Static task
static1
General
Target: c5b04a72a825e3bd69053cc234d1d25db8493d091666036cc10572cf04ee97c9
Size: 2.0MB
MD5: 4d453cef9f3d3210ebb1b4e4e5b6c1af
SHA1: 4d358680609f317bf53c4b992867078d1c77f27e
SHA256: c5b04a72a825e3bd69053cc234d1d25db8493d091666036cc10572cf04ee97c9
SHA512: 8a0abf4fdde4a4c315e6cae4fe5187cd07449b6216606918dbf3d4e207001f2927e1fefa659913e5693cf20e70231bfc8f43e790c8abfd811f3a478a43576239
SSDEEP: 24576:EnPCSOQ+a6i4v6594gPuPP18IBSldive37SohpOQgK7GDMl2dbLoEJGNQnoN:8PCSOsxT4gPuX5Y36K7lOFK7t4pUYoN
Malware Config
Signatures
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource c5b04a72a825e3bd69053cc234d1d25db8493d091666036cc10572cf04ee97c9
Files
c5b04a72a825e3bd69053cc234d1d25db8493d091666036cc10572cf04ee97c9.sys windows:10 windows x64
7fdd92e158e22caf79f8c18d1ac409ca
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntoskrnl.exe
ExAllocatePoolWithTag
ExFreePoolWithTag
MmUnlockPages
IoFreeMdl
ObReferenceObjectByHandle
ObReferenceObjectByHandleWithTag
ObCloseHandle
ObfDereferenceObject
ZwClose
IoCreateFileEx
MmFlushImageSection
ZwDeleteFile
IoFileObjectType
_strnicmp
RtlUpperChar
MmHighestUserAddress
KeGetCurrentIrql
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
PsGetVersion
IoAllocateMdl
IoGetCurrentProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ZwAllocateVirtualMemory
__C_specific_handler
MmSystemRangeStart
MmUserProbeAddress
_wcsnicmp
RtlAppendUnicodeStringToString
KeAreAllApcsDisabled
ExRaiseStatus
ExQueueWorkItem
IoCreateFile
IoGetDeviceObjectPointer
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
MmIsAddressValid
IoVolumeDeviceToDosName
ZwOpenDirectoryObject
KeDelayExecutionThread
KeAreApcsDisabled
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
ExAcquireRundownProtection
ExReleaseRundownProtection
ObfReferenceObject
KeWaitForSingleObject
PsGetThreadProcessId
ZwTerminateProcess
PsIsSystemThread
ObOpenObjectByPointer
ObGetObjectType
ExfAcquirePushLockShared
ExfReleasePushLock
ZwQuerySystemInformation
ZwQueryInformationProcess
PsProcessType
PsThreadType
PsInitialSystemProcess
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
_stricmp
RtlCompareMemory
KeQueryActiveProcessorCountEx
ExEnterCriticalRegionAndAcquireResourceShared
PsGetCurrentThreadId
IoDriverObjectType
towlower
strncpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
ExInitializeResourceLite
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
ObRegisterCallbacks
ObGetFilterVersion
ExUuidCreate
PsSetCreateProcessNotifyRoutine
ZwQueryVirtualMemory
_vsnwprintf
RtlPcToFileHeader
PsGetProcessSectionBaseAddress
IoCreateDriver
KdDebuggerEnabled
KeBugCheckEx
KeSetEvent
KeInitializeEvent
Sections
.text Size: 44KB - Virtual size: 44KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 864B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE