TsQBDrv[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

TsQBDrv.sys
Size

239KB
MD5

5471c41e98ead2eca3a17b8ced344aac
SHA1

640557c2810a7ee170b4cdb0991e867512a166d4
SHA256

2203a9066885427b8f1fdeadb9667fb119c4fce257832b1c7d2482693342d89c
SHA512

a6d13672225db5acd45b17fcd9dda32b4cfc0894ef4af4c9aab06c021f5fdb40cb5c1e26a55d024d28b0134ce3bdfabb0b49f2a95eaac499f2535f12b5ef0b6c
SSDEEP

3072:10adnAn89JgcA+84i6FdB1hi2uIuzbn6Cm5/f9YceB3+6QQ+tlX2vmMA1O1GeXSu:bdAnUCIHfB1o2FQ6/f90Bu6QL0AO3

Score

N/A

Malware Config

Signatures

Files

TsQBDrv.sys
.exe windows x86

65aae959c8b066519ee24856a75a943e

Code Sign

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:41

Not After

15/04/2021, 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:ea:62:e4:43:cb:22:50:c8:70:ff:6b:b1:3b:a9:8e
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

14/01/2020, 00:00

Not After

20/01/2021, 12:00

Subject

CN=Tencent Technology(Shenzhen) Company Limited,O=Tencent Technology(Shenzhen) Company Limited,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

Issuer

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2014, 00:00

Not After

22/10/2024, 00:00

Subject

CN=DigiCert Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2021, 00:00

Subject

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:3b:cd:6b:d8:3b:c6:71:b8:fe:00:00:00:00:00:3b
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11/03/2020, 17:31

Not After

05/03/2021, 17:31

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

92:bd:d2:32:ce:de:b1:6c:74:e9:6d:ee:a4:61:66:d0:c8:48:9b:02:cd:55:28:9d:69:8b:eb:fa:a0:5b:1c:78
Signer

Actual PE Digest

92:bd:d2:32:ce:de:b1:6c:74:e9:6d:ee:a4:61:66:d0:c8:48:9b:02:cd:55:28:9d:69:8b:eb:fa:a0:5b:1c:78

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

15/09/2022, 14:52
Valid: false

b0:41:c8:bf:02:ae:93:ea:a1:66:77:7f:e2:1f:65:30:94:1c:4c:95
Signer

Actual PE Digest

b0:41:c8:bf:02:ae:93:ea:a1:66:77:7f:e2:1f:65:30:94:1c:4c:95

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Tencent Technology(Shenzhen) Company Limited,O=Tencent Technology(Shenzhen) Company Limited,L=Shenzhen,ST=Guangdong,C=CN

06/08/2020, 02:47
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

IoFreeMdl
MmUnmapLockedPages
ZwClose
ObfDereferenceObject
KeWaitForSingleObject
ObReferenceObjectByHandle
KeSetEvent
RtlCreateUnicodeString
ZwQueryValueKey
ZwOpenKey
_wcsupr
ProbeForRead
RtlUnicodeStringToInteger
_wcsnicmp
RtlUnicodeStringToAnsiString
RtlUpperString
ZwDeleteFile
PsLookupProcessByProcessId
PsLookupThreadByThreadId
MmUserProbeAddress
RtlEqualUnicodeString
PsGetProcessPeb
KeUnstackDetachProcess
ZwFreeVirtualMemory
KeInsertQueueApc
KeInitializeApc
ZwAllocateVirtualMemory
KeGetCurrentThread
KeStackAttachProcess
IoGetCurrentProcess
PsTerminateSystemThread
PsCreateSystemThread
IoDriverObjectType
ExGetPreviousMode
NtClose
ObOpenObjectByName
DbgPrint
KeTickCount
KeBugCheckEx
ExFreePool
memset
memcpy
RtlInitUnicodeString
MmGetSystemRoutineAddress
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlGetVersion
InitSafeBootMode
ExAllocatePoolWithTag
KeInitializeEvent
CmRegisterCallback
MmIsAddressValid
ZwReadFile
ZwQueryInformationFile
IoCreateFile
PsGetCurrentProcessId
RtlCompareMemory
RtlCopyUnicodeString
ObQueryNameString
PsGetCurrentThreadId
ExFreePoolWithTag
ZwCreateFile
ZwWriteFile
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlUpcaseUnicodeChar
ZwMapViewOfSection
ZwCreateSection
ZwUnmapViewOfSection
RtlFreeAnsiString
FsRtlIsNameInExpression
FsRtlIsDbcsInExpression
PsInitialSystemProcess
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
KeServiceDescriptorTable
IoGetBaseFileSystemDeviceObject
IoFileObjectType
ObReferenceObjectByName
RtlPrefixUnicodeString
PsProcessType
ObOpenObjectByPointer
RtlUnicodeToMultiByteN
KeQueryTimeIncrement
KeRemoveQueueDpc
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeInitializeDpc
KeNumberProcessors
MmPrefetchPages
RtlWriteRegistryValue
RtlQueryRegistryValues
ProbeForWrite
RtlUpcaseUnicodeString
PsDereferencePrimaryToken
SeTokenIsAdmin
PsReferencePrimaryToken
ObfReferenceObject
RtlCompareUnicodeString
MmUnlockPages
FsRtlGetFileSize
ZwFlushKey
ZwQueryKey
RtlImageNtHeader
KeDelayExecutionThread
ExSystemTimeToLocalTime
KeQuerySystemTime
IoCreateSymbolicLink
IoDeleteDevice
IoRegisterLastChanceShutdownNotification
IoCreateDevice
IoDeleteSymbolicLink
MmBuildMdlForNonPagedPool
ZwSetEvent
ZwOpenEvent
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
MmHighestUserAddress
IoDetachDevice
IofCallDriver
RtlUnwind
RtlAnsiCharToUnicodeChar
CmUnRegisterCallback
ZwOpenFile
IofCompleteRequest

hal

KfLowerIrql
KeRaiseIrqlToDpcLevel
KfRaiseIrql
ExReleaseFastMutex
ExAcquireFastMutex
ExTryToAcquireFastMutex
KeGetCurrentIrql

fltmgr.sys

FltUnregisterFilter
FltStartFiltering
FltRegisterFilter
FltQueryInformationFile
FltSetInformationFile
FltCreateFile
FltClose

Sections

.text
Size: 135KB - Virtual size: 135KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 896B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

65aae959c8b066519ee24856a75a943e

Code Sign

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

01:ea:62:e4:43:cb:22:50:c8:70:ff:6b:b1:3b:a9:8eCertificate

Extended Key Usages

Key Usages

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66Certificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1bCertificate

Extended Key Usages

Key Usages

33:00:00:00:3b:cd:6b:d8:3b:c6:71:b8:fe:00:00:00:00:00:3bCertificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

92:bd:d2:32:ce:de:b1:6c:74:e9:6d:ee:a4:61:66:d0:c8:48:9b:02:cd:55:28:9d:69:8b:eb:fa:a0:5b:1c:78Signer

Signature Validations

Verification

15/09/2022, 14:52 Valid: false

b0:41:c8:bf:02:ae:93:ea:a1:66:77:7f:e2:1f:65:30:94:1c:4c:95Signer

Signature Validations

Verification

06/08/2020, 02:47 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 135KB - Virtual size: 135KB

.rdata Size: 15KB - Virtual size: 14KB

.data Size: 45KB - Virtual size: 45KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 896B - Virtual size: 896B

.reloc Size: 8KB - Virtual size: 7KB

61:1c:b2:8a:00:00:00:00:00:26
Certificate

01:ea:62:e4:43:cb:22:50:c8:70:ff:6b:b1:3b:a9:8e
Certificate

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

33:00:00:00:3b:cd:6b:d8:3b:c6:71:b8:fe:00:00:00:00:00:3b
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

92:bd:d2:32:ce:de:b1:6c:74:e9:6d:ee:a4:61:66:d0:c8:48:9b:02:cd:55:28:9d:69:8b:eb:fa:a0:5b:1c:78
Signer

15/09/2022, 14:52
Valid: false

b0:41:c8:bf:02:ae:93:ea:a1:66:77:7f:e2:1f:65:30:94:1c:4c:95
Signer

06/08/2020, 02:47
Valid: false

.text
Size: 135KB - Virtual size: 135KB

.rdata
Size: 15KB - Virtual size: 14KB

.data
Size: 45KB - Virtual size: 45KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 896B - Virtual size: 896B

.reloc
Size: 8KB - Virtual size: 7KB