Static task
static1
General
- Target: s.sys
- Size: 17KB
- MD5: f7a24a57220627c5107ad3d62b59f605
- SHA1: e67d3b113b9dc7500de48c81d9ee1851ea479577
- SHA256: 3f8b597b6ca2320155922be4a7d6ac69ea26a67137a017767c524d6802036c85
- SHA512: 35f0881f43891939294108f8192e2d709e79eee50c2fe28bb4aa03565371e9e8ed98fad2ad1c77bda7c6cca1a32570f4a7a55bc9bb7a219e712b67612fef4f3b
- SSDEEP: 192:fLEPbewH1BVZYewzNZEc+Pb0Z7u6lFgMOcnT:wPywvyzNmALlFnOc
Malware Config
Signatures
- Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource s.sys
Files
- s.sys.sys windows:10 windows x64 arch:x64
9cd3a2254af2c5c16a99addca383bf7f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntoskrnl.exe
MmIsAddressValid
ExAllocatePool
RtlAnsiStringToUnicodeString
ZwQuerySystemInformation
RtlEqualUnicodeString
RtlRandomEx
ObfDereferenceObject
RtlFreeUnicodeString
RtlInitUnicodeString
MmGetPhysicalAddress
strcmp
IoGetDeviceObjectPointer
RtlInitAnsiString
MmGetSystemRoutineAddress
ExFreePoolWithTag
ObReferenceObjectByName
ZwTerminateProcess
MmMapLockedPagesSpecifyCache
IofCompleteRequest
MmAllocateContiguousMemory
IoDriverObjectType
ZwOpenProcess
Sections
.text Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1024B - Virtual size: 828B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 10KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 264B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 1024B - Virtual size: 746B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE