mbam[.]sys | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

mbam.sys
Size

76KB
MD5

113e213914c40631aedef185984c5629
SHA1

57bf886bfe1e4d765ea43e4c91709a5c4a9a024a
SHA256

d314cea3ba19c49342763fca6b64a33f12d730a8fa531ed9f7e75675035ba004
SHA512

76d7286963f28430d8a9bc3b59adf209b5fceb6a5248b7be54c60fff0b931ba2cf46a779f7e66008baa0853ad6ce55a4b9dd56e33574230d1e2588f7679630b8
SSDEEP

1536:QkEElCu6gM/8il90G7j0xK4TnUUM3f9k9xzDq:3zB6gGJ0A0xK4Tn1MVkjS

Score

1^/10

Malware Config

Signatures

Files

mbam.sys
.sys windows:10 windows x64 arch:x64

865dfff333a22ccd9d96b9a9fc534da1

Code Sign

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14/09/2023, 19:14

Not After

04/09/2024, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e0:a4:19:fe:d3:7d:57:b4:eb:f0:88:7e:19:f9:43:a7:f0:9c:d4:26:bb:a5:a3:dd:30:4d:38:57:9e:74:04:96
Signer

Actual PE Digest

e0:a4:19:fe:d3:7d:57:b4:eb:f0:88:7e:19:f9:43:a7:f0:9c:d4:26:bb:a5:a3:dd:30:4d:38:57:9e:74:04:96

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\jenkins\workspace\N_Rtp_Kernel\bin\x64\Win7_Release\mbam.pdb

Imports

fltmgr.sys

FltCreateFileEx
FltReadFile
FltQueryInformationFile
FltClose
FltSendMessage
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltWriteFile
FltSetInformationFile
FltAllocateContext
FltSetInstanceContext
FltSetStreamHandleContext
FltGetInstanceContext
FltGetStreamHandleContext
FltReleaseContext
FltGetVolumeFromName
FltGetVolumeInstanceFromName
FltGetVolumeFromFileObject
FltObjectDereference
FltAllocateGenericWorkItem
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltGetRequestorProcessId
FltFindExtraCreateParameter
FltGetEcpListFromCallbackData
FltIsEcpFromUserMode
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltCreateCommunicationPort
FltCloseCommunicationPort
FltCloseClientPort
FltGetDiskDeviceObject

ntoskrnl.exe

KeSetEvent
KeEnterGuardedRegion
KeLeaveGuardedRegion
KeWaitForMultipleObjects
KeWaitForSingleObject
ExAllocatePoolWithTag
ExFreePoolWithTag
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceLite
ExReleaseResourceAndLeaveCriticalRegion
ExDeleteResourceLite
PsCreateSystemThread
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
__C_specific_handler
PsThreadType
RtlCompareUnicodeString
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlIsGenericTableEmptyAvl
RtlIntegerToUnicodeString
RtlInt64ToUnicodeString
RtlInitUnicodeString
RtlEqualUnicodeString
KeResetEvent
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExEnterCriticalRegionAndAcquireResourceShared
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
ObfReferenceObject
ZwCreateFile
ZwQueryInformationFile
ZwReadFile
RtlPrefixUnicodeString
MmIsAddressValid
ZwTerminateProcess
ZwOpenProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
sprintf
_vsnwprintf
RtlFreeUnicodeString
ZwQuerySystemInformation
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
VerSetConditionMask
RtlGetVersion
RtlVerifyVersionInfo
KeDelayExecutionThread
MmGetSystemRoutineAddress
IoWMIRegistrationControl
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetCurrentProcessId
RtlLengthRequiredSid
RtlInitializeSid
RtlSubAuthoritySid
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoVolumeDeviceToDosName
toupper
towupper
wcschr
ProbeForRead
IoGetDeviceObjectPointer
ZwOpenFile
RtlVolumeDeviceToDosName
FsRtlDissectName
ZwQueryInformationProcess
IoFileObjectType
PsProcessType
KeBugCheckEx
KeInitializeEvent
RtlCopyUnicodeString

hal

KeQueryPerformanceCounter

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

865dfff333a22ccd9d96b9a9fc534da1

Code Sign

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

e0:a4:19:fe:d3:7d:57:b4:eb:f0:88:7e:19:f9:43:a7:f0:9c:d4:26:bb:a5:a3:dd:30:4d:38:57:9e:74:04:96Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fltmgr.sys

ntoskrnl.exe

hal

Sections

.text Size: 51KB - Virtual size: 51KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 1KB - Virtual size: 1KB

PAGE Size: 1KB - Virtual size: 1KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 960B

.reloc Size: 512B - Virtual size: 52B

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

e0:a4:19:fe:d3:7d:57:b4:eb:f0:88:7e:19:f9:43:a7:f0:9c:d4:26:bb:a5:a3:dd:30:4d:38:57:9e:74:04:96
Signer

.text
Size: 51KB - Virtual size: 51KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

PAGE
Size: 1KB - Virtual size: 1KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 960B

.reloc
Size: 512B - Virtual size: 52B