c4820679ea0376aa2e2a5fede4b13ec4f773576fb37d49ca80153d5a5bc64f95[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

c4820679ea0376aa2e2a5fede4b13ec4f773576fb37d49ca80153d5a5bc64f95.zip
Size

50KB
MD5

bd143561757a20c6058e18d4d4288600
SHA1

4503f8ff568160e79c5272702da7061647357cc7
SHA256

5ead897712cf04ed723b93f42413bd06dc3bb43d4f6abe5c25885522606a7a3f
SHA512

29d0d807ea7f101200e75e65101ac215694b5b8413ac2221f6de8396e022c97c83b535cef8e9c967ddb4fb698403fa20687aca1ff93dea456bf6bcae0319a2f6
SSDEEP

1536:W0n/1vndUDTTKdv+MhtB158E7OyH8EMxf:x9vndUXTajhL70T

Score

1^/10

Malware Config

Signatures

Files

c4820679ea0376aa2e2a5fede4b13ec4f773576fb37d49ca80153d5a5bc64f95.zip
.zip

Password: infected
dumpfve.sys
.dll windows:10 windows x64

2eb729e8f73eeab7a8ac5aa013cd3ee4

Code Sign

33:00:00:06:30:40:da:69:cf:31:09:00:eb:00:00:00:00:06:30
Certificate

Issuer

CN=Microsoft Development PCA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30-06-2022 17:59

Not After

15-09-2023 17:59

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Development Root Certificate Authority 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28-05-2014 17:33

Not After

28-05-2029 17:43

Subject

CN=Microsoft Development PCA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

20:97:81:2b:76:f5:98:af:a8:fb:89:7d:d1:43:5a:83:39:73:21:f4:c5:a2:36:42:5c:10:e8:f2:4e:08:68:f2
Signer

Actual PE Digest

20:97:81:2b:76:f5:98:af:a8:fb:89:7d:d1:43:5a:83:39:73:21:f4:c5:a2:36:42:5c:10:e8:f2:4e:08:68:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntoskrnl.exe

ObfDereferenceObject
ExCreateCallback
RtlInitUnicodeString
MmAllocateContiguousNodeMemory
MmFreeContiguousMemory
MmGetPhysicalAddress
IoBuildDeviceIoControlRequest
RtlQueryFeatureConfigurationChangeStamp
PoSetHiberRange
ExAllocatePool2
KeLowerIrql
RtlUnregisterFeatureConfigurationChangeNotification
IofCallDriver
ZwQueryValueKey
MmFreePagesFromMdl
RtlAppendUnicodeToString
KeInitializeEvent
KfRaiseIrql
MmUnmapLockedPages
MmMapLockedPagesSpecifyCache
KeWaitForSingleObject
ZwClose
ExUnregisterCallback
ZwOpenKey
RtlCompareMemory
ExIsSoftBoot
KeSweepLocalCaches
KeRestoreExtendedProcessorState
KeBugCheckEx
RtlGetEnabledExtendedFeatures
KeSaveExtendedProcessorState
RtlGetVersion
ExRegisterCallback
RtlQueryFeatureConfiguration
KeGetCurrentIrql
RtlRegisterFeatureConfigurationChangeNotification
ExFreePoolWithTag
MmAllocatePagesForMdlEx

ext-ms-win-ntos-ksr-l1-1-1

KsrMdlToMemoryRuns
KsrClaimPersistedMemory
KsrFreePersistedMemory
KsrPersistMemory
KsrEnumeratePersistedMemory
KsrGetFirmwareInformation

Exports

Exports

DumpPreInitialize
DumpUninitialize

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 380B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 4KB - Virtual size: 107B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 934B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GFIDS
Size: 4KB - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

2eb729e8f73eeab7a8ac5aa013cd3ee4

Code Sign

33:00:00:06:30:40:da:69:cf:31:09:00:eb:00:00:00:00:06:30Certificate

Extended Key Usages

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03Certificate

Key Usages

20:97:81:2b:76:f5:98:af:a8:fb:89:7d:d1:43:5a:83:39:73:21:f4:c5:a2:36:42:5c:10:e8:f2:4e:08:68:f2Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

ext-ms-win-ntos-ksr-l1-1-1

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 51KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 4KB - Virtual size: 380B

.pdata Size: 4KB - Virtual size: 2KB

.idata Size: 4KB - Virtual size: 1KB

PAGE Size: 4KB - Virtual size: 2KB

fothk Size: 4KB - Virtual size: 4KB

.edata Size: 4KB - Virtual size: 107B

INIT Size: 4KB - Virtual size: 934B

GFIDS Size: 4KB - Virtual size: 180B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 820B

33:00:00:06:30:40:da:69:cf:31:09:00:eb:00:00:00:00:06:30
Certificate

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03
Certificate

20:97:81:2b:76:f5:98:af:a8:fb:89:7d:d1:43:5a:83:39:73:21:f4:c5:a2:36:42:5c:10:e8:f2:4e:08:68:f2
Signer

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 4KB - Virtual size: 380B

.pdata
Size: 4KB - Virtual size: 2KB

.idata
Size: 4KB - Virtual size: 1KB

PAGE
Size: 4KB - Virtual size: 2KB

fothk
Size: 4KB - Virtual size: 4KB

.edata
Size: 4KB - Virtual size: 107B

INIT
Size: 4KB - Virtual size: 934B

GFIDS
Size: 4KB - Virtual size: 180B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 820B