RwDrv[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

RwDrv.sys
Size

21KB
MD5

60e84516c6ec6dfdae7b422d1f7cab06
SHA1

66e95daee3d1244a029d7f3d91915f1f233d1916
SHA256

d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
SHA512

d9cd37b62bfaf307bd16ee99031f5ec85fdf0f020addfe49948951c0206d778042c61e69200fb202013bc260c955e05be721782259486df82a0f5c79e242212b
SSDEEP

384:jstJEZ68E7B1zdjfFNVjkNY0Hm5yyOtd0Pn2KSYhPLjYM:jstJEZ68CvdjxoNYCm5yyed0P2Lw

Score

1^/10

Malware Config

Signatures

Files

RwDrv.sys
.sys windows:6 windows x64 arch:x64

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

31/07/2012, 20:41

Not After

01/08/2013, 20:41

Subject

CN=ChongKim Chan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

Actual PE Digest

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
ExFreePoolWithTag
IoRegisterPlugPlayNotification
MmFreeContiguousMemorySpecifyCache
RtlInitUnicodeString
IoDeleteDevice
IoFreeWorkItem
KeInitializeEvent
RtlQueryRegistryValues
KeReleaseSpinLock
MmUnmapIoSpace
IoFreeMdl
MmGetPhysicalAddress
IoGetDeviceObjectPointer
IoBuildAsynchronousFsdRequest
ExInterlockedInsertTailList
IoBuildDeviceIoControlRequest
MmMapIoSpace
IoUnregisterPlugPlayNotification
IofCompleteRequest
KeWaitForSingleObject
IoFreeIrp
RtlCompareMemory
MmUnlockPages
IoCreateSymbolicLink
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
IoQueueWorkItem
MmAllocateContiguousMemorySpecifyCache
IofCallDriver
KeAcquireSpinLockRaiseToDpc
KeBugCheckEx
IoAllocateWorkItem
ExAllocatePoolWithTag

hal

KeStallExecutionProcessor

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 764B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

955e7b12a8fa06444c68e54026c45de1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ffCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48Signer

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 764B

.data Size: 512B - Virtual size: 272B

.pdata Size: 512B - Virtual size: 276B

INIT Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 880B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:8f:56:da:fd:75:42:d5:f3:d7:0b:21:3e:2a:54:6c:ff
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

39:25:7f:b8:6d:f8:88:20:7e:4f:3a:77:68:56:1b:4a:b1:55:78:48
Signer

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 764B

.data
Size: 512B - Virtual size: 272B

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 880B