General
-
Target
2099c9d1660f7d1edfde6425a757eb90f56ca4013a094be22bed9990c1174f31
-
Size
3.9MB
-
MD5
7d16ffb266b3db5f36fcf71c8ac6f2bc
-
SHA1
27bee7850b53a5603c589af9c0649375a2aae9e3
-
SHA256
2099c9d1660f7d1edfde6425a757eb90f56ca4013a094be22bed9990c1174f31
-
SHA512
20ed83b46124685671bd18bc248f880fe56d6eff615296ec82bbc125ef062081277dcf70c1d5fe668f123c6b3644a4f644062a745dace4ff1bb71c591612cac2
-
SSDEEP
98304:XBtzBcWctxcYqAO24tB8YjG9xB9FmE9KWIeQ8R6:HCrSNAO2a8QCjUuw
Malware Config
Signatures
-
resource yara_rule sample vmprotect -
Unsigned PE 1 IoCs
Checks for a missing Authenticode signature.
resource 2099c9d1660f7d1edfde6425a757eb90f56ca4013a094be22bed9990c1174f31
Files
-
2099c9d1660f7d1edfde6425a757eb90f56ca4013a094be22bed9990c1174f31.sys windows:10 windows x64
a7ed3197763508f2f63fddded4c18b7f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntoskrnl.exe
ZwOpenFile
ZwClose
IoFileObjectType
IofCompleteRequest
_strnicmp
wcsncpy
_wcsicmp
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
ExQueueWorkItem
CmRegisterCallback
PsCreateSystemThread
IoAllocateIrp
IofCallDriver
IoCreateDevice
IoCreateFile
IoCreateSymbolicLink
IoFreeIrp
IoGetRelatedDeviceObject
IoRegisterShutdownNotification
ObReferenceObjectByHandleWithTag
ObCloseHandle
ZwOpenKey
ZwDeleteKey
MmIsAddressValid
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
IoCreateFileEx
PsLookupProcessByProcessId
MmFlushImageSection
ObQueryNameString
ZwDeleteFile
PsGetProcessImageFileName
ZwCreateFile
ZwQueryInformationFile
ObfDereferenceObject
ZwWriteFile
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
DbgPrint
RtlCompareUnicodeString
RtlAppendUnicodeToString
PsWrapApcWow64Thread
ZwQueryValueKey
ZwOpenProcess
RtlDowncaseUnicodeString
KeStackAttachProcess
KeUnstackDetachProcess
PsIsThreadTerminating
PsLookupThreadByThreadId
ZwAllocateVirtualMemory
ZwQuerySystemInformation
ZwQueryInformationProcess
PsGetProcessWow64Process
PsGetProcessPeb
KeInitializeApc
KeInsertQueueApc
PsGetCurrentProcessWow64Process
__C_specific_handler
ZwSetValueKey
KeBugCheckEx
ObReferenceObjectByHandle
ExFreePoolWithTag
ExAllocatePool
KeDelayExecutionThread
RtlCopyUnicodeString
ZwReadFile
RtlInitUnicodeString
hal
KeStallExecutionProcessor
wdfldr.sys
WdfVersionUnbind
WdfVersionBind
WdfVersionUnbindClass
WdfVersionBindClass
Sections
.text Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp0 Size: 1.3MB - Virtual size: 1.3MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp2 Size: 2.6MB - Virtual size: 2.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.rsrc Size: 892B - Virtual size: 892B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.l1 Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE