97a3065a63a37ee52da22a06747fc97f80ed83ae7cc6b562dd86c01e10367897

Sharing

Copy URL Twitter E-mail

General

Target

97a3065a63a37ee52da22a06747fc97f80ed83ae7cc6b562dd86c01e10367897
Size

379KB
MD5

a0eefa867f0049f0b46320b15f248b1f
SHA1

d95cfba03ecee9d6be81b2534ee326259dbb4b89
SHA256

97a3065a63a37ee52da22a06747fc97f80ed83ae7cc6b562dd86c01e10367897
SHA512

90749ce62b96cfe9b260bf64902149d26d5f709566c861ddeb28f15790b34d1cb7ac99ede26a43e320eea4cc8f53234118459da90f61127a0423fad18a6e9688
SSDEEP

6144:xl0m0by6N2mbEvfJLaFvft7sBGnXjxAXmxCx2LYW2Tz0tfT+zSyrBwsQXF4Mbshp:C3K0RQTzXA1KlwD3MjfK/y

Score

N/A

Malware Config

Signatures

Files

97a3065a63a37ee52da22a06747fc97f80ed83ae7cc6b562dd86c01e10367897
.exe windows x86

7dda45a51b958a5dc7799e1d3bc2ca16

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ExReleaseResourceLite
ExAllocatePoolWithTag
memcpy
ZwClose
ZwDuplicateObject
ExFreePoolWithTag
RtlEqualUnicodeString
IoFileObjectType
SeQueryInformationToken
SeReleaseSubjectContext
SeCaptureSubjectContext
KeReleaseGuardedMutex
KeAcquireGuardedMutex
IoWMIWriteEvent
MmGetSystemRoutineAddress
RtlInitUnicodeString
RtlCompareMemory
IoWMIRegistrationControl
IofCompleteRequest
IofCallDriver
KeLeaveCriticalRegion
KeEnterCriticalRegion
RtlSetDaclSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
RtlLengthSid
SeAccessCheck
DbgPrint
ExDeleteResourceLite
KeBugCheckEx
ExDeleteNPagedLookasideList
ExDeletePagedLookasideList
IoRegisterShutdownNotification
KeInitializeGuardedMutex
ExInitializeNPagedLookasideList
ExInitializePagedLookasideList
ExFreePool
SeExports
ExInitializeResourceLite
InterlockedPopEntrySList
InterlockedPushEntrySList
KeWaitForSingleObject
KeQuerySystemTime
SeTokenIsAdmin
RtlAppendUnicodeStringToString
ExIsResourceAcquiredExclusiveLite
ExAcquireResourceExclusiveLite
RtlCompareUnicodeString
IoGetTopLevelIrp
KeSetEvent
RtlCopyUnicodeString
KeReadStateEvent
IoCancelIrp
IoFreeMdl
KeAreAllApcsDisabled
MmBuildMdlForNonPagedPool
IoAllocateMdl
MmMapLockedPagesSpecifyCache
ExIsResourceAcquiredSharedLite
FsRtlDoesNameContainWildCards
RtlUpcaseUnicodeChar
IoFreeIrp
IoReleaseCancelSpinLock
IoAcquireCancelSpinLock
IoAllocateIrp
FsRtlNotifyInitializeSync
FsRtlNotifyUninitializeSync
FsRtlNotifyFilterChangeDirectory
FsRtlNotifyFullReportChange
FsRtlNotifyCleanup
FsRtlNotifyCleanupAll
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
memmove
ZwQueryValueKey
RtlUnicodeStringToInteger
ZwSetValueKey
ZwDeleteValueKey
ZwCreateKey
RtlIntegerToUnicodeString
ZwQueryLicenseValue
RtlPrefixUnicodeString
ZwDeleteKey
ExInitializeRundownProtection
ExAcquireRundownProtection
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
KeResetEvent
ExReleaseRundownProtection
FsRtlFreeExtraCreateParameter
FsRtlRemoveExtraCreateParameter
FsRtlInsertExtraCreateParameter
FsRtlAllocateExtraCreateParameter
FsRtlFreeExtraCreateParameterList
IoSetIrpExtraCreateParameter
FsRtlAllocateExtraCreateParameterList
IoGetIrpExtraCreateParameter
FsRtlFindExtraCreateParameter
RtlFreeUnicodeString
RtlEqualSid
RtlDuplicateUnicodeString
_aulldiv
KeTickCount
RtlUnwind
KeInitializeEvent
FsRtlCancellableWaitForSingleObject
DbgPrintEx
ExEventObjectType
ObReferenceObjectByHandle
KeInitializeQueue
KeRundownQueue
KeRemoveQueue
MmSystemRangeStart
KeInsertQueue
ZwAllocateVirtualMemory
KeGetCurrentThread
MmUnmapLockedPages
ZwFreeVirtualMemory
RtlAnsiCharToUnicodeChar
RtlValidRelativeSecurityDescriptor
RtlValidSid
ExGetPreviousMode
IoGetRequestorProcess
IoGetRequestorProcessId
MmUserProbeAddress
ProbeForRead
ProbeForWrite
CcPinRead
CcSetDirtyPinnedData
CcUnpinData
RtlTestBit
RtlInitializeBitMap
RtlSetBit
RtlStringFromGUID
ExUuidCreate
KeDelayExecutionThread
ZwQueryVolumeInformationFile
KeBugCheck
ZwFlushBuffersFile
IoCreateFile
ZwSetInformationFile
ZwQueryInformationFile
ZwQueryDirectoryFile
ZwSetEaFile
ZwQueryEaFile
IoRetrievePriorityInfo
IoSetIoPriorityHint
IoSetCompletionRoutineEx
MmProbeAndLockPages
MmUnlockPages
SeCreateClientSecurity
PsDereferencePrimaryToken
PsDereferenceImpersonationToken
SeImpersonateClientEx
PsRevertToSelf
ZwCreateFile
KeSetKernelStackSwapEnable
KeExpandKernelStackAndCalloutEx
IoGetCurrentProcess
IoSetTopLevelIrp
IoGetStackLimits
IoGetRelatedDeviceObject
RtlAbsoluteToSelfRelativeSD
RtlLengthRequiredSid
RtlInitializeSid
RtlSubAuthoritySid
SeTokenType
SePrivilegeCheck
ZwWaitForSingleObject
PsCreateSystemThread
KeWaitForMultipleObjects
RtlEqualString
RtlAssert
RtlValidateUnicodeString
ObfDereferenceObject
memset
ExAcquireResourceSharedLite
ExReleaseFastMutexUnsafe
KeAreApcsDisabled
ExAcquireFastMutexUnsafe
ZwOpenKey

hal

KfAcquireSpinLock
ExReleaseFastMutex
KeGetCurrentIrql
KfReleaseSpinLock
ExAcquireFastMutex

rdbss.sys

RxUnOrphanCredential
RxOrphanCredential
RxIsCompatibleSecurityContext
RxReferenceCredential
RxRecreateVNetRoot
RxFinalizeConnection
RxCompleteRequestEx
RxDowngradeFcbToSharedInMRx
RxRemoveDollarDataSuffix
RxLastComponentUnicodeString
RxLowIoCompletion
RxLowIoGetBufferAddress
RxFindRegisteredMiniRedir
RxQueryDeepestLViewInPath
RxGetShareRights
RxFindEa
RxIsUserCredentialPresent
RxIsCredentialOrphaned
RxDereferenceCredential
RxPrefixTableLookupName
RxSidFromRxContext
RxSetFcbDispatchTable
RxSetBasicInfoInFcb
RxCloseAndFreeMRxStateOnFcb
RxFlushFcbInSystemCache
RxUpdateOplockStateOnCreate
RxDeregisterSrvOpenWithBufferingManager
RxNotifyBufferingManagerOfPendingOpen
RxNotifyBufferingManagerOfCompletedOpen
RxIsFcbPagingInMRxAcquiredShared
RxIsFcbPagingInMRxAcquiredExclusive
RxQueryNetRootCachingMode
RxUpdateNetRootCachingMode
RxSubjectContextFromRxContext
RxFinishFcbInitialization
RxCreateNetFobx
RxLockEnumerator
RxInitializeLowIoContext
RxOrphanFobx
RxIterateOnFcbOpens
RxRegisterMinirdr
RxGetRDBSSProcess
RxRegisterLogicalMinirdr
RxUnregisterMinirdr
RxFsdDispatch
RxPostToWorkerThread
RxDoesRedirSupportLogicalViews
RxPrefixTableInitEnumContext
RxLViewEnumerate
RxFindFirstPhysicalRdrVNetRootFromNetRoot
RxIterateOnVNetRoots
RxCreateRxContext
RxDereferenceAndDeleteRxContext_Real
RxClearLogicalRdrVNetRootCredential
RxInitNetInfoFromFcb
RxAcquirePowerContextLock
RxUpdateFcbPowerState
RxReleasePowerContextLock
RxAcquireExclusiveFcbPagingInMRx
RxPurgeFcbInSystemCache
RxReleaseFcbPagingInMRx
RxClearMinirdrCancelRoutine
RxSetMinirdrCancelRoutine
RxReference
RxpTrackReference
RxAcquireLogicalViewRundownInMRx
RxDereference
RxpTrackDereference
RxFcbTableNameFromFcb
RxCloseAndFreeMRxStateOnLogicalView
RxIterateOnLViewFcbsInMRx
RxDoesOplockStateChangeOnSrvOpenClose
RxAcquireExclusiveFcbResourceInMRx
RxAcquireSharedFcbResourceInMRx
RxReleaseFcbResourceInMRx
RxReleaseLViewRundownInMRx

mup.sys

MupSurrogateGetUncProviderDeviceObject
MupSurrogateSetUndecoratedFileName
MupSurrogateDeregisterProvider
MupSurrogateGetFileName
MupSurrogateRestartIo
MupSurrogateRegisterProvider

Sections

.text
Size: 118KB - Virtual size: 118KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

page
Size: 1024B - Virtual size: 628B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 217KB - Virtual size: 216KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7dda45a51b958a5dc7799e1d3bc2ca16

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

rdbss.sys

mup.sys

Sections

.text Size: 118KB - Virtual size: 118KB

page Size: 1024B - Virtual size: 628B

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 4KB - Virtual size: 5KB

PAGE Size: 217KB - Virtual size: 216KB

INIT Size: 12KB - Virtual size: 11KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 15KB - Virtual size: 14KB

.text
Size: 118KB - Virtual size: 118KB

page
Size: 1024B - Virtual size: 628B

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 4KB - Virtual size: 5KB

PAGE
Size: 217KB - Virtual size: 216KB

INIT
Size: 12KB - Virtual size: 11KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 15KB - Virtual size: 14KB