General
Target
8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
Size
59KB
MD5
491aec2249ad8e2020f9f9b559ab68a8
SHA1
8692274681e8d10c26ddf2b993f31974b04f5bf0
SHA256
8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
SHA512
473b18825081094f34fb3ee72a349d44f16a850136a64573998a80a1b4f8b1e2e41920087f36cfd9f7e27afcaaaae598eecf4852d036eeac7b463d8049a30f67
SSDEEP
1536:b9M1+VhfVezgZ/mwtpkejfOv8ShmGRmC:b9MMey/mwnkIfOvrmi
Malware Config
Signatures
YARA rule match — resource: sample, rule: vmprotect
Unsigned PE 1 IoCs
Checks for a missing Authenticode signature.
resource 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
Files
8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e.sys windows:4 windows x86 arch:x86
f3480dd4af390855eb7d0694543b955b
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
strlen
IoFreeMdl
MmMapLockedPagesSpecifyCache
ZwClose
IofCompleteRequest
KeResetEvent
InterlockedIncrement
KeSetEvent
InterlockedDecrement
RtlUnicodeStringToInteger
RtlInitUnicodeString
KeInitializeEvent
wcsncmp
wcscat
wcslen
wcscpy
MmBuildMdlForNonPagedPool
IoAllocateMdl
strncmp
MmMapLockedPages
MmProbeAndLockPages
MmUnlockPages
MmUnmapLockedPages
RtlFreeUnicodeString
ZwWriteFile
ZwCreateFile
RtlAnsiStringToUnicodeString
strcat
ZwReadFile
ZwQueryInformationFile
_wcsnicmp
strcmp
_stricmp
MmGetSystemRoutineAddress
ZwQueryValueKey
ZwOpenKey
IoCreateFile
KeWaitForMultipleObjects
strcpy
RtlUnwind
vsprintf
KeWaitForSingleObject
KeDelayExecutionThread
PsTerminateSystemThread
PsCreateSystemThread
ObReferenceObjectByHandle
ExFreePool
KeInitializeSpinLock
KeTickCount
memset
memcpy
RtlCompareUnicodeString
ExAllocatePoolWithTag
PsGetVersion
ZwTerminateProcess
ZwOpenProcess
RtlSetDaclSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlLengthSid
RtlCreateSecurityDescriptor
ZwWaitForSingleObject
NtFsControlFile
NtWriteFile
NtReadFile
RtlLengthRequiredSid
RtlImageDirectoryEntryToData
ZwQueryInformationProcess
ZwQuerySystemInformation
PsLookupProcessByProcessId
KeAttachProcess
KeDetachProcess
PsLookupThreadByThreadId
KeInitializeApc
KeInsertQueueApc
ZwOpenFile
ZwDeviceIoControlFile
PsThreadType
NtQuerySystemInformation
hal
KfAcquireSpinLock
KfReleaseSpinLock
ndis.sys
NdisAllocateMemory
NdisAllocatePacket
NdisCopyFromPacketToPacket
NdisFreePacket
NdisAllocateBuffer
NdisDeregisterProtocol
NdisRegisterProtocol
NdisAllocateBufferPool
NdisAllocatePacketPool
NdisFreeBufferPool
NdisFreePacketPool
NdisFreeMemory
Sections
.text Size: 38KB - Virtual size: 37KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 776KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp0 Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp1 Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ