Static task
static1
General
Target: 89fb49dfe25859953295c49723cd03d1344b0814ebeb7f755e2527acd2b5664f
Size: 37KB
MD5: f3e9fdce6cdb08bc95dc015a1c6e1dee
SHA1: dad31a97a562001fbdbcb84a783fca63b9aca7e0
SHA256: 89fb49dfe25859953295c49723cd03d1344b0814ebeb7f755e2527acd2b5664f
SHA512: 817ab0af5529569a5d3015db4dbcb161d8a8cbcdbb85c23d18dd1181721d567b33d915d73c01e86304bef12a85b3957fca91ed7cefaa6255e6ca155ec25bbc01
SSDEEP: 768:yfDLtOwDI5uzkPgwtgdbDro5dBCxsHvRXb3r:ytXDquAIHuBCxob3r
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: 89fb49dfe25859953295c49723cd03d1344b0814ebeb7f755e2527acd2b5664f
Files
89fb49dfe25859953295c49723cd03d1344b0814ebeb7f755e2527acd2b5664f.sys (windows:6, windows x86)
e2d17e26ef38f41e36b0a91ccac6f15d
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
ProbeForWrite
ProbeForRead
RtlUnwind
KeTickCount
memcpy
PsGetCurrentProcessId
InitSafeBootMode
PsGetVersion
IoCreateDevice
IoCreateSymbolicLink
RtlInitUnicodeString
RtlCompareUnicodeString
IoDeleteSymbolicLink
IoDeleteDevice
IofCompleteRequest
KeInitializeEvent
ExAllocatePool
MmIsAddressValid
RtlEqualUnicodeString
ExFreePoolWithTag
IoFreeMdl
MmMapLockedPagesSpecifyCache
DbgPrint
MmGetSystemRoutineAddress
KeQueryTimeIncrement
_alldiv
_allmul
KeDelayExecutionThread
RtlAppendUnicodeStringToString
ExRaiseStatus
IoVolumeDeviceToDosName
ZwClose
ZwReadFile
ZwQueryInformationFile
ZwOpenFile
RtlQueryRegistryValues
ObfDereferenceObject
IoGetDeviceObjectPointer
_wcsnicmp
memmove
ObOpenObjectByPointer
PsProcessType
KeInitializeMutex
KeReleaseMutex
KeWaitForSingleObject
IoFreeWorkItem
IoQueueWorkItem
IoAllocateWorkItem
PsTerminateSystemThread
PsLookupProcessByProcessId
KeSetEvent
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByHandle
PsCreateSystemThread
RtlGetVersion
MmMapLockedPages
IoReleaseRemoveLockEx
IoAcquireRemoveLockEx
IoInitializeRemoveLockEx
KeBugCheckEx
memset
ExAllocatePoolWithTag
hal
ExReleaseFastMutex
KeGetCurrentIrql
ExAcquireFastMutex
KfAcquireSpinLock
KfReleaseSpinLock
fwpkclnt.sys
FwpmFilterAdd0
FwpmEngineOpen0
FwpmBfeStateGet0
FwpmBfeStateSubscribeChanges0
FwpmTransactionBegin0
FwpmTransactionCommit0
FwpmEngineClose0
FwpmCalloutDeleteById0
FwpsCalloutUnregisterById0
FwpmBfeStateUnsubscribeChanges0
FwpmCalloutAdd0
FwpsCalloutRegister0
FwpmTransactionAbort0
fltmgr.sys
FltCreateCommunicationPort
FltUnregisterFilter
FltCloseCommunicationPort
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseClientPort
FltFreeSecurityDescriptor
FltStartFiltering
Sections
.text Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 808B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ