Analysis
max time kernel: 33s
max time network: 36s
platform: windows7_x64
resource: win7-20240221-es
resource tags: arch:x64 arch:x86 image:win7-20240221-es locale:es-es os:windows7-x64 system:windows
submitted: 03/04/2024, 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: TwitchLinkSetup-3.1.3.exe
  Resource: win7-20240221-es
Behavioral task: behavioral2
  Sample: TwitchLinkSetup-3.1.3.exe
  Resource: win10v2004-20240226-es
Errors
General
Target: TwitchLinkSetup-3.1.3.exe
Size: 117.8MB
MD5: 093b1a9026a8172817cf9a3dac2db344
SHA1: 1d208075d40bae87b747cd8ce43fbb3882c63f31
SHA256: 1c331de58c43be0aca0f6a6d5d92c86c09f5709876ab2b0cb8503f83b14ac5b9
SHA512: 52add0144f334bd618f9cd45f86c308ea6a7799e491da04e0a8ca598903ea4f046f39825c90b79507bd470d94a41dcf6a0bb6128f0b92156ebff6d114a59f99f
SSDEEP: 3145728:b+TQHR3aIl4cmZrewUgIedp4xWTluuKy5Hbbmb1wA:b+kHR3aO4XYed1luuK4GJ3
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid   Process
1876  TwitchLinkSetup-3.1.3.tmp
2752  TwitchLink.exe
1684  TwitchLink.exe

Loads dropped DLL 9 IoCs
pid   Process
1956  TwitchLinkSetup-3.1.3.exe
1100  Process not Found
1100  Process not Found
1100  Process not Found
1100  Process not Found
1876  TwitchLinkSetup-3.1.3.tmp
2752  TwitchLink.exe
1100  Process not Found
1684  TwitchLink.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description   ioc                             Process
File created  C:\Windows\Fonts\is-P7V2F.tmp   TwitchLinkSetup-3.1.3.tmp
File created  C:\Windows\Fonts\is-48TJJ.tmp   TwitchLinkSetup-3.1.3.tmp

Detects Pyinstaller 1 IoCs
resource                                      yara_rule
behavioral1/files/0x000500000001a34e-228.dat  pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1876  TwitchLinkSetup-3.1.3.tmp
1876  TwitchLinkSetup-3.1.3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1876  TwitchLinkSetup-3.1.3.tmp

Suspicious use of WriteProcessMemory 11 IoCs
description                       pid   Process                    procid_target
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1956 wrote to memory of 1876  1956  TwitchLinkSetup-3.1.3.exe  28
PID 1876 wrote to memory of 2752  1876  TwitchLinkSetup-3.1.3.tmp  30
PID 1876 wrote to memory of 2752  1876  TwitchLinkSetup-3.1.3.tmp  30
PID 1876 wrote to memory of 2752  1876  TwitchLinkSetup-3.1.3.tmp  30
PID 1876 wrote to memory of 2752  1876  TwitchLinkSetup-3.1.3.tmp  30
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-O4JBG.tmp\TwitchLinkSetup-3.1.3.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-O4JBG.tmp\TwitchLinkSetup-3.1.3.tmp" /SL5="$4011A,122591767,882176,C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe"
    PID: 1876
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\TwitchLink\TwitchLink.exe
      Command line: "C:\Program Files (x86)\TwitchLink\TwitchLink.exe"
      PID: 2752
      - Executes dropped EXE
      - Loads dropped DLL

C:\Program Files (x86)\TwitchLink\TwitchLink.exe
  Command line: "C:\Program Files (x86)\TwitchLink\TwitchLink.exe"
  PID: 1684
  - Executes dropped EXE
  - Loads dropped DLL

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 592

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads