7bffcfb02a86d4da984c2ba742bc27b4bb62399ed9837b9633cbd116269bc7c5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:36

Target

40a4d62c0a6870c1ed6a2a790c416d2b.exe
Size

89KB
MD5

40a4d62c0a6870c1ed6a2a790c416d2b
SHA1

1d657e60926827b170a41648e0dfccba93b4dd5d
SHA256

7bffcfb02a86d4da984c2ba742bc27b4bb62399ed9837b9633cbd116269bc7c5
SHA512

e7522cfc99f636dd731d667e8a3b7edbe3a6418172cb0164dd07919841380eef9e42dea08209e38206771d5c36e26819e7afb4d13ff6afc467583459e051c58b
SSDEEP

1536:zgaLdNo2yb3wyNFeQsJ1EOCCovlzFgEOHgq9s+4sZH9WuBik0XFPTbMpMOc5eg+x:rLPo22jeQGaOloNzaW6ukQbI50eEZgC

Score

4^/10

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\glok+66e1-35a3.sys	40a4d62c0a6870c1ed6a2a790c416d2b.exe
File created	C:\Windows\glok+serv.config	40a4d62c0a6870c1ed6a2a790c416d2b.exe
File opened for modification	C:\Windows\glok+serv.config	40a4d62c0a6870c1ed6a2a790c416d2b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1720	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	19
PID 1960 wrote to memory of 1720	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	19
PID 1960 wrote to memory of 1720	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	19
PID 1960 wrote to memory of 1720	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	19
PID 1960 wrote to memory of 1752	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	18
PID 1960 wrote to memory of 1752	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	18
PID 1960 wrote to memory of 1752	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	18
PID 1960 wrote to memory of 1752	1960	40a4d62c0a6870c1ed6a2a790c416d2b.exe	18
PID 1720 wrote to memory of 2916	1720	w32tm.exe	15
PID 1720 wrote to memory of 2916	1720	w32tm.exe	15
PID 1720 wrote to memory of 2916	1720	w32tm.exe	15
PID 1720 wrote to memory of 2916	1720	w32tm.exe	15
PID 1752 wrote to memory of 2768	1752	w32tm.exe	14
PID 1752 wrote to memory of 2768	1752	w32tm.exe	14
PID 1752 wrote to memory of 2768	1752	w32tm.exe	14
PID 1752 wrote to memory of 2768	1752	w32tm.exe	14

C:\Windows\system32\w32tm.exe
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
1⤵
PID:2916

C:\Windows\SysWOW64\w32tm.exe
w32tm /config /update
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\w32tm.exe
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\glok+serv.config

Filesize
7KB

MD5
d6d341f15b40bcebf523927ce3e1e3f6

SHA1
eaaee7cda09efdc3a2dd3c2271a7a2c757316728

SHA256
ea1e43cf75745071db95953557013fcc4d84d097f7f183ea78c0d600046366e9

SHA512
04e3125ff58ef75c133b8dccfef06670ba228d82513e19e6934d4f43f03ba00e28e2b27bd66070df2352f9dfafdaee90fc28256cd8dc5af1901cf9fe674ad9bc

Download Submit