BthA2dp[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

BthA2dp.sys
Size

280KB
MD5

4e6f56f1c1a1418dc10733810346eb6e
SHA1

82b21abcbbef304f13c770add54f9bfea7804df7
SHA256

392e66d02aa2399b522555af76af728bd4b2126b998a9644b834df2d73cbbc63
SHA512

35985a5a26d4bc45531588c2cf6a96a0e2b21870d4c875c2973ee98a2371643e8f06a6ce19a48979b61da10fe68e7eb9302cd977fdbae55e5086c9b6992a2d29
SSDEEP

6144:v5WMqX/nZWGJMLNSH7kwmbJC/ZOnppxNhayOraWsTt6GX:BWMqvngGJMLN67kFkBOnJPayRXToG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
BthA2dp.sys

Files

BthA2dp.sys
.sys windows:10 windows x64 arch:x64

a5feab02085e09d1ba883385ea27a988

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_WDM_DRIVER
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

btha2dp.pdb

Imports

ntoskrnl.exe

EtwActivityIdControl
ExCancelTimer
ExAllocateTimer
ExSetTimer
RtlNotifyFeatureUsage
KeQuerySystemTimePrecise
IoRegisterDeviceInterface
IoSetDevicePropertyData
ZwQueryWnfStateData
KeQueryUnbiasedInterruptTime
RtlQueryFeatureConfiguration
IoSetDeviceInterfacePropertyData
IoQueueWorkItemEx
EtwWriteTransfer
KeQueryInterruptTimePrecise
IoCsqInsertIrp
IoCsqRemoveNextIrp
IoCsqInitialize
ZwOpenKey
RtlRegisterFeatureConfigurationChangeNotification
DbgPrintEx
ZwClose
IoWMIRegistrationControl
ZwQueryValueKey
MmGetSystemRoutineAddress
RtlCopyUnicodeString
RtlInitUnicodeString
RtlAppendUnicodeToString
ExFreePool
IofCompleteRequest
IofCallDriver
KeCancelTimer
KeClearEvent
IoBuildDeviceIoControlRequest
KeInitializeTimer
IoInitializeRemoveLockEx
KeInitializeDpc
IoReleaseRemoveLockEx
IoAcquireRemoveLockEx
EtwSetInformation
KeResetEvent
KeWaitForSingleObject
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
IoFreeWorkItem
IoGetDeviceInterfaces
IoGetDeviceObjectPointer
ObfDereferenceObject
IoFreeIrp
IoSetCompletionRoutineEx
IoAllocateIrp
IoReleaseRemoveLockAndWaitEx
IoCancelIrp
IoReleaseCancelSpinLock
KeQueryTimeIncrement
RtlFreeAnsiString
RtlFreeUnicodeString
RtlUnicodeStringToAnsiString
RtlInitAnsiString
KseQueryDeviceFlags
MmIsDriverVerifyingByAddress
RtlQueryRegistryValuesEx
DbgkWerCaptureLiveKernelDump
KeSetEvent
KeReleaseSpinLock
KeInitializeSpinLock
KeAcquireSpinLockRaiseToDpc
IoAllocateWorkItem
RtlQueryFeatureConfigurationChangeStamp
RtlUnregisterFeatureConfigurationChangeNotification
EtwUnregister
EtwRegister
RtlAnsiCharToUnicodeChar
KeSetTimer
memcmp

hal

KeQueryPerformanceCounter

ks.sys

KsGetNodeIdFromIrp
KsGetObjectFromFileObject
KsGenerateEvent
KsDefaultAddEventHandler
KsGetPinFromIrp
KsAddEvent
KsInitializeDriver
KsReleaseControl
KsCompletePendingRequest
KsStreamPointerAdvance
KsPinAcquireProcessingMutex
KsStreamPointerGetNextClone
KsStreamPointerClone
KsPinReleaseProcessingMutex
KsStreamPointerUnlock
KsPinGetFirstCloneStreamPointer
KsPinGetLeadingEdgeStreamPointer
KsStreamPointerSetStatusCode
KsStreamPointerAdvanceOffsets
KsGetFilterFromIrp
KsGetDevice
KsAcquireControl
KsStreamPointerDelete
KsGetDeviceForDeviceObject
KsFilterFactoryGetSymbolicLink
KsFilterFactoryUpdateCacheData
KsGetNextSibling
KsFreeObjectCreateItemsByContext
KsGetParent
KsReleaseDevice
KsFreeObjectBag
KsAllocateObjectBag
KsPinGetParentFilter
_KsEdit
KsGetFirstChild
KsPinAttemptProcessing
KsFilterFactorySetDeviceClassesState
KsAcquireDevice
KsGenerateEvents
KsCreateFilterFactory

btampm.sys

BtaMpmGetRemoteDeviceProfileVersionAndAttribute
BtaMpmUpdatePlayStatus
BtaMpmRegister
BtaMpmUnregister
BtaMpmUpdateSuspendStatus
BtaMpmUnregisterPnp
BtaMpmConnectionRequest
BtaMpmBuildIndirectStringFromMessageWithSingleUTF8Arg
BtaMpmRegisterPnp
BtaMpmUpdateConnectionStatus

wpprecorder.sys

imp_WppRecorderReplay
WppAutoLogStart
WppAutoLogTrace
WppAutoLogStop

sleepstudyhelper.sys

SleepstudyHelper_ComponentActive
SleepstudyHelper_UnregisterComponent
SleepstudyHelper_RegisterComponentEx
SleepstudyHelper_ComponentInactive
SleepstudyHelper_GenerateGuid
SleepstudyHelper_Uninitialize
SleepstudyHelper_Initialize
SleepstudyHelper_GetPdoFriendlyName

wdfldr.sys

WdfVersionUnbind
WdfVersionBind
WdfVersionUnbindClass
WdfVersionBindClass

ksecdd.sys

BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptHashData
BCryptDestroyHash
BCryptCreateHash

Sections

.text
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

NONPAGE
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 598B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GFIDS
Size: 1024B - Virtual size: 876B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a5feab02085e09d1ba883385ea27a988

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

ks.sys

btampm.sys

wpprecorder.sys

sleepstudyhelper.sys

wdfldr.sys

ksecdd.sys

Sections

.text Size: 191KB - Virtual size: 191KB

.rdata Size: 28KB - Virtual size: 28KB

.data Size: 1024B - Virtual size: 6KB

.pdata Size: 8KB - Virtual size: 7KB

.idata Size: 6KB - Virtual size: 6KB

NONPAGE Size: 512B - Virtual size: 176B

PAGE Size: 24KB - Virtual size: 23KB

INIT Size: 1024B - Virtual size: 598B

GFIDS Size: 1024B - Virtual size: 876B

.rsrc Size: 11KB - Virtual size: 10KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 191KB - Virtual size: 191KB

.rdata
Size: 28KB - Virtual size: 28KB

.data
Size: 1024B - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 7KB

.idata
Size: 6KB - Virtual size: 6KB

NONPAGE
Size: 512B - Virtual size: 176B

PAGE
Size: 24KB - Virtual size: 23KB

INIT
Size: 1024B - Virtual size: 598B

GFIDS
Size: 1024B - Virtual size: 876B

.rsrc
Size: 11KB - Virtual size: 10KB

.reloc
Size: 6KB - Virtual size: 6KB