56327c5e5e678aad9f270ece7214ad67b06bbb837f6ddeba73c61a3082422715

Sharing

Copy URL Twitter E-mail

General

Target

56327c5e5e678aad9f270ece7214ad67b06bbb837f6ddeba73c61a3082422715
Size

149KB
MD5

0288898fbf6ed44056fd241dbe184b1f
SHA1

d6ed02145135b2ba62b77f9c394598cdcc8a6d47
SHA256

56327c5e5e678aad9f270ece7214ad67b06bbb837f6ddeba73c61a3082422715
SHA512

f218164b043ef02bcfa25ae958c4abf11370a2e19ef01cd8c28b215e762ea14c073c1cbd609ea5f96c2c16ae680dcfe161e9afc337fe48ac65c857bae9a77713
SSDEEP

3072:wTbv4OVAIIF6boaZOER3KXCuTRVuXPcgHTUIUyvfXyHgOM6VTVMeJFyq7RskcW4j:wTXe/FdFZRfH4z

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
56327c5e5e678aad9f270ece7214ad67b06bbb837f6ddeba73c61a3082422715

Files

56327c5e5e678aad9f270ece7214ad67b06bbb837f6ddeba73c61a3082422715
.sys windows:6 windows x86

a69641a2d6b1bcc02b103cc66b7dd830

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

_strnicmp
_stricmp
strstr
_strlwr
FsRtlInitializeFileLock
ExInitializeResourceLite
RtlInsertElementGenericTable
PsGetProcessId
RtlLookupElementGenericTable
MmCanFileBeTruncated
ObReferenceObjectByHandle
IoFileObjectType
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
CcSetFileSizes
CcSetDirtyPageThreshold
CcInitializeCacheMap
IoGetCurrentProcess
KeUnstackDetachProcess
ZwCreateFile
KeStackAttachProcess
KeSetEvent
_allrem
PsCreateSystemThread
ZwQueryValueKey
ZwOpenKey
ExDeleteNPagedLookasideList
ExAcquireResourceSharedLite
RtlInitializeGenericTable
ExInitializeNPagedLookasideList
KeInitializeSemaphore
KdEnableDebugger
MmGetSystemRoutineAddress
MmMapLockedPagesSpecifyCache
CcCopyRead
CcMdlRead
FsRtlFastCheckLockForRead
CcMdlReadComplete
CcCopyWrite
CcPrepareMdlWrite
CcCanIWrite
KeQuerySystemTime
FsRtlFastCheckLockForWrite
CcMdlWriteComplete
ZwWaitForSingleObject
ZwReadFile
ZwWriteFile
wcschr
ZwQueryInformationFile
KeBugCheck
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
KeReleaseSemaphore
RtlTimeToTimeFields
ExSystemTimeToLocalTime
RtlUnicodeToMultiByteN
KeGetCurrentThread
IoFreeIrp
IofCallDriver
IoAllocateIrp
IoGetRelatedDeviceObject
KeDelayExecutionThread
FsRtlPrivateLock
FsRtlFastUnlockSingle
FsRtlFastUnlockAllByKey
IoBuildDeviceIoControlRequest
ExfInterlockedInsertTailList
ExfInterlockedRemoveHeadList
PsRevertToSelf
ZwFsControlFile
ZwSetInformationFile
IoCreateFile
ExfInterlockedAddUlong
PsImpersonateClient
PsTerminateSystemThread
PsDereferencePrimaryToken
PsReferencePrimaryToken
ZwCreateEvent
KeTickCount
KeBugCheckEx
RtlUnwind
_wcsupr
wcsncmp
RtlInitUnicodeString
_wcsnicmp
ExAllocatePool
ZwOpenSymbolicLinkObject
ZwClose
ZwQuerySymbolicLinkObject
_alldiv
ExAllocatePoolWithTag
strncpy
PsGetProcessCreateTimeQuadPart
_vsnwprintf
_vsnprintf
memset
memcpy
ObfDereferenceObject
ExFreePoolWithTag
FsRtlUninitializeFileLock
FsRtlTeardownPerStreamContexts
ExDeleteResourceLite
RtlDeleteElementGenericTable
InterlockedPushEntrySList
InterlockedPopEntrySList
CcFlushCache
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
FsRtlFastUnlockAll
ExReleaseResourceLite
CcPurgeCacheSection
MmFlushImageSection
MmForceSectionClosed
KeInitializeEvent
CcUninitializeCacheMap
KeLeaveCriticalRegion
ExAcquireSharedStarveExclusive
KeWaitForSingleObject

hal

KfReleaseSpinLock
KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex
KfAcquireSpinLock

fltmgr.sys

FltCreateFile
FltClose
FltQueryInformationFile
FltReadFile
FltSendMessage
FltIsOperationSynchronous
FltWriteFile
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltLockUserBuffer
FltCompletePendedPreOperation
FltFreeDeferredIoWorkItem
FltRegisterFilter
FltStartFiltering
FltBuildDefaultSecurityDescriptor
FltCreateCommunicationPort
FltFreeSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltGetDestinationFileNameInformation
FltSetInformationFile
FltFlushBuffers
FltGetRequestorProcessId
FltGetFileNameInformation
FltParseFileNameInformation
FltSetCallbackDataDirty
FltReleaseFileNameInformation
FltGetRequestorProcess
FltGetDiskDeviceObject

Sections

.text
Size: 126KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a69641a2d6b1bcc02b103cc66b7dd830

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 126KB - Virtual size: 125KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 18KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 1024B

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 126KB - Virtual size: 125KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 18KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 1024B

.reloc
Size: 8KB - Virtual size: 8KB