216d2684b2a8d3db73d9d4c099aae9af74d811b95ba79acd1928f5b6683d4b23

Sharing

Copy URL

Twitter E-mail

General

Target

216d2684b2a8d3db73d9d4c099aae9af74d811b95ba79acd1928f5b6683d4b23
Size

259KB
MD5

3465d7f62f3119aa0234f22e84e926f0
SHA1

b8757fa7bef587d63e9a26b480d5f1025fefe8af
SHA256

216d2684b2a8d3db73d9d4c099aae9af74d811b95ba79acd1928f5b6683d4b23
SHA512

e1106c0fe0832743410069f3f48166d52d5e420605e839789b9c90cddf5da4694970d9bd9ef963d753205b08bee6907ab33add0c62dc993bc243e17e9b19f3a2
SSDEEP

3072:CfhO/jtrsrYaoghsxgTjhHVbWssuo1BlxDGLqy7+VsXzXqSdy:qhO/j5+DoWEg/h16s0xDrSd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
216d2684b2a8d3db73d9d4c099aae9af74d811b95ba79acd1928f5b6683d4b23

Files

216d2684b2a8d3db73d9d4c099aae9af74d811b95ba79acd1928f5b6683d4b23
.sys windows:6 windows x86

96f2b929b7e08068bfea6b03fc4cfc86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ExAcquireRundownProtectionEx
ExAcquireRundownProtection
ExReleaseRundownProtection
_allshl
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExWaitForRundownProtectionRelease
CmUnRegisterCallback
PsSetCreateProcessNotifyRoutine
PsSetLoadImageNotifyRoutine
PsSetCreateThreadNotifyRoutine
ZwClose
PsCreateSystemThread
MmGetSystemRoutineAddress
KeInitializeEvent
ExInitializeNPagedLookasideList
KeDelayExecutionThread
KeSetEvent
ExReInitializeRundownProtection
CmRegisterCallback
_vsnwprintf
PsTerminateSystemThread
KeWaitForSingleObject
RtlMultiByteToUnicodeN
ExAllocatePoolWithTag
RtlEqualUnicodeString
RtlCopyUnicodeString
IoGetTopLevelIrp
MmIsAddressValid
PsGetCurrentThreadId
PsGetCurrentProcessId
ObQueryNameString
ExInitializeRundownProtection
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
_wcsnicmp
wcslen
ZwTerminateProcess
ZwOpenProcess
RtlInitializeBitMap
ObfReferenceObject
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
ExInitializeResourceLite
ExReleaseResourceLite
RtlInsertElementGenericTableAvl
ExAcquireResourceExclusiveLite
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
ExAcquireResourceSharedLite
memcpy
KeRegisterBugCheckReasonCallback
ExUuidCreate
ExGetPreviousMode
RtlImageNtHeader
RtlCompareUnicodeString
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
ZwQuerySystemInformation
ZwQueryInformationFile
ZwOpenFile
RtlTimeToTimeFields
ExSystemTimeToLocalTime
KeQuerySystemTime
_allmul
IofCompleteRequest
ZwCreateFile
ObReferenceObjectByHandle
IoFileObjectType
KeGetCurrentThread
ZwWriteFile
ZwDeleteFile
IoDeleteDevice
RtlPrefixUnicodeString
MmUserProbeAddress
ExReleaseRundownProtectionEx
RtlCaptureStackBackTrace
KeTickCount
KeBugCheckEx
InterlockedPushEntrySList
InterlockedPopEntrySList
PsLookupProcessByProcessId
ObfDereferenceObject
InitSafeBootMode
RtlInitUnicodeString
IoRegisterShutdownNotification
IoCreateSymbolicLink
RtlAppendUnicodeToString
ExFreePoolWithTag
IoRegisterDriverReinitialization
IoRegisterBootDriverReinitialization
RtlUnwind
IoGetDeviceObjectPointer
ZwDeleteKey
ZwOpenKey
ZwQueryValueKey
ZwSetValueKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
FsRtlIsNameInExpression
RtlGetVersion
ZwQueryInformationProcess
ObOpenObjectByPointer
PsProcessType
PsGetProcessCreateTimeQuadPart
KeUnstackDetachProcess
ProbeForRead
KeStackAttachProcess
PsGetProcessPeb
PsThreadType
PsLookupThreadByThreadId
ZwQueryInformationThread
PsIsThreadTerminating
MmUnmapLockedPages
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
KeInsertQueueApc
KeInitializeApc
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
IoGetDeviceAttachmentBaseRef
IoGetRelatedDeviceObject
ZwReadFile
IoCreateFileSpecifyDeviceObjectHint
ZwSetInformationFile
ZwQueryDirectoryFile
memmove
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
IoFreeIrp
IoCreateFile
ZwSetInformationObject
ZwQueryObject
ZwDuplicateObject
RtlCompareMemory
ZwCreateKey
RtlQueryRegistryValues
KeAreApcsDisabled
ExRaiseStatus
IoVolumeDeviceToDosName
_aullshr
_strnicmp
_allshr
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlDecompressBuffer
FsRtlDissectName
MmHighestUserAddress
IoCreateDevice
RtlAppendUnicodeStringToString
memset

hal

KeGetCurrentIrql
KfLowerIrql
KfAcquireSpinLock
KfReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex

fltmgr.sys

FltAcquirePushLockShared
FltInitializePushLock
FltGetFileNameInformationUnsafe
FltReleaseFileNameInformation
FltAcquirePushLockExclusive
FltReleasePushLock
FltDeletePushLock

Sections

.text
Size: 142KB - Virtual size: 142KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

96f2b929b7e08068bfea6b03fc4cfc86

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 142KB - Virtual size: 142KB

.rdata Size: 68KB - Virtual size: 67KB

.data Size: 34KB - Virtual size: 33KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 920B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 142KB - Virtual size: 142KB

.rdata
Size: 68KB - Virtual size: 67KB

.data
Size: 34KB - Virtual size: 33KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 920B

.reloc
Size: 8KB - Virtual size: 7KB