edevmon.pdb
Static task: static1
General
Target: 85485a546fff60e423f52202f2251200N.exe
Size: 97KB
MD5: 85485a546fff60e423f52202f2251200
SHA1: e27546f406e279d85c6448f6c6de2f3f23316c15
SHA256: 341c21511a42e5ed9ef3c5ca4dd86fb2260a5959ef13367f4758e76bfd9e04b6
SHA512: cc2e58a2871da9d022cf92ef0b3d59f5f0e6bdf48d1b7b05ac7e4eedc4ce86c69b663c7735acc4fa06b73dc5ac2502f1290d2890b2976fba3e1ec2d9ad8ccf03
SSDEEP: 3072:Uf9SQCEVBm5xYomXo4ezaft0TJYknfC0b6Wa:UfwyFoQo12knfRva
Malware Config
Signatures
Unsigned PE (1 IoC): checks for missing Authenticode signature.
Resource: 85485a546fff60e423f52202f2251200N.exe
Files
85485a546fff60e423f52202f2251200N.exe.sys windows:10 windows x86 arch:x86
c2198a07ec5dcfccb67c0338378ccd7c
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
ntoskrnl.exe
PsGetCurrentProcessId
ZwClose
ZwOpenFile
RtlInitUnicodeString
KeWaitForSingleObject
ZwCreateFile
ObReferenceObjectByHandle
KeInitializeEvent
IofCallDriver
ObfDereferenceObject
KeQuerySystemTime
ExGetPreviousMode
ZwDeviceIoControlFile
_wcsnicmp
wcschr
ObQueryNameString
ZwQueryInformationProcess
PsGetVersion
KeGetCurrentThread
IoGetCurrentProcess
ObfReferenceObject
PsInitialSystemProcess
PsLookupProcessByProcessId
ObOpenObjectByPointer
SeQueryInformationToken
towlower
towupper
ZwOpenThreadToken
ZwOpenProcessToken
InterlockedPopEntrySList
InterlockedPushEntrySList
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
RtlVolumeDeviceToDosName
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
ExInitializeResourceLite
ExDeleteResourceLite
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
KeLeaveCriticalRegion
KeInitializeSemaphore
IoCsqInitialize
KeWaitForMultipleObjects
IoCsqRemoveNextIrp
KeReleaseSemaphore
IofCompleteRequest
KeSetEvent
KeResetEvent
PsProcessType
_stricmp
_wcsicmp
ZwOpenKey
ZwQueryValueKey
ZwSetValueKey
PsThreadType
ZwQueryInformationThread
PsGetThreadFreezeCount
PsIsThreadTerminating
RtlValidSid
RtlLengthSid
_purecall
KeReleaseMutex
MmMapLockedPagesSpecifyCache
ZwDuplicateObject
ZwDuplicateToken
ProbeForRead
ProbeForWrite
PsLookupThreadByThreadId
IoThreadToProcess
ExInitializePagedLookasideList
ExDeletePagedLookasideList
RtlSubAuthorityCountSid
_snwprintf_s
RtlSubAuthoritySid
SeCaptureSubjectContext
SeLockSubjectContext
SeReleaseSubjectContext
SeUnlockSubjectContext
SeTokenIsAdmin
RtlCopySid
RtlEqualSid
IoGetDeviceProperty
PsIsSystemThread
PsGetCurrentThreadId
IoGetDevicePropertyData
IoOpenDeviceRegistryKey
RtlGUIDFromString
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
KeInitializeMutex
RtlStringFromGUID
RtlQueryRegistryValues
RtlFreeUnicodeString
IoWMIRegistrationControl
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
IoGetAttachedDeviceReference
IoInitializeRemoveLockEx
IoAttachDeviceToDeviceStackSafe
IoReleaseRemoveLockAndWaitEx
IoDetachDevice
RtlEqualUnicodeString
IoFileObjectType
IoEnumerateDeviceObjectList
IoGetDeviceInterfaces
IoRegisterDeviceInterface
IoSetDeviceInterfaceState
IoBuildDeviceIoControlRequest
InitSafeBootMode
IoAllocateMdl
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
MmUnmapLockedPages
IoGetRequestorProcess
IoGetRequestorProcessId
RtlCreateAcl
RtlAddAccessAllowedAce
SeExports
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlValidSecurityDescriptor
NtSetSecurityObject
KeBugCheckEx
_allmul
RtlUnwind
ExAllocatePoolWithTag
ExFreePoolWithTag
IoCsqInsertIrp
MmGetSystemRoutineAddress
ZwSetSecurityObject
IoDeviceObjectType
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetSaclSecurityDescriptor
SeCaptureSecurityDescriptor
_snwprintf
RtlLengthSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
IoIsWdmVersionAvailable
memcpy
memset
ZwCreateKey
memmove
hal
KfAcquireSpinLock
KeGetCurrentIrql
KfReleaseSpinLock
Sections
.text: Size 39KB, Virtual size 39KB; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata: Size 5KB, Virtual size 4KB; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data: Size 1024B, Virtual size 1KB; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE: Size 11KB, Virtual size 10KB; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
INIT: Size 6KB, Virtual size 6KB; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc: Size 1KB, Virtual size 1KB; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc: Size 3KB, Virtual size 3KB; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ