next to the binary; the --log-file and --log-severity switches are those of the Chromium Embedded Framework. Every child is started with --no-sandbox, and both renderers additionally carry --no-v8-untrusted-code-mitigations, so the embedded browser engine runs with its process isolation and V8's untrusted-code mitigations switched off: any bug reachable from content loaded by this engine lands directly in an unsandboxed process running as the interactive user. The profile artifacts listed under Downloads (Code Cache, Local Storage leveldb, MANIFEST) are the engine's own profile directory under engine\Worker\profile.
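Two checks a responder would script over the tree and IoCs above, as an added example that is neither part of the sandbox report nor code from the sample: pulling the isolation-weakening switches out of each child's command line, and separating WriteProcessMemory events that target the writer's own children from writes into unrelated processes. The function names (chromium_switches, isolation_findings, classify_wpm) are mine; the PIDs, switches and the twelve write events are transcribed from this page, with the full paths dropped from the command lines because the checks do not depend on them.

```python
"""Triage helpers for a Chromium-style process tree and WriteProcessMemory IoCs.

Added example; not part of the sandbox report nor code from the analysed sample.
PIDs, switches and write events are transcribed from the report above; the
command lines are shortened to the switches that matter (assumption: the
dropped paths and IPC tokens are irrelevant to these two checks).
"""
import re
from collections import Counter

# Chromium/CEF switches that weaken process isolation when present on a child.
ISOLATION_WEAKENING = {
    "--no-sandbox": "child runs outside the Chromium sandbox",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code (Spectre) mitigations off",
}

# Constructed from the Processes section (binary names only, paths dropped).
PROCESSES = {
    1900: {"parent": None, "cmd": '"UserInterface.exe"'},
    3428: {"parent": 1900, "cmd": '"UserInterface.exe" --type=gpu-process --no-sandbox '
                                  '--log-severity=disable --mojo-platform-channel-handle=1396'},
    4084: {"parent": 1900, "cmd": '"UserInterface.exe" --type=utility --service-sandbox-type=network '
                                  '--no-sandbox --mojo-platform-channel-handle=1952'},
    4992: {"parent": 1900, "cmd": '"UserInterface.exe" --type=renderer --no-sandbox --renderer-client-id=3 '
                                  '--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256'},
    1332: {"parent": 1900, "cmd": '"UserInterface.exe" --type=renderer --no-sandbox --renderer-client-id=5 '
                                  '--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240'},
}

# The twelve "wrote to memory of" IoCs from the Signatures section as (writer, target).
WPM_EVENTS = ([(1900, 3428)] * 3 + [(1900, 4084)] * 3
              + [(1900, 1332)] * 3 + [(1900, 4992)] * 3)

# --switch or --switch=value; the value runs to the next whitespace.
SWITCH_RE = re.compile(r"--([\w-]+)(?:=(\S*))?")


def chromium_switches(cmdline):
    """Return {'--switch': value-or-None} for every switch on a command line."""
    return {"--" + name: (value or None) for name, value in SWITCH_RE.findall(cmdline)}


def isolation_findings(processes):
    """Map each --type child to the isolation-weakening switches it was launched with."""
    findings = {}
    for pid, proc in processes.items():
        switches = chromium_switches(proc["cmd"])
        if "--type" not in switches:
            continue  # the browser (parent) process carries no --type switch
        issues = [f"{sw}: {why}" for sw, why in ISOLATION_WEAKENING.items() if sw in switches]
        if issues:
            findings[pid] = {"type": switches["--type"], "issues": issues}
    return findings


def classify_wpm(events, processes):
    """Split WriteProcessMemory events into parent-to-own-child writes and everything else.

    A parent writing into a child it has just spawned is what ordinary process
    creation looks like to a hooking sandbox; a write into any process that is
    not the writer's child is the pattern worth escalating.
    """
    parent_to_child = Counter()
    injection_candidates = []
    for writer, target in events:
        if processes.get(target, {}).get("parent") == writer:
            parent_to_child[target] += 1
        else:
            injection_candidates.append((writer, target))
    return {"parent_to_child": dict(parent_to_child),
            "injection_candidates": injection_candidates}


if __name__ == "__main__":
    for pid, finding in isolation_findings(PROCESSES).items():
        print(f"PID {pid} ({finding['type']}):")
        for issue in finding["issues"]:
            print("   ", issue)
    print(classify_wpm(WPM_EVENTS, PROCESSES))
```

Run as-is it reports all four children as unsandboxed (the two renderers with both switches) and classifies all twelve writes as parent-to-child with no injection candidates, which is the reading given above; feed it a live process list and the report's event rows to apply the same split to a fresh run.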
Network
MITRE ATT&CK Enterprise v6
Downloads (files written during the run)

C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Code Cache\js\index-dir\temp-index
  Filesize: 288B
  MD5: b7a007f8c19f72433d7aa8733902ccd8
  SHA1: 9af19e1a7254001e742e959f00d6828c077a6e71
  SHA256: e14a804b9d3aac7fbd67cc6eabdf19a1c5c6920a926441af8b7770aecee910ef
  SHA512: b7731e5d8565d1ccce5b873e871a007e08643c96a09d97b862f67746ac5bdf3bba350ab8c3cd40168226a602bf69e6e1a659b3a08a0cedfed528aea4f701b6e4

C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Code Cache\js\index-dir\the-real-index~RFe57a77b.TMP
  Filesize: 48B
  MD5: 531b1d6d41c7d873d93c8b8de6e5efb8
  SHA1: d643d3b50a357c6e059d9d2b1bb1169a33968818
  SHA256: 678f5fa5cb96e94ab3e7713c2802ef95ff0b05c3cfa2894851ad430f4b1f8749
  SHA512: 71d302a3702bc68cea876ed29acb286ea66a69076fbc69bc2e2c5224841be80643f3111fb8512fb0e805caa5e0e85896e71a7fa3118eda6af7b64151d6f36164

C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Local Storage\leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b