Ntware[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Ntware.sys
Size

2.5MB
MD5

b33470e6f036b3a08d48f54bc689f64b
SHA1

578c1e0ddce85b3529cfd8fe57378e6b892ba4f0
SHA256

3311dcce9844f5b3c7a671b341b3e1e129dc1d72c6f240d3f661d5ba724fea7f
SHA512

71a3c5cfff9e56f26ff2250b17156795c99ada16908222bb6c136be3f9e756ffefcf9c1d1121bf9dad8c4debbc7dc12543939f148c7eb1df76768c7d1c8dbc6a
SSDEEP

49152:ealfhCtdXcJV82rNoogrQc806Pb7niWbeCY3gqwYrhwbRgw5U0JkC9zcKfRS:rlfhCbUpNPzc800n/eOSwbRgSJPtR

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Ntware.sys

Files

Ntware.sys
.sys windows:10 windows x64 arch:x64

3bf17df88af4d2fe330ec7e591dbed0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInitUnicodeString
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

hal

KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 792B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3bf17df88af4d2fe330ec7e591dbed0b

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 21KB

.rdata Size: - Virtual size: 1KB

.data Size: - Virtual size: 56B

.pdata Size: - Virtual size: 420B

INIT Size: - Virtual size: 792B

.vmp0 Size: - Virtual size: 1.3MB

.vmp1 Size: 512B - Virtual size: 8B

.vmp2 Size: 2.5MB - Virtual size: 2.5MB

.reloc Size: 512B - Virtual size: 168B

.text
Size: - Virtual size: 21KB

.rdata
Size: - Virtual size: 1KB

.data
Size: - Virtual size: 56B

.pdata
Size: - Virtual size: 420B

INIT
Size: - Virtual size: 792B

.vmp0
Size: - Virtual size: 1.3MB

.vmp1
Size: 512B - Virtual size: 8B

.vmp2
Size: 2.5MB - Virtual size: 2.5MB

.reloc
Size: 512B - Virtual size: 168B