Analysis

  • max time kernel: 30s
  • max time network: 66s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/04/2023, 11:24

General

  • Target: TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/UserInterface.exe
  • Size: 764KB
  • MD5: 9615be619e53fbc07bbd06d28069580c
  • SHA1: 61bd5fd094c36d534b3f19eb76f102ae54b2c04f
  • SHA256: dee80f2b345bf19ff8047c53aa074487f14c3e077e2cdec0bba58fa77e69ba66
  • SHA512: f7a74e7a470c726cc0cdede4f4fd56f294843075918773ce957597a147941bc5d1dc2628ab94df62838cd72d7a92020d3eb4187bf9e01251c2e96bf6d51845da
  • SSDEEP: 12288:ghQwEiCN9hf8b2KQqm5jOqJCoFqrH+ZHeEFFOhNeVCHFp7rTLqM6ETR24mi3OrDI:ghQwEiCN9hf8b2KQqm5jOqJCoFqrH+ZO

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe
    "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe"
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=gpu-process --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=9355575520705611108 --mojo-platform-channel-handle=1396 /prefetch:2
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3428
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=utility --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --service-request-channel-token=5978853817981433830 --mojo-platform-channel-handle=1952 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:4084
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10012864076507471052 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:4992
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\UserInterface.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --field-trial-handle=1672,4717043912470883285,7761126020060679892,131072 --disable-features=MimeHandlerViewInCrossProcessFrame --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\debug.log" --log-severity=disable --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15803335564430514738 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:1332

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Code Cache\js\index-dir\temp-index
    Filesize: 288B
    MD5: b7a007f8c19f72433d7aa8733902ccd8
    SHA1: 9af19e1a7254001e742e959f00d6828c077a6e71
    SHA256: e14a804b9d3aac7fbd67cc6eabdf19a1c5c6920a926441af8b7770aecee910ef
    SHA512: b7731e5d8565d1ccce5b873e871a007e08643c96a09d97b862f67746ac5bdf3bba350ab8c3cd40168226a602bf69e6e1a659b3a08a0cedfed528aea4f701b6e4

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Code Cache\js\index-dir\the-real-index~RFe57a77b.TMP
    Filesize: 48B
    MD5: 531b1d6d41c7d873d93c8b8de6e5efb8
    SHA1: d643d3b50a357c6e059d9d2b1bb1169a33968818
    SHA256: 678f5fa5cb96e94ab3e7713c2802ef95ff0b05c3cfa2894851ad430f4b1f8749
    SHA512: 71d302a3702bc68cea876ed29acb286ea66a69076fbc69bc2e2c5224841be80643f3111fb8512fb0e805caa5e0e85896e71a7fa3118eda6af7b64151d6f36164

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\Local Storage\leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\profile\MANIFEST-000001
    Filesize: 41B
    MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
    SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
    SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
    SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b