WinRing0[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

WinRing0.sys
Size

31KB
MD5

a73ee34a7a50be60e77cc277a96d7ba8
SHA1

b3a8e39cd99feb817ce799cce193a2fbb12cbec6
SHA256

4448beff8366e42e3393e8c7f8261aee0b0340356c31aa3b97de07452ae01888
SHA512

668806257d29f73315b26540f0453bd673901c25fb3f16cba942c2dcf2006be8777573efbd831fce2bc7f0111b44b31a06c812ed9b1f59d5be0eb0c3c5c9eff2
SSDEEP

384:5olEN5FEOUdp+nYPLzX1RKtUEMUo3D5JNNzFwhhiPQ9Zh3CblImYg:54ENg4q7HHp3wh6QZ3Cb/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WinRing0.sys

Files

WinRing0.sys
.sys windows:10 windows x86 arch:x86

1f03c941f8d48d9e22ad736e741ccd29

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Code\VT\Driver\WinRing0\Release\WinRing0.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
IoCreateSymbolicLink
RtlUnwind
RtlCopyUnicodeString
KeBugCheckEx
IoCreateDevice
IofCompleteRequest
IoDeleteDevice
RtlInitUnicodeString

wdfldr.sys

WdfVersionUnbindClass
WdfVersionBind
WdfVersionUnbind
WdfVersionBindClass

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 948B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ