6c22f9b46703dcbbc4563056aa975250bd5c7139555b80169fc9fd56fb23b0b1

Sharing

Copy URL Twitter E-mail

General

Target

6c22f9b46703dcbbc4563056aa975250bd5c7139555b80169fc9fd56fb23b0b1
Size

504KB
MD5

e3b51887bf2aedba6cf6be52b1a657de
SHA1

92575337b438627f033fd2c135762a5af1a88bf4
SHA256

6c22f9b46703dcbbc4563056aa975250bd5c7139555b80169fc9fd56fb23b0b1
SHA512

38e80b1a32bea7e51d46719eca2e75e0973389a0b30a61d34e2b1382ef92dd97b27c8b6ce65416b4982b3564b5f68440e5835ebd894f588b10d41e3c90e191c3
SSDEEP

12288:iOnjDmNlqbgyTpTo2H67VQxis3D5KefQzLmyZjJeobi7y5ugaI:iOnjDmNlqbtR4LmyZFDbi7+aI

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6c22f9b46703dcbbc4563056aa975250bd5c7139555b80169fc9fd56fb23b0b1

Files

6c22f9b46703dcbbc4563056aa975250bd5c7139555b80169fc9fd56fb23b0b1
.sys windows:10 windows x64 arch:x64

cbe235b351ad775d7f374258b86a5ff7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\projects\traffic-monitor\testing\traffic-monitor\drv_lwf\x64\Release\drweblwf64.pdb

Imports

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltGetFileNameInformation
FltReleaseFileNameInformation
FltGetVolumeName
FltIsDirectory
FltAllocateContext
FltSetVolumeContext
FltSetStreamContext
FltSetStreamHandleContext
FltDeleteStreamHandleContext
FltGetVolumeContext
FltGetStreamContext
FltGetStreamHandleContext
FltReleaseContext
FltInitializePushLock
FltAcquirePushLockExclusive
FltAcquirePushLockShared
FltReleasePushLock

ndis.sys

NdisReleaseReadWriteLock
NdisOpenConfiguration
NdisReadConfiguration
NdisCloseConfiguration
NdisAllocateBufferPool
NdisAllocateBuffer
NdisAllocatePacketPool
NdisFreePacketPool
NdisFreePacket
NdisAllocatePacket
NdisUnchainBufferAtFront
NdisFreeMemory
NdisMRegisterUnloadHandler
NdisMSetAttributesEx
NdisMQueryAdapterInstanceName
NdisAcquireReadWriteLock
NdisInitializeReadWriteLock

tdi.sys

TdiDeregisterPnPHandlers
TdiMapUserRequest
TdiRegisterPnPHandlers

ntoskrnl.exe

MmMapLockedPagesSpecifyCache
KeDelayExecutionThread
RtlCopyUnicodeString
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExFreePoolWithTag
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
RtlCompareUnicodeString
RtlEqualUnicodeString
RtlCompareMemory
KeClearEvent
KeReadStateEvent
KeResetEvent
KeSetEvent
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
PsCreateSystemThread
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
PsThreadType
KeInitializeMutex
KeReleaseMutex
IofCompleteRequest
IoGetCurrentProcess
IoReleaseCancelSpinLock
RtlUpcaseUnicodeChar
KeQueryTimeIncrement
IoVolumeDeviceToDosName
KeInitializeEvent
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwQueryInformationProcess
__C_specific_handler
RtlIpv4AddressToStringExA
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
RtlIpv6AddressToStringExA
RtlInitUnicodeString
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoUnregisterShutdownNotification
KeWaitForSingleObject
RtlFreeUnicodeString
RtlStringFromGUID
MmGetSystemRoutineAddress
PsGetVersion
IoWMIRegistrationControl
IoRegisterDriverReinitialization
NtBuildNumber
PsSetCreateProcessNotifyRoutine
PsGetCurrentProcessId
InitializeSListHead
MmProbeAndLockPages
MmUnlockPages
MmUnmapLockedPages
IoAllocateMdl
IoFreeMdl
ExAllocatePoolWithTagPriority
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
RtlUpperChar
IoCheckEaBufferValidity
ObQueryNameString
ZwQueryEaFile
IoFileObjectType
RtlAppendUnicodeToString
RtlPrefixUnicodeString
MmIsAddressValid
MmSystemRangeStart
ObfReferenceObject
KeStackAttachProcess
KeUnstackDetachProcess
MmSectionObjectType
RtlAppendUnicodeStringToString
ProbeForWrite
RtlInitializeBitMap
RtlSetBits
RtlUnicodeStringToAnsiString
ZwOpenKey
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
ZwDuplicateObject
ExAllocatePoolWithTag
MmBuildMdlForNonPagedPool
IoBuildDeviceIoControlRequest
IofCallDriver
PsReferencePrimaryToken
RtlIntegerToUnicodeString
RtlInitAnsiString
RtlAnsiStringToUnicodeString
ZwSetInformationFile
ZwWriteFile
PsGetProcessId
PsInitialSystemProcess
PsSetLoadImageNotifyRoutine
ZwTerminateProcess
ZwQueryObject
ZwQueryInformationToken
ZwQuerySystemInformation
PsProcessType
RtlUnicodeStringToInteger
ZwQueryValueKey
IoCancelFileOpen
IoAttachDeviceToDeviceStack
IoGetRelatedDeviceObject
RtlUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
KeBugCheckEx
RtlQueryRegistryValues
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
IoGetDeviceObjectPointer
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateSection
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlLengthSid
RtlCopySid
RtlCreateAcl
RtlAddAccessAllowedAce
ZwSetSecurityObject
ZwQuerySection
RtlSetSaclSecurityDescriptor
MmUserProbeAddress
SeExports
ExIsProcessorFeaturePresent
RtlAppendStringToString
RtlMultiByteToUnicodeN
FsRtlDissectName

Sections

.text
Size: 122KB - Virtual size: 121KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

NONPAGED
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 218KB - Virtual size: 217KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEC
Size: 1024B - Virtual size: 560B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cbe235b351ad775d7f374258b86a5ff7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fltmgr.sys

ndis.sys

tdi.sys

ntoskrnl.exe

Sections

.text Size: 122KB - Virtual size: 121KB

NONPAGED Size: 57KB - Virtual size: 57KB

.rdata Size: 38KB - Virtual size: 38KB

.data Size: 27KB - Virtual size: 188KB

.pdata Size: 13KB - Virtual size: 13KB

PAGE Size: 218KB - Virtual size: 217KB

PAGEC Size: 1024B - Virtual size: 560B

INIT Size: 16KB - Virtual size: 16KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 122KB - Virtual size: 121KB

NONPAGED
Size: 57KB - Virtual size: 57KB

.rdata
Size: 38KB - Virtual size: 38KB

.data
Size: 27KB - Virtual size: 188KB

.pdata
Size: 13KB - Virtual size: 13KB

PAGE
Size: 218KB - Virtual size: 217KB

PAGEC
Size: 1024B - Virtual size: 560B

INIT
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB