b564759998cd476e05c0ca568fa40b01

Sharing

Copy URL

Twitter E-mail

General

Target

b564759998cd476e05c0ca568fa40b01
Size

19KB
MD5

b564759998cd476e05c0ca568fa40b01
SHA1

7118ab67fc66c0cf7bef001497771d7b5fc6fcd7
SHA256

ade609286073f7d8018aad3c415bcfbe7e89c53d321133c0158ae8c1ed01e99b
SHA512

0c3cb524e125ba38712d50d89f196283c7b35fb68cc22b4ab5fbfef578cbdfee3d1765c14405873c141f9151a6f0d82c9bf1da2ae7bdf41e7e3b8c68532266a8
SSDEEP

384:rRaoFXj/fPhIhAtUdnBGcdrDbVU6fVbslkcMReC:rRaEXj/3udBnrvO6fVYlkcMn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b564759998cd476e05c0ca568fa40b01

Files

b564759998cd476e05c0ca568fa40b01
.sys windows:6 windows x86 arch:x86

790e86feb930b3ceb35c7783a7d6bf6a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb

Imports

ntoskrnl.exe

RtlInitUnicodeString
ZwClose
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ExAllocatePoolWithTag
_alldiv
ZwDeleteFile
swprintf
RtlRandom
memcpy
memset
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
_stricmp
ZwQuerySystemInformation
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
KeServiceDescriptorTable
MmIsAddressValid
KeAddSystemServiceTable
PsLookupProcessByProcessId
RtlEqualUnicodeString
ObfDereferenceObject
ZwTerminateProcess
ZwCreateFile
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeInitializeDpc
KeNumberProcessors
RtlImageNtHeader
KeUnstackDetachProcess
KeStackAttachProcess
ExAllocatePool
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
IoCreateSymbolicLink
IoCreateDevice
ProbeForRead
MmHighestUserAddress
ExGetPreviousMode
MmGetSystemRoutineAddress
PsTerminateSystemThread
KeWaitForSingleObject
ObReferenceObjectByHandle
PsCreateSystemThread
KeInitializeEvent
KeSetEvent
KeTickCount
KeBugCheckEx
RtlUnwind
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
ObOpenObjectByPointer
ExFreePoolWithTag

hal

KfAcquireSpinLock
KeStallExecutionProcessor
KfReleaseSpinLock

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 836B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 678B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

790e86feb930b3ceb35c7783a7d6bf6a

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 836B

.data Size: 512B - Virtual size: 372B

INIT Size: 2KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 678B

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 836B

.data
Size: 512B - Virtual size: 372B

INIT
Size: 2KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 678B