Analysis

  • max time kernel
    30s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/04/2023, 11:24

General

  • Target

    TwitchFollowBotbyKuroCracks/appslocal/e3b0c442/SID8dd4cb65/engine/Worker/chrome/worker.exe

  • Size

    1.9MB

  • MD5

    cab3a38853334650446f70cdff88f647

  • SHA1

    3ec82389402f0c0423c0753217f628d2ea7da445

  • SHA256

    bf4069a45216189986296a5cef999ff8872eeeb7ac7ab13a5e84b27511e36841

  • SHA512

    fbecc0369d725a24205d70eaf3cdad76ed0ebc009f346900f9c76e8674bfd2c9df3723a18f7d25b6a13aac277895a4f426ddb21c060291c110a4bdd41869b792

  • SSDEEP

    24576:n0vN2iVRj8jl/e6udnzF4D+i8gdsVASn+F/mSts6fwMUyudf2XTQ50h6rw+EwhW:0vN2Wh8j2WdOn+FuStKMUyWf2X16kmW
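Before working from these digests, confirm that the file in hand is the one that was analysed. The script below is an added example, not part of the report, that recomputes all four digests in a single pass over a candidate file and compares them with the values listed above. It also shows one detail of the target path worth knowing: the `e3b0c442` directory component is exactly the first eight hex digits of SHA-256 over empty input.

```python
"""Check a candidate file against the digests in this report's General
section, and show what the short hex directory name in the sample path is."""
import hashlib
import io

# Digests copied from the report for worker.exe.
REPORT_DIGESTS = {
    "md5": "cab3a38853334650446f70cdff88f647",
    "sha1": "3ec82389402f0c0423c0753217f628d2ea7da445",
    "sha256": "bf4069a45216189986296a5cef999ff8872eeeb7ac7ab13a5e84b27511e36841",
    "sha512": ("fbecc0369d725a24205d70eaf3cdad76ed0ebc009f346900f9c76e8674bfd2c9"
               "df3723a18f7d25b6a13aac277895a4f426ddb21c060291c110a4bdd41869b792"),
}


def multihash(stream, chunk_size=1 << 20):
    """MD5, SHA-1, SHA-256 and SHA-512 of a binary stream in one pass."""
    hashers = {name: hashlib.new(name) for name in REPORT_DIGESTS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def multihash_bytes(data):
    """Same as multihash(), for an in-memory blob."""
    return multihash(io.BytesIO(data))


def compare(observed, expected):
    """Per-algorithm match table. Any False means 'not the same file':
    an MD5 match with a SHA-256 mismatch is a collision or a copy error,
    never a confirmation."""
    return {name: observed.get(name, "").lower() == digest.lower()
            for name, digest in expected.items()}


def verify_file(path, expected=REPORT_DIGESTS):
    """Hash the file at `path` and compare it with the report's digests."""
    with open(path, "rb") as f:
        return compare(multihash(f), expected)


def short_sha256(data, length=8):
    """First `length` hex digits of SHA-256. The 'e3b0c442' component of the
    sample's path is this value for empty input: SHA-256(b'') begins
    e3b0c442..., so that directory is named by the hash of nothing."""
    return hashlib.sha256(data).hexdigest()[:length]


if __name__ == "__main__":
    import sys
    print(short_sha256(b""))  # e3b0c442
    if len(sys.argv) > 1:
        for name, ok in verify_file(sys.argv[1]).items():
            print(f"{name:6} {'match' if ok else 'MISMATCH'}")
```

Run it with the path of a suspected copy of worker.exe as the only argument; all four rows must read match. A directory named after SHA-256 of empty input usually means the application hashed an empty configuration value or key to build the path, which is a useful pivot when comparing installs of the same bot.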

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, a pattern commonly used for geofencing. In this run the flag is raised by the parent (PID 4388) and by the three renderer children (PIDs 5036, 2020, 1748), matching the four IoCs; pull those registry IoCs to see whether the key read is the Windows region/locale setting or a dedicated geofence check before treating it as evasion.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. Caveat for this sample: no IoCs are attached to this signature, and every browser-profile file recorded under Downloads lives in the Chromium\User Data profile written by worker.exe's own Chromium child processes (Cache, Sync Data\LevelDB, Local State). Check whether any other browser's profile directory was read before treating this as credential theft.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

    Chromium's sandbox broker uses WriteProcessMemory to set up each child it launches, so a Chromium-based parent such as worker.exe (eight children here) triggers this by design. Review the target PIDs in the IoCs: writes into its own worker.exe children are expected, writes into any other process are not.

Processes

  • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
    "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe"
    1⤵
    • Checks computer location settings
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:2
      2⤵
      PID:1596
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:8
      2⤵
      PID:1416
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:8
      2⤵
      PID:2108
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=renderer --display-capture-permissions-policy-allowed --event-path-policy=0 --first-renderer-process --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\gen" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:1
      2⤵
      • Checks computer location settings
      PID:5036
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=renderer --display-capture-permissions-policy-allowed --event-path-policy=0 --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\gen" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:1
      2⤵
      • Checks computer location settings
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=renderer --display-capture-permissions-policy-allowed --event-path-policy=0 --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\gen" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:1
      2⤵
      • Checks computer location settings
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:8
      2⤵
      PID:1376
    • C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072 /prefetch:8
      2⤵
      PID:4368
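The eight children above are launched with Chromium's --type switches and all carry the same --field-trial-handle, which is what a Chromium-based executable re-launching itself as GPU, renderer and utility helpers looks like. The script below is an added example, not part of the report or of the sample, that parses such command lines and runs the checks an analyst wants on this kind of tree: that every helper is the same image as its parent and was spawned by the browser process, that only one browser instance is present, and which services were launched with --service-sandbox-type=none. The sample tree is constructed from the report's PIDs and switches, abbreviated (the --gpu-preferences blob and several renderer switches are dropped, and one process of each type is kept).

```python
"""Triage a Chromium-style process tree from a sandbox report.

Chromium-based binaries (browsers, Electron/CEF/NW.js apps) re-launch their
own executable as helper processes, each tagged with --type=... switches.
This parses those switches, labels every process and flags what is worth a
look: a helper whose image differs from its parent, a helper not spawned by
the browser process, more than one browser instance, and services running
with the sandbox disabled.
"""
import re
from collections import Counter

# Constructed sample, abbreviated from the report's process tree: same
# executable, PIDs and switches, minus the --gpu-preferences blob.
EXE = (r"C:\Users\Admin\AppData\Local\Temp\TwitchFollowBotbyKuroCracks\appslocal"
       r"\e3b0c442\SID8dd4cb65\engine\Worker\chrome\worker.exe")
GEN = EXE.rsplit("\\", 1)[0] + "\\gen"
FT = "--field-trial-handle=1760,i,4194438028072027383,4315811812734108338,131072"
SAMPLE_TREE = [  # (pid, ppid, command line); ppid 0 marks the root of the tree
    (4388, 0, f'"{EXE}"'),
    (1596, 4388, f'"{EXE}" --type=gpu-process --mojo-platform-channel-handle=1664 {FT} /prefetch:2'),
    (1416, 4388, f'"{EXE}" --type=utility --utility-sub-type=network.mojom.NetworkService '
                 f'--lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 {FT} /prefetch:8'),
    (2108, 4388, f'"{EXE}" --type=utility --utility-sub-type=storage.mojom.StorageService '
                 f'--lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 {FT} /prefetch:8'),
    (5036, 4388, f'"{EXE}" --type=renderer --first-renderer-process --file-url-path-alias="/gen={GEN}" '
                 f'--lang=en-US --renderer-client-id=6 --mojo-platform-channel-handle=3108 {FT} /prefetch:1'),
    (1376, 4388, f'"{EXE}" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService '
                 f'--lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 {FT} /prefetch:8'),
]

SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')


def parse_switches(cmdline):
    """Map each --switch to its value ('' for bare switches). Quoted values
    such as --file-url-path-alias="/gen=..." are returned without quotes;
    non-switch tokens like /prefetch:8 are ignored."""
    return {name: value.strip('"') for name, value in SWITCH_RE.findall(cmdline)}


def image_path(cmdline):
    """The executable token at the start of the command line."""
    match = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return match.group(1) or match.group(2)


def classify(cmdline):
    """Role of one process; the parent/broker process carries no --type."""
    sw = parse_switches(cmdline)
    return {
        "role": sw.get("type", "browser"),
        "service": sw.get("utility-sub-type"),
        "sandbox": sw.get("service-sandbox-type"),
        "instance": sw.get("field-trial-handle"),  # shared by all children of one browser
    }


def triage(tree):
    """Label every process and collect findings for the analyst."""
    info = {pid: classify(cmd) for pid, _, cmd in tree}
    images = {pid: image_path(cmd) for pid, _, cmd in tree}
    browsers = {pid for pid, i in info.items() if i["role"] == "browser"}
    findings = []
    for pid, ppid, _ in tree:
        i = info[pid]
        if i["role"] == "browser":
            continue
        if ppid not in browsers:
            findings.append(f"{pid}: {i['role']} helper not spawned by a browser process")
        if images.get(ppid) != images[pid]:
            findings.append(f"{pid}: helper image differs from its parent's")
        if i["role"] == "utility" and i["sandbox"] == "none":
            findings.append(f"{pid}: {i['service']} launched with --service-sandbox-type=none")
    instances = {i["instance"] for i in info.values() if i["role"] != "browser"}
    return {
        "roles": Counter(i["role"] for i in info.values()),
        "instances": len(instances),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TREE)
    print(dict(result["roles"]), "browser instances:", result["instances"])
    for line in result["findings"]:
        print("-", line)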

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Cache\Cache_Data\data_0
    Filesize 8KB
    MD5 cf89d16bb9107c631daabf0c0ee58efb
    SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
    SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
    SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Cache\Cache_Data\data_1
    Filesize 264KB
    MD5 f09ac30a2471f5e3e5f3d26162134295
    SHA1 f3ba74c0f73fde7b994fac9679bbd117475e140e
    SHA256 4a156b4e3fdc3b35693b04deb539cb8e7a17c6ef52152392cf24886005dccb65
    SHA512 bfb8f63adcebb55ebbcc1704729fade56a3447330fcce7c77c30f86f7bf68b6adefd91db363026047ddce7ac22418a8224d9a6da9da8b457f48c0176193d83b7

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Cache\Cache_Data\data_2
    Filesize 8KB
    MD5 0962291d6d367570bee5454721c17e11
    SHA1 59d10a893ef321a706a9255176761366115bedcb
    SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
    SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Cache\Cache_Data\data_3
    Filesize 8KB
    MD5 41876349cb12d6db992f1309f22df3f0
    SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
    SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
    SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Sync Data\LevelDB\CURRENT
    Filesize 16B
    MD5 46295cac801e5d4857d09837238a6394
    SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
    Filesize 41B
    MD5 5af87dfd673ba2115e2fcf5cfdb727ab
    SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
    SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
    SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Default\bad02175-9733-47e0-b4e5-44aacb4fa1f4.tmp
    Filesize 193KB
    MD5 e58af2fb17f6fa95b22d07641ed76833
    SHA1 8c6871e8da0e6f4c8757891fa81df66b85d2aabc
    SHA256 f6c9b55ea91997d180647b1c0651e906bb06bf8cca559d5bc661f9eecf8e1e05
    SHA512 e873b9f73d419c149a39728a65adb87417a5f798145b20d9b91552b5ee7a7db3ee8c7709eef9c4715c25e9a02804c765118a26198663b3fa18cb2d8f4b9e8e6d

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Local State
    Filesize 1KB
    MD5 14f33dbf645837ba4e73352a78ee7d48
    SHA1 28fd6a406171eb2cb43b1708077a96f70c967f57
    SHA256 ff75da97821aa2bcc9bbc30f0c99eb19ae736bff94399cb0a9e417cb8d56dfd5
    SHA512 4b7ed1073a62d333a2e0c468338653ccba8b17b9232a71bd43ff70ed934b72481248b8c494f9054b57e2b58589c51df8045d33d867083e086d14d7d5f9ddb17f

  • C:\Users\Admin\AppData\Local\Chromium\User Data\Local State~RFe57276e.TMP
    Filesize 862B
    MD5 08ee33411d7e2ccb5b4b215c2a0c6eb8
    SHA1 720082bd48766e1ea4d3a860f18e47be91b1383c
    SHA256 f3f136b27ef6d038cfd3d75e14b54d56df2d52078db0b9a79ae0447c2d4ae43e
    SHA512 28f36d304773a6f8b09aa8981d50450ae2ec012e999dc25ed91c2f56e2c3caf0b188d09834acf22c4649e5f040819aa97edaee9d8f391cad88abd7c249049af6