rxx[.]sys | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

rxx.sys
Size

3.5MB
MD5

f95708e3a2ba8b78393f368e792f11e2
SHA1

62d68659b2ffa6733f4ee650a4e6867dcc911e90
SHA256

1c0d121d0cf1bf32b7521dd4ca197ead0973fd328fa19524564e60d02ad5f650
SHA512

1e127caef40ec471104c94b2610a89b9ff32bdc2975dc2ce1792d97bc3911ec68f84b4520bb41d6fe8b9ccb4c9608c1d0a14b40dc043672b6885fa500538127d
SSDEEP

49152:IKuId15Xg9TSfoD385sUNYN4p3mFv3pO4FfeglqpBgdWRGQCA9rM842K/jiwiJSm:IKly9KG3vhFvI6GbB0iGQLmDj0W2Ctut

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

rxx.sys
.sys windows:10 windows x64 arch:x64

b46debddc32eca54cb4aad6db1258ddf

Code Sign

20:8f:bb:37:ed:15:9e:8d:48:4b:04:6c:5a:17:24:58
Certificate

Issuer

CN=WDKTestCert User\,133212064982417608

Not Before

18/02/2023, 15:08

Not After

18/02/2033, 00:00

Subject

CN=WDKTestCert User\,133212064982417608

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageKeyEncipherment
KeyUsageDataEncipherment

c1:6c:db:2e:ae:a4:94:d6:ce:80:23:10:c8:e0:04:ae:78:3f:1b:80
Signer

Actual PE Digest

c1:6c:db:2e:ae:a4:94:d6:ce:80:23:10:c8:e0:04:ae:78:3f:1b:80

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

netio.sys

WskCaptureProviderNPI

ntoskrnl.exe

RtlUnicodeStringToAnsiString
_stricmp
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

hal

KeQueryPerformanceCounter
KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b46debddc32eca54cb4aad6db1258ddf

Code Sign

20:8f:bb:37:ed:15:9e:8d:48:4b:04:6c:5a:17:24:58Certificate

Extended Key Usages

Key Usages

c1:6c:db:2e:ae:a4:94:d6:ce:80:23:10:c8:e0:04:ae:78:3f:1b:80Signer

Headers

DLL Characteristics

File Characteristics

Imports

netio.sys

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 6KB

.rdata Size: - Virtual size: 1KB

.data Size: - Virtual size: 1KB

.pdata Size: - Virtual size: 420B

INIT Size: - Virtual size: 1KB

.vmp0 Size: - Virtual size: 2.3MB

.vmp1 Size: 512B - Virtual size: 8B

.vmp2 Size: 3.5MB - Virtual size: 3.5MB

.reloc Size: 512B - Virtual size: 172B

20:8f:bb:37:ed:15:9e:8d:48:4b:04:6c:5a:17:24:58
Certificate

c1:6c:db:2e:ae:a4:94:d6:ce:80:23:10:c8:e0:04:ae:78:3f:1b:80
Signer

.text
Size: - Virtual size: 6KB

.rdata
Size: - Virtual size: 1KB

.data
Size: - Virtual size: 1KB

.pdata
Size: - Virtual size: 420B

INIT
Size: - Virtual size: 1KB

.vmp0
Size: - Virtual size: 2.3MB

.vmp1
Size: 512B - Virtual size: 8B

.vmp2
Size: 3.5MB - Virtual size: 3.5MB

.reloc
Size: 512B - Virtual size: 172B