21c725178ed28236a39d9a1bdfce7ac7b318d8316f40001f6193cc6434e9522d

Sharing

Copy URL Twitter E-mail

General

Target

21c725178ed28236a39d9a1bdfce7ac7b318d8316f40001f6193cc6434e9522d
Size

5.0MB
MD5

27afcaf4ca38d54f196bed1ba2c762cc
SHA1

d0849dbf33645bb432191d237408c945af1fe70d
SHA256

21c725178ed28236a39d9a1bdfce7ac7b318d8316f40001f6193cc6434e9522d
SHA512

a0d83515a8c33656675911ea4b85053aa6c053a2ba08bf1f21f667b4d85329bc54e398dbd75e5be5507da929f7941f3953b1e9717586d414cff36ab12015e56c
SSDEEP

49152:sq166HZ04Glp1z6gMXCLZPc0y4AzlaCok4+afwVm+vUvqSNU88u4ZIS6mbmSmcd5:zm6CLZS4Azlj5N/eqh8eZL6vcdn5

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
21c725178ed28236a39d9a1bdfce7ac7b318d8316f40001f6193cc6434e9522d

Files

21c725178ed28236a39d9a1bdfce7ac7b318d8316f40001f6193cc6434e9522d
.sys windows:10 windows x64

15c16708bbd5a2aa03e37e41633f1c9a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltGetFileNameInformation
FltReleaseFileNameInformation
FltGetVolumeName
FltGetDestinationFileNameInformation
FltReadFile
FltCreateCommunicationPort
FltCloseCommunicationPort
FltCloseClientPort
FltSendMessage
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor
FltAllocateGenericWorkItem
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltGetRequestorProcessId

ntoskrnl.exe

ExAllocatePool
ExFreePool
ExFreePoolWithTag
ZwUnloadDriver
KeBugCheckEx
ExAllocatePoolWithTag
KdDebuggerNotPresent
KeBugCheck
RtlInitUnicodeString
DbgPrintEx
RtlTimeToTimeFields
KeDelayExecutionThread
KeEnterCriticalRegion
KeLeaveCriticalRegion
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
ExInitializeResourceLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
ExSystemTimeToLocalTime
MmGetSystemRoutineAddress
PsCreateSystemThread
PsTerminateSystemThread
IoGetCurrentProcess
ZwCreateFile
ZwWriteFile
ZwClose
PsGetCurrentThreadId
PsGetProcessId
IoRegisterBootDriverReinitialization
ZwWaitForSingleObject
PsGetProcessImageFileName
RtlFindClearBitsAndSet
RtlClearBits
ExUnregisterCallback
ObfDereferenceObject
RtlCopyUnicodeString
RtlCompareMemory
KeInsertQueueDpc
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
KeAreApcsDisabled
ExAcquireRundownProtection
ExReleaseRundownProtection
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmAllocateContiguousMemory
MmFreeContiguousMemory
IoFreeMdl
MmGetPhysicalMemoryRanges
MmGetPhysicalAddress
MmGetVirtualForPhysical
__C_specific_handler
KeNumberProcessors
MmSystemRangeStart
RtlInitializeBitMap
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExQueueWorkItem
MmAllocateMappingAddress
MmFreeMappingAddress
PsInitialSystemProcess
MmIsAddressValid
RtlCaptureContext
RtlLookupFunctionEntry
RtlImageNtHeader
KeCapturePersistentThreadState
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlGetVersion
RtlPrefixUnicodeString
ObQueryNameString
ProbeForRead
MmLockPagableDataSection
MmUnlockPagableImageSection
MmUserProbeAddress
ExAcquireFastMutex
ExReleaseFastMutex
ExAcquireRundownProtectionEx
ExReleaseRundownProtectionEx
RtlCompareUnicodeString
ObfReferenceObject
RtlInitAnsiString
ProbeForWrite
ExGetPreviousMode
ZwOpenFile
ZwQueryInformationFile
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
RtlCopyString
PsGetProcessCreateTimeQuadPart
PsGetProcessExitStatus
PsGetThreadProcessId
ZwOpenProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsIsThreadTerminating
PsLookupProcessByProcessId
PsLookupThreadByThreadId
PsIsSystemThread
IoQueryFileInformation
ObOpenObjectByPointer
FsRtlGetFileSize
FsRtlCreateSectionForDataScan
PsGetProcessSectionBaseAddress
PsGetProcessPeb
PsGetProcessInheritedFromUniqueProcessId
PsGetProcessDebugPort
PsGetProcessWow64Process
ZwQueryInformationProcess
ZwQuerySystemInformation
ZwQueryInformationThread
MmHighestUserAddress
KeWaitForMultipleObjects
IoGetStackLimits
ObReferenceObjectByHandle
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
PsGetCurrentProcessId
IoVolumeDeviceToDosName
IoQueryFileDosDeviceName
ZwWaitForMultipleObjects
IoFileObjectType
ZwAllocateVirtualMemory
KeClearEvent
MmAllocatePagesForMdl
MmFreePagesFromMdl
PsThreadType
ExInitializeRundownProtection
ExRundownCompleted
ExWaitForRundownProtectionRelease
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetThreadId
ZwOpenThread
PsProcessType
RtlSetBit
RtlClearAllBits
RtlFindSetBits
RtlFindNextForwardRunClear
ExAcquireSpinLockShared
ExReleaseSpinLockShared
IoGetInitialStack
KeInitializeApc
KeInsertQueueApc
ExAcquireResourceSharedLite
RtlAnsiStringToUnicodeString
ExAllocatePoolWithQuotaTag
ExRaiseStatus
MmProbeAndLockPages
MmUnlockPages
MmSizeOfMdl
RtlEnumerateGenericTableAvl
RtlWalkFrameChain
MmAllocateNonCachedMemory
MmFreeNonCachedMemory
ZwOpenDirectoryObject
ExfAcquirePushLockShared
ExfReleasePushLock
ObReferenceObjectByName
ExEnumHandleTable
RtlVirtualUnwind
IoDriverObjectType
IoDeviceObjectType
_purecall
RtlUpcaseUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
strncpy
qsort
DbgPrint

hal

KeQueryPerformanceCounter

Sections

.text
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 200KB - Virtual size: 200KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xb0
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xb1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.xb2
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 848B - Virtual size: 848B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.l1
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

15c16708bbd5a2aa03e37e41633f1c9a

Headers

DLL Characteristics

File Characteristics

Imports

fltmgr.sys

ntoskrnl.exe

hal

Sections

.text Size: 272KB - Virtual size: 272KB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 200KB - Virtual size: 200KB

.pdata Size: 16KB - Virtual size: 16KB

.gfids Size: 4KB - Virtual size: 4KB

PAGE Size: 12KB - Virtual size: 12KB

INIT Size: 48KB - Virtual size: 48KB

.xb0 Size: 1.7MB - Virtual size: 1.7MB

.xb1 Size: 4KB - Virtual size: 4KB

.xb2 Size: 1.5MB - Virtual size: 1.5MB

.reloc Size: 8KB - Virtual size: 8KB

.rsrc Size: 848B - Virtual size: 848B

.l1 Size: 11KB - Virtual size: 11KB

.text
Size: 272KB - Virtual size: 272KB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 200KB - Virtual size: 200KB

.pdata
Size: 16KB - Virtual size: 16KB

.gfids
Size: 4KB - Virtual size: 4KB

PAGE
Size: 12KB - Virtual size: 12KB

INIT
Size: 48KB - Virtual size: 48KB

.xb0
Size: 1.7MB - Virtual size: 1.7MB

.xb1
Size: 4KB - Virtual size: 4KB

.xb2
Size: 1.5MB - Virtual size: 1.5MB

.reloc
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 848B - Virtual size: 848B

.l1
Size: 11KB - Virtual size: 11KB