1a01f7fa75da59d8285b375654359fa2c323b9853e126da417d0bc730cc2a69d

Sharing

Copy URL

Twitter E-mail

General

Target

1a01f7fa75da59d8285b375654359fa2c323b9853e126da417d0bc730cc2a69d
Size

551KB
MD5

737b5c2c4a8fead5fb358153776259d2
SHA1

a84b6f16daa765c166e1850a6845397cdf5c7728
SHA256

1a01f7fa75da59d8285b375654359fa2c323b9853e126da417d0bc730cc2a69d
SHA512

d4b4775c16c753c68d77bd9429130800e8cc6985bea380eb94ae9c951b958a009cf992ac7bad172185619ce9fb20647d1127d11a47f40b92b93c4a53dc9c9cea
SSDEEP

12288:sSTqWc9u2gPFH3yQpntwuQc/4Au5q4ihK8S8hfGM:s2YuRPFBwzy7us4j2fGM

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Files

1a01f7fa75da59d8285b375654359fa2c323b9853e126da417d0bc730cc2a69d
.exe windows x64

75dbb12399a127b7f6b4889778008dfe

Code Sign

51:68:1b:3c:9e:66:5d:d0:b2:9e:25:71:46:d5:39:dc
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

06-07-2015 00:00

Not After

05-07-2016 23:59

Subject

CN=佛山市高明科得裕绝缘材料有限公司,O=佛山市高明科得裕绝缘材料有限公司,L=佛山市,ST=广东省,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:25

Not After

22-02-2021 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

22:77:22:1b:eb:0b:dc:b3:2a:27:6d:eb:32:3f:8b:7f:cf:68:d8:6b
Signer

Actual PE Digest

22:77:22:1b:eb:0b:dc:b3:2a:27:6d:eb:32:3f:8b:7f:cf:68:d8:6b

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeReleaseSpinLockFromDpcLevel
ExFreePoolWithTag
IoFreeMdl
IofCompleteRequest
IofCallDriver
MmBuildMdlForNonPagedPool
IoAllocateMdl
ExAllocatePoolWithTag
IoBuildDeviceIoControlRequest
ExQueueWorkItem
ObfDereferenceObject
ObReferenceObjectByHandle
MmIsAddressValid
RtlCompareUnicodeString
RtlInitUnicodeString
NtBuildNumber
MmGetSystemRoutineAddress
ZwSetSecurityObject
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlLengthSid
SeExports
ZwClose
wcsrchr
ZwSetValueKey
ZwDeleteValueKey
ZwCreateKey
ExAllocatePool
ZwQueryValueKey
ZwOpenKey
wcsncpy
_wcsnicmp
ZwReadFile
ZwQueryInformationFile
ZwCreateFile
ZwWriteFile
ObQueryNameString
IoFileObjectType
ZwOpenFile
PsGetCurrentProcessId
ZwDuplicateObject
ZwOpenProcess
ObReferenceObjectByPointer
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
PsTerminateSystemThread
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
IoGetRelatedDeviceObject
ZwDeleteKey
ZwEnumerateKey
ZwQueryKey
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
strrchr
RtlInitAnsiString
PsGetCurrentThreadPreviousMode
__C_specific_handler
ProbeForWrite
KeUnstackDetachProcess
ProbeForRead
KeStackAttachProcess
PsProcessType
RtlCopyUnicodeString
IoFreeIrp
KeSetEvent
KeWaitForSingleObject
SeCreateAccessState
IoGetFileObjectGenericMapping
KeInitializeEvent
IoAllocateIrp
KeAcquireSpinLockAtDpcLevel
IoCreateFile
KeCancelTimer
KeWaitForMultipleObjects
KeSetTimerEx
KeInitializeTimerEx
KeSetPriorityThread
IoDeleteSymbolicLink
PsSetLoadImageNotifyRoutine
IoUnregisterShutdownNotification
IoRegisterShutdownNotification
IoCreateSymbolicLink
IoCreateDevice
IoDeleteDevice
IoFreeWorkItem
PsCreateSystemThread
IoStopTimer
CmUnRegisterCallback
IoQueueWorkItem
IoAllocateWorkItem
IoRegisterBootDriverReinitialization
IoCreateDriver
ExpInterlockedPushEntrySList
ExQueryDepthSList
ZwLoadDriver
strstr
_snprintf
ExInterlockedRemoveHeadList
rand
MmUnmapLockedPages
MmMapLockedPages
_strnicmp
ZwQuerySystemInformation
strncpy
RtlUnicodeStringToInteger
ExpInterlockedPopEntrySList
ZwQueryInformationProcess
ObOpenObjectByPointer
KeDelayExecutionThread
ExInterlockedInsertHeadList
ZwQueryDirectoryFile
ExInterlockedInsertTailList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
PsGetCurrentThreadId
IoStartTimer
IoInitializeTimer
CmRegisterCallback
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByName
IoDriverObjectType
ZwQueryDirectoryObject
ZwOpenDirectoryObject
MmUnlockPages
MmProbeAndLockPages
IoCancelIrp
IoAttachDevice
IoDetachDevice
IoSetCompletionRoutineEx
KeQueryTimeIncrement
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlEqualUnicodeString
strchr
strncmp
MmSectionObjectType
srand
ZwQueryVirtualMemory
KeAcquireSpinLockRaiseToDpc
MmMapLockedPagesSpecifyCache
_strlwr
IoGetCurrentProcess
PsGetProcessImageFileName
ObCreateObject
KeReleaseSpinLock

tdi.sys

TdiMapUserRequest

Sections

.text
Size: 106KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX0
Size: 405KB - Virtual size: 404KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 408B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

75dbb12399a127b7f6b4889778008dfe

Code Sign

51:68:1b:3c:9e:66:5d:d0:b2:9e:25:71:46:d5:39:dcCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

22:77:22:1b:eb:0b:dc:b3:2a:27:6d:eb:32:3f:8b:7f:cf:68:d8:6bSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

tdi.sys

Sections

.text Size: 106KB - Virtual size: 105KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 2KB - Virtual size: 4KB

.pdata Size: 7KB - Virtual size: 6KB

INIT Size: 5KB - Virtual size: 5KB

UPX0 Size: 405KB - Virtual size: 404KB

.reloc Size: 512B - Virtual size: 184B

.rsrc Size: 512B - Virtual size: 408B

51:68:1b:3c:9e:66:5d:d0:b2:9e:25:71:46:d5:39:dc
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

22:77:22:1b:eb:0b:dc:b3:2a:27:6d:eb:32:3f:8b:7f:cf:68:d8:6b
Signer

.text
Size: 106KB - Virtual size: 105KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 2KB - Virtual size: 4KB

.pdata
Size: 7KB - Virtual size: 6KB

INIT
Size: 5KB - Virtual size: 5KB

UPX0
Size: 405KB - Virtual size: 404KB

.reloc
Size: 512B - Virtual size: 184B

.rsrc
Size: 512B - Virtual size: 408B