Static task
static1

General
Target: 65d00bdbb2d7d6e11ce732bf1565c4f804f29bb4334bbb1ba721c157142b7c2f
Size: 362KB
MD5: 56b3d4546479bec0c8200f8f2c33264f
SHA1: 7775eb194e8b6e9df4b756be614ef2ec8fa388cb
SHA256: 65d00bdbb2d7d6e11ce732bf1565c4f804f29bb4334bbb1ba721c157142b7c2f
SHA512: 0fa7a0a571f83317267759ba2f34199ee99bec86683be085d44bca3f15e49cd97adf26d3c9f17fd1e6d2bce9f3a428ce7d1c197afae63a8d2e03336a15b0a3de
SSDEEP: 6144:FkieRcabYtupKy8pfpOCjN0ys8dXEG9QnI50F6K1w+Dgiv2gAknu5zfB8VOR6gAK:eiezMtupK1rOWNS80IXNNem
Malware Config

Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource 65d00bdbb2d7d6e11ce732bf1565c4f804f29bb4334bbb1ba721c157142b7c2f

Files
65d00bdbb2d7d6e11ce732bf1565c4f804f29bb4334bbb1ba721c157142b7c2f.sys (windows:6, windows x86)
7b37658e2b0bb3c26e3ec82b1ec8c61e
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
ObQueryNameString
RtlImageNtHeader
RtlMultiByteToUnicodeN
IoGetDeviceObjectPointer
KeInitializeEvent
ProbeForRead
ProbeForWrite
PsSetCreateProcessNotifyRoutine
ExInitializeResourceLite
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlInitializeGenericTable
CmRegisterCallback
MmHighestUserAddress
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
PsLookupThreadByThreadId
PsGetCurrentThreadId
KeDelayExecutionThread
PsCreateSystemThread
MmSystemRangeStart
PsSetLoadImageNotifyRoutine
RtlUpcaseUnicodeString
ZwDeleteValueKey
ZwCreateKey
ZwSetValueKey
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
wcschr
ZwQueryValueKey
RtlDecompressBuffer
IoGetDeviceAttachmentBaseRef
ZwReadFile
RtlAppendUnicodeStringToString
InterlockedPopEntrySList
InterlockedPushEntrySList
ExDeletePagedLookasideList
ExInitializePagedLookasideList
RtlAppendUnicodeToString
CmUnRegisterCallback
ZwWriteFile
ZwSetInformationFile
ZwDeleteFile
ZwQueryInformationFile
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
IoAllocateMdl
MmUnmapLockedPages
ZwOpenFile
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateUnicodeString
_wcsicmp
wcsncpy
wcsncmp
RtlGetVersion
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
ZwEnumerateKey
ZwQueryKey
_allmul
KeTickCount
wcsrchr
ExInitializeRundownProtection
PsIsSystemThread
IoGetTopLevelIrp
RtlPrefixUnicodeString
MmIsAddressValid
ZwOpenSymbolicLinkObject
KeSetEvent
ZwSetInformationThread
ExAcquireRundownProtection
ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
KeResetEvent
KeWaitForSingleObject
KeInitializeSemaphore
KeWaitForMultipleObjects
KeReleaseSemaphore
_alldiv
memmove
ZwQueryInformationProcess
ObOpenObjectByPointer
ExSystemTimeToLocalTime
PsGetVersion
KeQuerySystemTime
RtlInitAnsiString
_wcsnicmp
ObOpenObjectByName
MmUserProbeAddress
IoFileObjectType
ZwTerminateProcess
ZwOpenProcess
FsRtlDissectName
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlLookupElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlGetElementGenericTableAvl
ExRaiseDatatypeMisalignment
KeQueryTimeIncrement
ExSemaphoreObjectType
ExfInterlockedInsertTailList
ExfInterlockedRemoveHeadList
KeBugCheckEx
ObfReferenceObject
ZwOpenKey
RtlCompareMemory
KeGetCurrentThread
RtlCopyUnicodeString
RtlCompareUnicodeString
PsTerminateSystemThread
IoGetCurrentProcess
PsInitialSystemProcess
PsProcessType
PsGetProcessId
PsLookupProcessByProcessId
ExGetPreviousMode
PsThreadType
ObReferenceObjectByHandle
ObfDereferenceObject
memcpy
IoThreadToProcess
PsGetProcessInheritedFromUniqueProcessId
RtlHashUnicodeString
PsGetThreadProcessId
RtlEqualUnicodeString
InitSafeBootMode
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoRegisterShutdownNotification
MmGetSystemRoutineAddress
RtlInitUnicodeString
PsGetCurrentProcessId
IofCompleteRequest
ZwCreateFile
ZwDeviceIoControlFile
ZwClose
_vsnwprintf
memset
RtlUnwind
ZwDeleteKey
PsIsThreadTerminating
KeInsertQueueApc
KeInitializeApc
FsRtlIsNameInExpression
RtlFreeAnsiString
FsRtlIsDbcsInExpression
RtlUnicodeStringToAnsiString
ZwQuerySystemInformation
PsGetProcessCreateTimeQuadPart
KeUnstackDetachProcess
KeStackAttachProcess
PsGetProcessPeb
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwEnumerateValueKey
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
IoFreeIrp
IoCreateFile
ZwSetInformationObject
ZwQueryObject
ZwDuplicateObject
RtlQueryRegistryValues
KeAreApcsDisabled
ExRaiseStatus
IoVolumeDeviceToDosName
IoGetRelatedDeviceObject
IoCreateFileSpecifyDeviceObjectHint
ZwQueryDirectoryFile
_allshl
_aullshr
ExAllocatePoolWithTag
ZwQuerySymbolicLinkObject
ExFreePoolWithTag
hal
KfAcquireSpinLock
KfReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
KeGetCurrentIrql
fltmgr.sys
FltDeletePushLock
FltRegisterFilter
FltGetFileNameInformationUnsafe
FltCreateFile
FltClose
FltSendMessage
FltQueryInformationFile
FltGetDestinationFileNameInformation
FltParseFileNameInformation
FltSetStreamContext
FltAllocateContext
FltGetVolumeContext
FltGetStreamContext
FltGetRequestorProcessId
FltGetRequestorProcess
FltReadFile
FltGetVolumeProperties
FltSetVolumeContext
FltReleaseContext
FltGetVolumeName
FltAcquirePushLockExclusive
FltAcquirePushLockShared
FltReleasePushLock
FltInitializePushLock
FltGetFileNameInformation
FltReleaseFileNameInformation
FltBuildDefaultSecurityDescriptor
FltCreateCommunicationPort
FltFreeSecurityDescriptor
FltCloseClientPort
FltStartFiltering
Sections
.text Size: 283KB - Virtual size: 283KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 50KB - Virtual size: 50KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 896B - Virtual size: 800B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 16KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ