Static task
static1
General
Target
ddf10685ca84acbed6be04194152076a3633838b7e651c2a08a30761b02b93b1
Size
1.9MB
MD5
7230dd74a2630580afb4c4faa831daee
SHA1
e42eccfd89a312c2b0bd3be0183d072e7d533b14
SHA256
ddf10685ca84acbed6be04194152076a3633838b7e651c2a08a30761b02b93b1
SHA512
c4d15a56828e0291176250c84a241f4df702956e05e00dbe4c2ae8632c0e0b970d3f56afddaaeed58c8dac7f978021e6505a0d5ef25c2c3c586a833f7f26dc92
SSDEEP
24576:6VTDZVvrVMKcebbhXHfIc5l8T7q+BjZuS3OcFb2QnqPu9zOYvin6/v/fNTeDoNy4:6VTDZV2KcEbmcQ7qwCIAhZGwpWc3CImD
Malware Config
Signatures
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource ddf10685ca84acbed6be04194152076a3633838b7e651c2a08a30761b02b93b1
Files
ddf10685ca84acbed6be04194152076a3633838b7e651c2a08a30761b02b93b1.sys windows:10 windows x64 arch:x64
fddea36cc99d6a4410a0b54858047212
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntoskrnl.exe
PsAcquireProcessExitSynchronization
PsReleaseProcessExitSynchronization
KeSetEvent
ExEventObjectType
wcscat_s
ZwClose
ZwCreateKey
ZwOpenKey
ZwDeleteKey
ZwSetValueKey
ZwDeleteFile
KeAreAllApcsDisabled
KeDeregisterBugCheckReasonCallback
KeRegisterBugCheckReasonCallback
IoCreateNotificationEvent
KeInitializeGuardedMutex
strcpy_s
RtlInitAnsiString
RtlAnsiStringToUnicodeString
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
PsGetCurrentThreadId
PsGetProcessCreateTimeQuadPart
PsGetProcessExitStatus
PsGetProcessPeb
ObOpenObjectByPointer
PsGetProcessSessionId
PsGetProcessInheritedFromUniqueProcessId
ZwFreeVirtualMemory
PsReferenceProcessFilePointer
ZwCreateFile
ZwDeviceIoControlFile
RtlNtStatusToDosError
ZwFsControlFile
ZwWaitForSingleObject
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
PsGetThreadId
IoFileObjectType
ExSemaphoreObjectType
PsProcessType
PsThreadType
PsJobType
SeTokenObjectType
ObReferenceObjectByHandle
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
RtlFreeUnicodeString
KeIpiGenericCall
ProbeForWrite
PsCreateSystemThread
RtlRandomEx
KeClearEvent
IoCreateDevice
IoCreateSymbolicLink
IoRegisterShutdownNotification
IoUnregisterShutdownNotification
MmUnsecureVirtualMemory
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
IoAllocateMdl
IoFreeMdl
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlIsGenericTableEmptyAvl
RtlUpcaseUnicodeString
RtlTimeToTimeFields
ExSystemTimeToLocalTime
RtlEqualUnicodeString
RtlCopyUnicodeString
RtlWalkFrameChain
KeWaitForMultipleObjects
PsGetProcessId
KeTryToAcquireGuardedMutex
ObfReferenceObject
ObDereferenceObjectDeferDelete
PsIsThreadTerminating
PsGetThreadProcess
KeInitializeDpc
KeSetTargetProcessorDpc
KeFlushQueuedDpcs
KeInitializeTimer
KeSetTimer
KeQueryActiveProcessorCountEx
KeGetCurrentProcessorNumberEx
RtlIntegerToUnicodeString
RtlAppendUnicodeToString
SeQuerySessionIdToken
PsReferencePrimaryToken
PsDereferencePrimaryToken
ObQueryNameString
KeUnstackDetachProcess
KeCancelTimer
KeSetTimerEx
PsSetCreateProcessNotifyRoutineEx
KeDelayExecutionThread
KeQueryTimeIncrement
KeQueryActiveProcessors
MmGetSystemRoutineAddress
MmBuildMdlForNonPagedPool
PsGetVersion
MmUserProbeAddress
PsGetProcessImageFileName
ZwFlushKey
ZwQueryValueKey
RtlCompareMemory
ExAcquireRundownProtection
ExReleaseRundownProtection
PsGetThreadProcessId
IoVolumeDeviceToDosName
PsInitialSystemProcess
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlInsertElementGenericTableFullAvl
MmGetVirtualForPhysical
IoDriverObjectType
RtlUnicodeStringToInteger
RtlInt64ToUnicodeString
KeNumberProcessors
RtlCompareString
RtlEnumerateGenericTableWithoutSplayingAvl
ZwOpenThread
ZwOpenDirectoryObject
ZwEnumerateKey
IoCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
IoCreateFileSpecifyDeviceObjectHint
NtQueryDirectoryFile
IoGetBaseFileSystemDeviceObject
IoQueryFileInformation
ProbeForRead
PsGetProcessWow64Process
RtlImageDirectoryEntryToData
RtlQueryAtomInAtomTable
PsGetThreadWin32Thread
MmAllocateContiguousMemory
MmProtectMdlSystemAddress
ZwQueryObject
NtClose
ObGetObjectType
ExAcquireFastMutex
ExReleaseFastMutex
RtlUpcaseUnicodeChar
RtlUpcaseUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN
ZwQuerySystemInformation
ZwSetSecurityObject
IoDeviceObjectType
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetSaclSecurityDescriptor
SeCaptureSecurityDescriptor
_snwprintf
RtlLengthSecurityDescriptor
SeExports
RtlCreateSecurityDescriptor
wcschr
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedAce
RtlLengthSid
IoIsWdmVersionAvailable
RtlSetDaclSecurityDescriptor
ExAllocatePoolWithTag
KeReleaseGuardedMutex
KeAcquireGuardedMutex
RtlCompareUnicodeString
__C_specific_handler
RtlAppendStringToString
RtlPrefixUnicodeString
ObfDereferenceObject
IoGetAttachedDeviceReference
IofCallDriver
IoBuildSynchronousFsdRequest
ExFreePoolWithTag
ExAllocatePool
KeWaitForSingleObject
KeInitializeEvent
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlInitUnicodeString
PsGetCurrentProcessId
IoGetCurrentProcess
KeBugCheckEx
PsLookupProcessByProcessId
MmIsAddressValid
MmGetPhysicalAddress
KeInitializeTimerEx
KeStackAttachProcess
MmGetPhysicalMemoryRanges
PsLookupThreadByThreadId
ZwQueryInformationThread
KeInitializeApc
KeInsertQueueApc
MmAllocateMappingAddress
MmFreeMappingAddress
ZwOpenProcess
ZwDeleteValueKey
ZwCreateSection
MmMapViewInSystemSpace
MmUnmapViewInSystemSpace
RtlGetVersion
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
RtlAppendUnicodeStringToString
ZwUnloadDriver
ZwQueryInformationProcess
PsIsSystemThread
KeAreApcsDisabled
HalDispatchTable
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeGetProcessorNumberFromIndex
MmFreeContiguousMemory
MmProbeAndLockProcessPages
ObReferenceObjectByName
IoAllocateIrp
IoFreeIrp
wcsncpy_s
IoGetLowerDeviceObject
CcCoherencyFlushAndPurgeCache
ExFreePool
PsTerminateSystemThread
MmUnmapIoSpace
ZwLoadDriver
MmMapIoSpace
fltmgr.sys
FltSetInformationFile
FltReleaseFileNameInformation
FltEnumerateFilters
FltStartFiltering
FltUnregisterFilter
FltRegisterFilter
FltObjectDereference
FltEnumerateInstances
FltGetVolumeProperties
FltGetVolumeFromInstance
FltClose
FltGetFileNameInformationUnsafe
FltWriteFile
FltReadFile
FltCreateFileEx
FltGetVolumeName
FltParseFileNameInformation
FltGetFileNameInformation
FltFreePoolAlignedWithTag
FltAllocatePoolAlignedWithTag
FltGetRequestorProcessId
hidparse.sys
HidP_GetCollectionDescription
hal
KeStallExecutionProcessor
HalGetBusDataByOffset
KeQueryPerformanceCounter
Sections
.text Size: 680KB - Virtual size: 680KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 290KB - Virtual size: 289KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 9KB - Virtual size: 2.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 29KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
PAGE Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
INIT Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 1000B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 468B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.tvm0 Size: 856KB - Virtual size: 856KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ