0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:55

Target

0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe
Size

3.2MB
MD5

155e16019558e8a41d1382c5498aa900
SHA1

2ea096ebbc9ab8c91f875577a1918c981e756709
SHA256

0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d
SHA512

9acf897531d232ef467175809d72e5e59731b041eee884e03500cfec60797c05466e1eb9d5d56d340152adaaef4a0458d4f36c99f15243892d00958003d364d6
SSDEEP

98304:arV3OZUAi8I8WdPjTgdnw9FpGpZjoDa35QGBpKiH:alOZUAizNwG2DjAI5QGLKiH

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

Thwinst.exe

pid process

2140 Thwinst.exe

pid	process
2140	Thwinst.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4836-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4836-1-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe

description	pid	process	target process
PID 4836 wrote to memory of 2140	4836	0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe	Thwinst.exe
PID 4836 wrote to memory of 2140	4836	0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe	Thwinst.exe
PID 4836 wrote to memory of 2140	4836	0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe	Thwinst.exe

C:\Users\Admin\AppData\Local\Temp\0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe
"C:\Users\Admin\AppData\Local\Temp\0de59200b40bb57d634a7b174625cec26cf17db9087eead5dfcf6e0457c9631d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\7zS32D3.tmp\Thwinst.exe
.\Thwinst.exe /T:C:\Users\Admin\AppData\Local\Temp\7zS32D3.tmp
2⤵
- Executes dropped EXE
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\7zS32D3.tmp\ThwInst.exe

Filesize
37KB

MD5
82d3288b24a7511c29e93d09de1e3988

SHA1
4aa38138b51ff9719b8088f262573a660689a912

SHA256
3701970b5d46b3bc54daaadb0fa36cd96deeb62db9483a6f1f83bb11474b77d5

SHA512
fc740c044dc1c4d3eb247397df5b042dc96a3aa8486b3da14db2c042f95efa5c3bc3eb5aa152869dc6983cf8b6b4b1cc1e973807b92ee916c64dfa6601e06313

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS32D3.tmp\Thwinst.inf

Filesize
524B

MD5
842ef4ef653f71c0d52864d7c9ba1c7b

SHA1
99a8df25cc2261374d738d30d89052ec0090d122

SHA256
89411cd4e49aa85e6622a7077bc0ac670b5a84ae3d55e89c818caf678611206d

SHA512
58233ffe7f5c807a2e7906e05c65cd9eebd1201139307b6874b177eb58979e48478c2418d02f2d159a07102546c46733307275d16ff434e473f67806d078a3cd

Download Submit
memory/4836-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4836-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download