BrRamdisk64[.]sys

Sharing

Copy URL Twitter E-mail

General

Target

BrRamdisk64.sys
Size

64KB
MD5

43c4960d39661497e07f00278b737086
SHA1

97deab705e43c78b409def23033b4ab3e1181b89
SHA256

661f8261c83a79aa64caf33fbde52c0b1d4665a03d017f6a7aeca56ee2c23792
SHA512

ea6169f11f3fd218acc78990e417a885564e36cb27db9a6c37f843ca31738dd0d475a64396a0093c2209ded84e47212d235c56eae4e2b10b4e0fdfb6b254e9da
SSDEEP

1536:DuBTYbNZ7Z+u6BEQdcuNyk9hjENi7zNFjqphM/0QtE+N:6gNZ7Z+u6BxNyAGw/0oN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
BrRamdisk64.sys

Files

BrRamdisk64.sys
.sys windows:10 windows x64 arch:x64

5723e24bcfa9b111954841a7a9a8f064

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Output\YIMA\Drivers\BrRamdisk\BrRamdisk64.pdb

Imports

ntoskrnl.exe

ZwClose
ZwDeviceIoControlFile
wcsrchr
_wcsicmp
RtlCompareUnicodeString
RtlCopyUnicodeString
ExAllocatePoolWithTag
ExFreePoolWithTag
MmGetSystemRoutineAddress
ObfDereferenceObject
ZwCreateFile
ZwOpenKey
ZwQueryValueKey
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
PsSetCreateProcessNotifyRoutine
RtlQueryRegistryValues
RtlAppendUnicodeStringToString
KeInitializeEvent
ZwOpenFile
KeDelayExecutionThread
KeSetPriorityThread
KeWaitForSingleObject
ExAllocatePool
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
PsCreateSystemThread
PsTerminateSystemThread
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwFsControlFile
KeBugCheckEx
ObReferenceObjectByHandle
RtlInitUnicodeString
DbgPrint
KeSetEvent
RtlAssert

wdfldr.sys

WdfVersionBind
WdfVersionUnbind
WdfVersionUnbindClass
WdfVersionBindClass

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5723e24bcfa9b111954841a7a9a8f064

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

wdfldr.sys

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 4KB

.pdata Size: 1KB - Virtual size: 1KB

PAGE Size: 6KB - Virtual size: 5KB

INIT Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 48B

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 4KB

.pdata
Size: 1KB - Virtual size: 1KB

PAGE
Size: 6KB - Virtual size: 5KB

INIT
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 48B