6b291c3497dcfd1a33270aba02d8e650N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

6b291c3497dcfd1a33270aba02d8e650N.exe
Size

901KB
MD5

6b291c3497dcfd1a33270aba02d8e650
SHA1

5143dc31da8ee1ee2de75d5a51eac1684cdc5048
SHA256

cea625aeade3d53b6f201a545ce846d2e92a0953a110a83393e3253a0329bb77
SHA512

6f0aa2b04137079c6307dfff3519628ef322b5d4e15bdc2ffce6bbabbe9f1c28672cdff6654593f8a4dbb335e2b61e51f5ecfb59a0239189e3377c38278b5e65
SSDEEP

12288:w0sYCKt4l6K2mKy7rLK7YtwZQ/8MyNxkvYobphn:RsLtR1vYobph

Score

1^/10

Malware Config

Signatures

Files

6b291c3497dcfd1a33270aba02d8e650N.exe
.sys windows:10 windows x64 arch:x64

ba5905125e70d1749ac2f5f1bbb13ecf

Code Sign

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14/09/2023, 19:14

Not After

04/09/2024, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ee:af:cb:95:e4:e1:44:85:b3:96:50:32:19:96:80:d2:eb:0b:89:2d:92:31:f2:0a:84:d8:f3:01:a1:12:34:5b
Signer

Actual PE Digest

ee:af:cb:95:e4:e1:44:85:b3:96:50:32:19:96:80:d2:eb:0b:89:2d:92:31:f2:0a:84:d8:f3:01:a1:12:34:5b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\builds\DCI-DCI91-ISV_new\bin\x64\Release\bddci4.pdb

Imports

ntoskrnl.exe

IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoWMIRegistrationControl
InitSafeBootMode
_stricmp
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
MmMapLockedPagesSpecifyCache
IofCompleteRequest
IoReleaseCancelSpinLock
KeDelayExecutionThread
KeQueryActiveProcessorCount
PsCreateSystemThread
PsTerminateSystemThread
PsGetCurrentThreadId
_local_unwind
PsThreadType
ProbeForRead
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
PsGetProcessId
IoThreadToProcess
__C_specific_handler
RtlCompareMemory
PcwUnregister
PcwAddInstance
MmBuildMdlForNonPagedPool
RtlGetVersion
RtlDowncaseUnicodeChar
RtlInitUnicodeString
PsSetCreateProcessNotifyRoutineEx
KeBugCheck
KeWaitForSingleObject
KeReleaseMutex
KeInitializeMutex
_purecall
RtlCopyUnicodeString
ZwSetSecurityObject
IoDeviceObjectType
IoCreateDevice
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetSaclSecurityDescriptor
SeCaptureSecurityDescriptor
_snwprintf
RtlLengthSecurityDescriptor
SeExports
RtlCreateSecurityDescriptor
_wcsnicmp
wcschr
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedAce
RtlLengthSid
IoIsWdmVersionAvailable
RtlSetDaclSecurityDescriptor
ZwOpenKey
ZwSetValueKey
ZwQueryValueKey
ZwCreateKey
IoFileObjectType
ObQueryNameString
ObOpenObjectByPointer
PsLookupProcessByProcessId
KeUnstackDetachProcess
KeStackAttachProcess
ZwClose
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
ExReleaseSpinLockExclusive
ExAcquireSpinLockExclusive
ExReleaseSpinLockShared
ExAcquireSpinLockShared
KeSetEvent
KeResetEvent
KeBugCheckEx
KeInitializeEvent
MmGetSystemRoutineAddress
ExFreePoolWithTag
ExAllocatePoolWithTag
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
PcwRegister
RtlInitAnsiStringEx

ndis.sys

NdisFreeNetBufferListPool
NdisAllocateNetBufferListPool
NdisGetDataBuffer
NdisIfGetInterfaceIndexFromNetLuid
NdisRetreatNetBufferDataStart
NdisAdvanceNetBufferDataStart

fwpkclnt.sys

FwpsInjectionHandleDestroy0
FwpsInjectionHandleCreate0
FwpsCopyStreamDataToBuffer0
FwpsQueryPacketInjectionState0
FwpsInjectTransportReceiveAsync0
FwpsInjectTransportSendAsync0
FwpsConstructIpHeaderForTransportPacket0
FwpsStreamInjectAsync0
FwpsFreeNetBufferList0
FwpsAllocateNetBufferAndNetBufferList0
FwpsFlowRemoveContext0
FwpsFlowAssociateContext0
FwpsCalloutUnregisterById0
FwpsCalloutRegister1
FwpmBfeStateUnsubscribeChanges0
FwpmBfeStateSubscribeChanges0
FwpmBfeStateGet0

fltmgr.sys

FltReleaseFileNameInformation
FltGetFileNameInformationUnsafe

wdfldr.sys

WdfVersionBind
WdfVersionUnbind
WdfVersionBindClass
WdfVersionUnbindClass

Sections

.text
Size: 253KB - Virtual size: 253KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 577KB - Virtual size: 577KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 98B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ba5905125e70d1749ac2f5f1bbb13ecf

Code Sign

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

ee:af:cb:95:e4:e1:44:85:b3:96:50:32:19:96:80:d2:eb:0b:89:2d:92:31:f2:0a:84:d8:f3:01:a1:12:34:5bSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ndis.sys

fwpkclnt.sys

fltmgr.sys

wdfldr.sys

Sections

.text Size: 253KB - Virtual size: 253KB

PAGE Size: 9KB - Virtual size: 8KB

.rdata Size: 577KB - Virtual size: 577KB

.data Size: 19KB - Virtual size: 26KB

.pdata Size: 9KB - Virtual size: 8KB

INIT Size: 512B - Virtual size: 98B

.rsrc Size: 1024B - Virtual size: 984B

.reloc Size: 21KB - Virtual size: 20KB

33:00:00:01:09:5e:de:a2:12:7e:92:81:cc:00:00:00:00:01:09
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

ee:af:cb:95:e4:e1:44:85:b3:96:50:32:19:96:80:d2:eb:0b:89:2d:92:31:f2:0a:84:d8:f3:01:a1:12:34:5b
Signer

.text
Size: 253KB - Virtual size: 253KB

PAGE
Size: 9KB - Virtual size: 8KB

.rdata
Size: 577KB - Virtual size: 577KB

.data
Size: 19KB - Virtual size: 26KB

.pdata
Size: 9KB - Virtual size: 8KB

INIT
Size: 512B - Virtual size: 98B

.rsrc
Size: 1024B - Virtual size: 984B

.reloc
Size: 21KB - Virtual size: 20KB