29d8c6156129f2e4441736129eaf9d925928a2bc8e1490fc6b11d40e683fb6da

Sharing

Copy URL

Twitter E-mail

General

Target

29d8c6156129f2e4441736129eaf9d925928a2bc8e1490fc6b11d40e683fb6da
Size

73KB
MD5

aee53d1cb246b066983da876b928d7bd
SHA1

6e44b657cf463816b8d18a27d1ebc957edfa9a89
SHA256

29d8c6156129f2e4441736129eaf9d925928a2bc8e1490fc6b11d40e683fb6da
SHA512

2af84fc0f45acc045115dbbc7d0db480d05c09d155d30193af87e0d055ccb19459150d2946633f8216641043e6ff72ce6970730c5b84ad9c6182e15b3500bd6b
SSDEEP

1536:C68ummYtNwtX7yFZCA1ELoOuz9MeY1A/ZeInkm1sHUG:C68uI2X4ZCMELoOe9TY1uMIkm105

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
29d8c6156129f2e4441736129eaf9d925928a2bc8e1490fc6b11d40e683fb6da

Files

29d8c6156129f2e4441736129eaf9d925928a2bc8e1490fc6b11d40e683fb6da
.exe windows x64

bd306824d059bb3d500d1d4767cfb2f1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeBugCheckEx
PsGetCurrentProcessId
ProbeForWrite
ProbeForRead
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoCreateDevice
IoCreateSymbolicLink
RtlCompareUnicodeString
PsGetVersion
IofCompleteRequest
InitSafeBootMode
PsProcessType
ExRaiseStatus
ExReleaseFastMutex
ExAcquireFastMutex
_wcsnicmp
ZwReadFile
MmGetSystemRoutineAddress
KeInitializeEvent
RtlQueryRegistryValues
RtlEqualUnicodeString
IoFreeMdl
IoVolumeDeviceToDosName
KeDelayExecutionThread
MmMapLockedPagesSpecifyCache
IoGetDeviceObjectPointer
ExAllocatePool
KeQueryTimeIncrement
ZwClose
RtlAppendUnicodeStringToString
MmProbeAndLockPages
MmUnlockPages
MmIsAddressValid
ObfDereferenceObject
ZwOpenFile
ZwQueryInformationFile
ObOpenObjectByPointer
DbgPrint
IoAllocateMdl
KeInitializeMutex
IoFreeWorkItem
KeReleaseMutex
IoAllocateWorkItem
KeWaitForSingleObject
ObfReferenceObject
IoDeleteDevice
PsLookupProcessByProcessId
KeSetEvent
PsSetCreateProcessNotifyRoutine
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
RtlGetVersion
MmMapLockedPages
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoInitializeRemoveLockEx
KeClearEvent
KeReadStateEvent
ZwQuerySystemInformation
RtlFreeUnicodeString
ZwQueryValueKey
RtlHashUnicodeString
RtlCompareMemory
KeWaitForMultipleObjects
ZwOpenKey
ExAcquireResourceExclusiveLite
RtlVolumeDeviceToDosName
KeLeaveCriticalRegion
KeEnterCriticalRegion
ZwSetInformationFile
ObQueryNameString
ZwCreateFile
ExAcquireResourceSharedLite
ExReleaseResourceLite
RtlPrefixUnicodeString
RtlRandom
ZwQueryInformationProcess
ZwWriteFile
_vsnprintf
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
_vsnwprintf
ExDeleteResourceLite
ExInitializeResourceLite
RtlAnsiStringToUnicodeString
ZwEnumerateKey
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
IoCancelIrp
ExQueryDepthSList
KeInitializeSemaphore
IoFreeIrp
KeReleaseSemaphore
KeReadStateSemaphore
IoAllocateIrp
ExDeleteNPagedLookasideList
RtlInitUnicodeString
ExFreePoolWithTag
IoDeleteSymbolicLink
IoQueueWorkItem
ExAllocatePoolWithTag
__C_specific_handler

fwpkclnt.sys

FwpsCalloutRegister0
FwpsCalloutUnregisterById0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmFilterAdd0
FwpmEngineOpen0
FwpmTransactionAbort0
FwpmBfeStateGet0
FwpmBfeStateSubscribeChanges0
FwpmCalloutAdd0
FwpmTransactionCommit0
FwpmCalloutDeleteById0

fltmgr.sys

FltRegisterFilter
FltCreateCommunicationPort
FltFreeSecurityDescriptor
FltUnregisterFilter
FltCloseCommunicationPort
FltStartFiltering
FltCloseClientPort
FltBuildDefaultSecurityDescriptor

netio.sys

WskRegister
WskCaptureProviderNPI
WskDeregister
WskReleaseProviderNPI

Sections

.text
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 282B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bd306824d059bb3d500d1d4767cfb2f1

Headers

File Characteristics

Imports

ntoskrnl.exe

fwpkclnt.sys

fltmgr.sys

netio.sys

Sections

.text Size: 57KB - Virtual size: 57KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 864B

.reloc Size: 512B - Virtual size: 282B

.text
Size: 57KB - Virtual size: 57KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 864B

.reloc
Size: 512B - Virtual size: 282B