Analysis

  • max time kernel: 33s
  • max time network: 36s
  • platform: windows7_x64
  • resource: win7-20240221-es
  • resource tags: arch:x64, arch:x86, image:win7-20240221-es, locale:es-es, os:windows7-x64, system:windows
  • submitted: 03/04/2024, 10:56

Errors

Reason: Machine shutdown

General

  • Target: TwitchLinkSetup-3.1.3.exe
  • Size: 117.8MB
  • MD5: 093b1a9026a8172817cf9a3dac2db344
  • SHA1: 1d208075d40bae87b747cd8ce43fbb3882c63f31
  • SHA256: 1c331de58c43be0aca0f6a6d5d92c86c09f5709876ab2b0cb8503f83b14ac5b9
  • SHA512: 52add0144f334bd618f9cd45f86c308ea6a7799e491da04e0a8ca598903ea4f046f39825c90b79507bd470d94a41dcf6a0bb6128f0b92156ebff6d114a59f99f
  • SSDEEP: 3145728:b+TQHR3aIl4cmZrewUgIedp4xWTluuKy5Hbbmb1wA:b+kHR3aO4XYed1luuK4GJ3

Signatures

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Checks installed software on the system (1 TTPs): looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Detects Pyinstaller (1 IoCs)
  • Enumerates physical storage devices (1 TTPs): attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe
    "C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\is-O4JBG.tmp\TwitchLinkSetup-3.1.3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O4JBG.tmp\TwitchLinkSetup-3.1.3.tmp" /SL5="$4011A,122591767,882176,C:\Users\Admin\AppData\Local\Temp\TwitchLinkSetup-3.1.3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Program Files (x86)\TwitchLink\TwitchLink.exe
        "C:\Program Files (x86)\TwitchLink\TwitchLink.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2752
  • C:\Program Files (x86)\TwitchLink\TwitchLink.exe
    "C:\Program Files (x86)\TwitchLink\TwitchLink.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1684
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:592
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2904
