Static task
static1
General
-
Target
20435645c83e004fd86ac650b5e1ada06e7168612582edae6b380b2b2818f889
-
Size
13.6MB
-
MD5
bc3ca50a1290c1b0dc9682a27238e91e
-
SHA1
4b07b6cbddd0fa88db84348a019d5d3a1382416f
-
SHA256
20435645c83e004fd86ac650b5e1ada06e7168612582edae6b380b2b2818f889
-
SHA512
30e72a3498c68163285b422eafadaa7fd7909960f20393f8486da2379944ea031f253a0dc785bee0efcbfe0704a55843229b7350863a13354633d4aaddcc9974
-
SSDEEP
393216:g/yGvq9POYnSw66L5zenDU7cFKNj+04EQ3hl:QyGGPOYSwjNig7c+4EQ3hl
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature. This rule only looks for an embedded Authenticode signature in the PE; it does not consult catalog signing, so confirm the signing state with a catalog-aware check before treating the file as unsigned. If it genuinely is unsigned, note that this is an x64 Windows 10 kernel driver (see the .sys entry under Files): Driver Signature Enforcement would refuse to load it through the normal driver path on a default-configured host, so how it gets loaded (test signing, a DSE bypass, or some other vector) is a question this static report does not answer.
resource 20435645c83e004fd86ac650b5e1ada06e7168612582edae6b380b2b2818f889
Files
-
20435645c83e004fd86ac650b5e1ada06e7168612582edae6b380b2b2818f889.sys windows:10 windows x64
8adeccd4b983e715a489075275398eae
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports (note: the import table shows only what is statically linked, not what is called on any given path; with most of the image in non-standard sections, further kernel APIs may be resolved at runtime and would not appear here). Imports worth noting for a driver of this kind: process/thread/image-load callbacks (PsSetCreateProcessNotifyRoutineEx, PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine); cross-process memory access and user-mode APC queuing (KeStackAttachProcess, ZwAllocateVirtualMemory, MmMapViewOfSection, KeInitializeApc/KeInsertQueueApc); physical-memory access (MmGetPhysicalAddress, MmGetVirtualForPhysical, MmAllocateContiguousMemory); handle-table and minifilter enumeration (ExEnumHandleTable, ObGetObjectType, FltEnumerateFilters); debugger/verifier checks (KdDebuggerEnabled, MmIsDriverVerifying, DbgSetDebugPrintCallback); registry writes and deletes (ZwSetValueKey, ZwDeleteKey, ZwDeleteValueKey); and process termination (ZwTerminateProcess). This profile is as typical of anti-cheat/EDR-style protective drivers as of kernel-mode malware, so the import list alone does not establish intent.
fltmgr.sys
FltObjectDereference
FltEnumerateFilters
ndis.sys
NdisGetVersion
ksecdd.sys
SecLookupAccountSid
ntoskrnl.exe
ExFreePoolWithTag
ProbeForRead
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
ExGetPreviousMode
ObReferenceObjectByHandle
ObCloseHandle
ZwClose
MmGetPhysicalAddress
MmIsAddressValid
PsGetCurrentProcessId
RtlRandom
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ObOpenObjectByPointer
ObIsKernelHandle
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
PsLookupProcessThreadByCid
__C_specific_handler
CmKeyObjectType
IoFileObjectType
PsProcessType
PsThreadType
MmHighestUserAddress
MmSystemRangeStart
MmUserProbeAddress
PsInitialSystemProcess
IoDriverObjectType
IoDeviceObjectType
KeDelayExecutionThread
ExInitializeLookasideListEx
ExDeleteLookasideListEx
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetCurrentProcess
RtlPcToFileHeader
wcsrchr
_wcsicmp
_wcsnicmp
RtlUnicodeStringToInteger
RtlCompareUnicodeString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
MmProbeAndLockPages
MmUnlockPages
MmBuildMdlForNonPagedPool
IoAllocateIrp
IoAllocateMdl
IofCallDriver
IoCreateFile
IoFreeIrp
IoFreeMdl
IoGetDeviceObjectPointer
IoGetRelatedDeviceObject
ZwCreateFile
ZwOpenFile
ZwReadFile
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlGetElementGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlUpcaseUnicodeString
MmIsNonPagedSystemAddressValid
MmMapViewInSystemSpace
MmUnmapViewInSystemSpace
IoGetFileObjectGenericMapping
IoCreateFileSpecifyDeviceObjectHint
KeAcquireQueuedSpinLock
KeReleaseQueuedSpinLock
ObInsertObject
ZwQueryObject
ZwOpenDirectoryObject
_vsnwprintf
ObCreateObject
ObReferenceObjectByName
MmCreateSection
SeCreateAccessState
ZwQueryDirectoryObject
NtBuildNumber
DbgSetDebugPrintCallback
KeEnterGuardedRegion
KeLeaveGuardedRegion
KeAcquireSpinLockAtDpcLevel
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
KeReleaseSpinLockFromDpcLevel
KeDeregisterNmiCallback
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAcquireFastMutexUnsafe
ExReleaseFastMutexUnsafe
ExAcquireFastMutex
ExReleaseFastMutex
ExEnterCriticalRegionAndAcquireResourceShared
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
ExWaitForRundownProtectionRelease
ExAcquireSpinLockSharedAtDpcLevel
ExAcquireSpinLockShared
ExReleaseSpinLockSharedFromDpcLevel
ExReleaseSpinLockShared
CmUnRegisterCallback
MmUnlockPagableImageSection
IoStopTimer
IoUnregisterContainerNotification
PoUnregisterPowerSettingCallback
RtlNumberGenericTableElementsAvl
RtlFreeAnsiString
SeUnregisterLogonSessionTerminatedRoutine
KeInitializeDpc
ExAllocatePoolWithTag
KeAreApcsDisabled
KeQueryActiveProcessorCountEx
PsIsSystemThread
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfReleasePushLock
KeGenericCallDpc
KeSignalCallDpcDone
KeSignalCallDpcSynchronize
KeReleaseMutex
ExDeletePagedLookasideList
RtlLengthSid
SeQueryAuthenticationIdToken
SeQueryInformationToken
PsReferencePrimaryToken
PsDereferencePrimaryToken
PsGetProcessSessionId
RtlFreeUnicodeString
ZwCreateKey
ZwOpenKey
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmIsDriverVerifying
KeAreAllApcsDisabled
ExRaiseStatus
ExQueueWorkItem
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoVolumeDeviceToDosName
ZwQueryVolumeInformationFile
ObQueryNameString
RtlInitAnsiStringEx
RtlAnsiStringToUnicodeString
RtlStringFromGUID
NtQueryInformationTransactionManager
NtQueryInformationTransaction
NtQueryInformationEnlistment
NtQueryInformationResourceManager
KeInitializeTimerEx
KeCancelTimer
KeSetTimerEx
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
ExAcquireRundownProtection
ExReleaseRundownProtection
PsTerminateSystemThread
ZwTerminateProcess
NtQueryInformationToken
NtClose
SeLocateProcessImageName
PsIsThreadTerminating
PsLookupThreadByThreadId
ZwQueryVirtualMemory
ExEnumHandleTable
ExfUnblockPushLock
ObGetObjectType
MmMapViewOfSection
MmUnmapViewOfSection
KeQueryPrcbAddress
KeInsertQueueApc
KeInitializeApc
ZwQuerySection
PsReferenceProcessFilePointer
KdDebuggerEnabled
MmSectionObjectType
towupper
RtlHashUnicodeString
RtlFindNextForwardRunClear
KeFlushQueuedDpcs
KeInitializeMutex
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeIpiGenericCall
KeQueryTimeIncrement
KeQueryHighestNodeNumber
KeGetProcessorNumberFromIndex
ExAllocatePoolWithQuotaTag
ExInitializePagedLookasideList
ExSetTimerResolution
ExUnregisterCallback
MmSizeOfMdl
PsCreateSystemThread
PsGetVersion
RtlEnumerateGenericTableAvl
RtlWalkFrameChain
MmGetVirtualForPhysical
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetCurrentThreadId
RtlCaptureContext
PsGetProcessExitTime
ObMakeTemporaryObject
ZwQuerySystemInformation
ZwQueryInformationProcess
ZwQueryInformationThread
RtlLookupFunctionEntry
RtlVirtualUnwind
KeCapturePersistentThreadState
strncmp
_strnicmp
RtlInitAnsiString
MmAllocateContiguousMemory
MmFreeContiguousMemory
RtlCompareString
KeBugCheckEx
KeLeaveCriticalRegion
RtlUnicodeStringToAnsiString
ObfDereferenceObject
KeEnterCriticalRegion
KeGetCurrentIrql
ObfReferenceObject
RtlCompareMemory
MmLockPagableSectionByHandle
hal
KeStallExecutionProcessor
Sections (note: alongside the standard .text/.rdata/.data/.pdata/INIT/.reloc/.rsrc sections, the image carries several sections with non-standard or garbage-like names — .[}w, .sI:, .vlizer, .`?], .*u1, .uiM, .l1 — and the three large ones (.`?] at 5.5MB, .uiM at 6.9MB, .vlizer at 600KB) account for nearly all of the 13.6MB file. Two of them, .vlizer and .l1, are mapped readable, writable and executable, which a compiler-built driver does not normally produce and which is consistent with a packer or code virtualizer; the 8KB .pdata is also small for this much executable code, suggesting the large sections are not ordinary compiled functions — confirm by unpacking or dynamic analysis. Expect the static import list and any string-based signatures to be incomplete until the protected code is recovered.)
.text Size: 472KB - Virtual size: 472KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 60KB - Virtual size: 60KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.[}w Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.sI: Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.vlizer Size: 600KB - Virtual size: 600KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.`?] Size: 5.5MB - Virtual size: 5.5MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.*u1 Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.uiM Size: 6.9MB - Virtual size: 6.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 760B - Virtual size: 760B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.l1 Size: 14KB - Virtual size: 14KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE