Static task
static1
General
Target: eec18c994ff07ef8d45c00721392984b0a834f65eb66a5715d9d0fd3b3dd5dd9
Size: 236KB
MD5: a4f43ed0ad4930565c08c13b33e0653d
SHA1: 0776648e63e3f66a35d3066144ddd4cc4cd9b248
SHA256: eec18c994ff07ef8d45c00721392984b0a834f65eb66a5715d9d0fd3b3dd5dd9
SHA512: 383cf61623a97209163865d145b3584d47e4e1e3c95b195b8415366b6c9d5f60a85671fe5644dc41e3887bf6d57a0756e110169af6cf6c7cf7e18acd4239f25f
SSDEEP: 6144:b4I3/vXAXjHL7z17PggffAUfpHgSV8GW7e3gOVUWvF5fUZDU3t7H1z2RItffvcOw:0M/vXQHL7lVffAU
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for a missing Authenticode signature.
  resource: eec18c994ff07ef8d45c00721392984b0a834f65eb66a5715d9d0fd3b3dd5dd9
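The "Unsigned PE" finding is a file-local check: it looks at the Security data directory in the optional header, which is where an embedded Authenticode signature lives. The Python below is an added example (the editor's code, not the sandbox's rule and not code from the sample) that reproduces that check with only the standard library and pairs it with the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit reported under Headers. The caveat a practitioner wants here: a driver signed only through a catalog (.cat) file has an empty Security directory and is reported as unsigned by any in-file check, so an "unsigned" verdict on a driver that sets FORCE_INTEGRITY should be confirmed with a catalog-aware verifier on Windows before it is read as "no signature at all". build_pe32() constructs a headers-only PE32 with a placeholder WIN_CERTIFICATE blob so the parser can be exercised offline; it is not a loadable image and the PKCS#7 body is not verified.

```python
"""Embedded-Authenticode check for a PE image, the way a sandbox 'Unsigned PE'
rule sees it, plus the FORCE_INTEGRITY flag. Added example; stdlib only."""
import struct

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> NT headers and return the fields relevant to signing.

    The Security directory's first field is a raw file offset, not an RVA.
    A zero-size entry means no embedded signature; a catalog-signed file
    also shows zero here, which is the blind spot of any in-file check."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: bad NT signature")
    coff = e_lfanew + 4
    machine, _nsects, _, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both PE32 and PE32+; the data
    # directory array starts at +96 (PE32) or +112 (PE32+).
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)
    (num_dirs,) = struct.unpack_from("<I", data, dir_base - 4)
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    info = {
        "machine": machine,
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "embedded_signature": sec_size != 0,
        "cert_type": None,
    }
    if sec_size:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, _rev, ctype = struct.unpack_from("<IHH", data, sec_off)
        if length > sec_size or sec_off + length > len(data):
            raise ValueError("security directory points outside the file")
        info["cert_type"] = ctype
    return info


def triage(data: bytes) -> str:
    """Reproduce the report's 'Unsigned PE' verdict, with the catalog caveat."""
    info = parse_pe(data)
    if info["embedded_signature"]:
        return ("embedded signature present (type 0x%04x); verify the PKCS#7 separately"
                % info["cert_type"])
    if info["force_integrity"]:
        return ("no embedded Authenticode but FORCE_INTEGRITY set: likely catalog-signed "
                "or stripped; confirm with a catalog-aware verifier")
    return "no embedded Authenticode signature"


def build_pe32(force_integrity: bool, signed: bool) -> bytes:
    """Constructed minimal PE32 (headers only, zero sections) for offline tests.
    Not a loadable image; just enough structure for parse_pe()."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY if force_integrity else 0)
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)  # x86, EXE|32BIT
    headers_len = 0x40 + 4 + len(coff) + len(opt)
    if signed:
        cert = b"\x30\x82\x00\x04DEAD"            # placeholder, not real PKCS#7
        win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(win_cert))
    else:
        win_cert = b""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    for fi, s in ((True, False), (False, True), (False, False)):
        print("force_integrity=%s signed=%s -> %s" % (fi, s, triage(build_pe32(fi, s))))
```

Run against the real sample with `triage(open(path, "rb").read())`; on a Windows host, follow a "likely catalog-signed" verdict with Get-AuthenticodeSignature, which consults the catalog store, before concluding the driver is unsigned.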
Files
-
eec18c994ff07ef8d45c00721392984b0a834f65eb66a5715d9d0fd3b3dd5dd9.sys windows:6 windows x86
8045be5d1ee557e92b60b681b6e142d1
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
RtlInitUnicodeString
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsRemoveLoadImageNotifyRoutine
InterlockedPopEntrySList
InterlockedPushEntrySList
ExInitializePagedLookasideList
ExDeletePagedLookasideList
KeSetEvent
KeWaitForSingleObject
IoDeleteDevice
IoDeleteSymbolicLink
IoCreateSymbolicLink
IoCreateDevice
InitSafeBootMode
KeGetCurrentThread
IoCreateFile
RtlFreeAnsiString
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
IoFreeMdl
MmUnlockPages
MmUnmapLockedPages
memmove
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
_stricmp
ZwSetInformationFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
RtlRandomEx
KeTickCount
ZwCreateFile
ZwOpenFile
PsTerminateSystemThread
RtlAppendUnicodeStringToString
RtlUnicodeStringToAnsiString
KeInsertQueueApc
KeInitializeApc
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlImageDirectoryEntryToData
RtlImageNtHeader
PsThreadType
PsCreateSystemThread
RtlGetVersion
ZwDeleteValueKey
ZwSetValueKey
ZwQueryValueKey
RtlCompareUnicodeString
IofCompleteRequest
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExReleaseResourceLite
ObQueryNameString
MmGetSystemRoutineAddress
ObOpenObjectByPointer
ObfReferenceObject
MmIsAddressValid
RtlPrefixUnicodeString
MmUserProbeAddress
ZwDeviceIoControlFile
_vsnwprintf
CmUnRegisterCallback
CmRegisterCallbackEx
KeDelayExecutionThread
KeQueryTimeIncrement
ZwClose
_allmul
ZwQueryInformationProcess
ZwOpenProcess
PsGetProcessInheritedFromUniqueProcessId
ProbeForWrite
ExRaiseDatatypeMisalignment
wcsncpy
RtlSetDaclSecurityDescriptor
ExRegisterCallback
ExCreateCallback
ExUnregisterCallback
IoRegisterShutdownNotification
KeQuerySystemTime
PsGetProcessCreateTimeQuadPart
RtlCopyUnicodeString
KeResetEvent
KeBugCheckEx
RtlUnwind
ObOpenObjectByName
ZwOpenKey
ZwCreateKey
RtlCompareMemory
ProbeForRead
PsGetCurrentThreadId
ExGetPreviousMode
ObReferenceObjectByHandle
ObfDereferenceObject
RtlEqualUnicodeString
RtlAppendUnicodeToString
KeInitializeEvent
memcpy
ZwQuerySystemInformation
ExDeleteResourceLite
RtlHashUnicodeString
ExInitializeResourceLite
ExFreePoolWithTag
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeInitializeDpc
KeNumberProcessors
FsRtlIsNameInExpression
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwEnumerateKey
ZwEnumerateValueKey
IoGetTopLevelIrp
PsProcessType
PsLookupThreadByThreadId
IoGetDeviceObjectPointer
RtlQueryRegistryValues
KeAreApcsDisabled
ExRaiseStatus
IoVolumeDeviceToDosName
_wcsnicmp
RtlMultiByteToUnicodeN
DbgPrint
PsIsThreadTerminating
_allshl
_aullshr
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlDecompressBuffer
RtlDeleteElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlInitializeGenericTableAvl
FsRtlDissectName
_alldiv
PsGetCurrentProcessId
memset
IoGetCurrentProcess
ExAllocatePoolWithTag
hal
KfRaiseIrql
KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex
KfLowerIrql
fltmgr.sys
FltDeletePushLock
FltReleaseFileNameInformation
FltCloseClientPort
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCreateCommunicationPort
FltStartFiltering
FltFreeSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltInitializePushLock
FltAcquirePushLockExclusive
FltAcquirePushLockShared
FltReleasePushLock
FltSendMessage
FltGetFileNameInformationUnsafe
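A first triage of an import table this size is to bucket the names by the mechanism they usually implement together. The script below is an added example written for this page; the capability map is the editor's own heuristic, not the sandbox's logic, and every API name in CAPABILITIES is taken from the import table above. It parses the flat module/API listing in the form the report uses and maps the names onto buckets. Read the output with care: the profile here (a minifilter with a user-mode communication port, process-creation, image-load and registry callbacks, and the KeStackAttachProcess + ZwAllocateVirtualMemory + KeInsertQueueApc combination used to run code in another process's context) is what both an endpoint-security agent and a kernel-mode implant look like from the outside, and the imports alone do not separate the two. SAMPLE_IMPORTS is a subset of the listing above pasted as-is; the module-header rule (PE-style suffix or the bare name "hal") is an assumption about this report's layout.

```python
"""Bucket a kernel driver's imports into capabilities as a first-pass triage
of the Imports section above. Added example; the map is a heuristic."""
from collections import OrderedDict

# Each bucket lists imports that, together, usually implement one mechanism.
# A hit is a lead to chase in the disassembly, not a verdict.
CAPABILITIES = OrderedDict([
    ("minifilter", {"FltRegisterFilter", "FltStartFiltering", "FltUnregisterFilter",
                    "FltGetFileNameInformationUnsafe", "FltReleaseFileNameInformation"}),
    ("user_mode_port", {"FltCreateCommunicationPort", "FltSendMessage",
                        "FltCloseClientPort", "FltBuildDefaultSecurityDescriptor"}),
    ("process_image_callbacks", {"PsSetCreateProcessNotifyRoutine",
                                 "PsSetLoadImageNotifyRoutine",
                                 "PsRemoveLoadImageNotifyRoutine"}),
    ("registry_callbacks", {"CmRegisterCallbackEx", "CmUnRegisterCallback"}),
    ("cross_process_memory", {"KeStackAttachProcess", "KeUnstackDetachProcess",
                              "PsLookupProcessByProcessId", "ZwAllocateVirtualMemory",
                              "ZwFreeVirtualMemory"}),
    ("apc_queueing", {"KeInitializeApc", "KeInsertQueueApc", "PsLookupThreadByThreadId"}),
    ("mdl_remapping", {"IoAllocateMdl", "MmProbeAndLockPages", "MmMapLockedPagesSpecifyCache",
                       "MmProtectMdlSystemAddress", "MmUnmapLockedPages", "MmUnlockPages"}),
    ("dynamic_resolution", {"MmGetSystemRoutineAddress"}),
    ("all_cpu_dpc", {"KeInitializeDpc", "KeSetTargetProcessorDpc", "KeInsertQueueDpc",
                     "KeNumberProcessors"}),
    ("pe_parsing", {"RtlImageNtHeader", "RtlImageDirectoryEntryToData"}),
    ("registry_io", {"ZwOpenKey", "ZwCreateKey", "ZwQueryValueKey", "ZwSetValueKey",
                     "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey"}),
    ("compression", {"RtlCompressBuffer", "RtlDecompressBuffer",
                     "RtlGetCompressionWorkSpaceSize"}),
    ("safe_boot_check", {"InitSafeBootMode"}),
])

MODULE_SUFFIXES = (".exe", ".sys", ".dll")
BARE_MODULES = {"hal"}  # assumption: the report lists the HAL without an extension


def parse_imports(report_text: str) -> dict:
    """Turn the report's flat Imports listing into {module: [api, ...]}.
    A line is a module header if it carries a PE-style suffix or is a known
    bare module name; every other line is an import of the current module."""
    modules, current = OrderedDict(), None
    for line in report_text.splitlines():
        name = line.strip()
        if not name:
            continue
        if name.lower().endswith(MODULE_SUFFIXES) or name.lower() in BARE_MODULES:
            current = name
            modules.setdefault(current, [])
        elif current is not None:
            modules[current].append(name)
    return modules


def classify(modules: dict) -> dict:
    """Map every imported name onto CAPABILITIES; unmatched names go to 'other'."""
    seen = {api for apis in modules.values() for api in apis}
    known = set().union(*CAPABILITIES.values())
    hits = OrderedDict()
    for cap, apis in CAPABILITIES.items():
        matched = sorted(seen & apis)
        if matched:
            hits[cap] = matched
    hits["other"] = sorted(seen - known)
    return hits


# Subset of the Imports section above, pasted in the report's flat layout.
SAMPLE_IMPORTS = """
ntoskrnl.exe
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ZwAllocateVirtualMemory
KeInitializeApc
KeInsertQueueApc
MmGetSystemRoutineAddress
CmRegisterCallbackEx
KeSetTargetProcessorDpc
KeNumberProcessors
InitSafeBootMode
RtlCompressBuffer
memcpy
hal
KfRaiseIrql
KfLowerIrql
fltmgr.sys
FltRegisterFilter
FltStartFiltering
FltCreateCommunicationPort
FltSendMessage
"""

if __name__ == "__main__":
    for cap, apis in classify(parse_imports(SAMPLE_IMPORTS)).items():
        print("%-24s %s" % (cap, ", ".join(apis)))
```

Paste the full Imports block from the report into SAMPLE_IMPORTS to classify the whole table; the "other" bucket is worth a glance too, since names that fit no bucket (string, list and lookaside helpers here) are what an attacker-controlled driver and a product driver share.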
Sections
.text   Size: 203KB   Virtual size: 202KB   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 4KB     Virtual size: 4KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 10KB    Virtual size: 13KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INIT    Size: 5KB     Virtual size: 4KB     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.rsrc   Size: 1024B   Virtual size: 800B    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
.reloc  Size: 11KB    Virtual size: 10KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
INIT is the only section that is both writable and executable; together with IMAGE_SCN_MEM_DISCARDABLE that is the normal layout for a driver's DriverEntry code, which the kernel discards after initialization, so on its own it is not a packing indicator. Raw and virtual sizes are close for every section, which is consistent with an unpacked image.