e2573f1992575f28527087886f57ebdc11811361885b30a361faf68c0514d82f

Sharing

Copy URL Twitter E-mail

General

Target

e2573f1992575f28527087886f57ebdc11811361885b30a361faf68c0514d82f
Size

1.1MB
MD5

8684917fce0a0db9570993cbd7254d0a
SHA1

ce412e7d7036edee101cd67ea5d6f4ae147b5448
SHA256

e2573f1992575f28527087886f57ebdc11811361885b30a361faf68c0514d82f
SHA512

dae77f39adf5a9f1f4f000e35d73b827cbe0d33ca79c6db767bfb5633dacd380568ae007e10cb3af7434f3f4b2c48c58526874443b3fdd5675b9ea7d70e08789
SSDEEP

24576:wESzCqX2JRdNUrhFmCxBBeFukpzki34xkJn41Ozcn4necA:wEMYvSr3mCxBYFukpozCnE

Score

1^/10

Malware Config

Signatures

Files

e2573f1992575f28527087886f57ebdc11811361885b30a361faf68c0514d82f
.sys windows:10 windows x64 arch:x64

d8fce9bd2e29d1e56cafa4784c3401a2

Code Sign

15:0b:79:02:10:a5:7b:54:3d:58:10:30:c0:e2:f8:b2:53:25:26:aa
Certificate

Issuer

CN=Topsec TSA ROOT CA,O=Beijing Topsec Network Security Technology Co\,Ltd,ST=Beijing,C=CN

Not Before

01/05/2008, 11:03

Not After

04/04/2059, 11:03

Subject

CN=Topsec Timestamp Authority-1,O=Beijing Topsec Network Security Technology Co\,Ltd,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0b:b9:fb:8e:48:a1:35:80:e4:35:dc:e9:6f:83:f0:6d
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

24/04/2019, 00:00

Not After

27/04/2022, 12:00

Subject

CN=Topsec Inc.,O=Topsec Inc.,L=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:41

Not After

15/04/2021, 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a8:3e:2a:ad:e7:17:53:33:f1:24:62:88:54:b2:5c:c2:ee:0e:82:2e
Signer

Actual PE Digest

a8:3e:2a:ad:e7:17:53:33:f1:24:62:88:54:b2:5c:c2:ee:0e:82:2e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\TopESS\windrivers\BuildDriver\V10x64\tdcore.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
KeInitializeSpinLock
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
ExFreePoolWithTag
ExSystemTimeToLocalTime
RtlCompareMemory
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExInitializeResourceLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
KeInitializeEvent
KeSetEvent
KeInitializeSemaphore
KeReleaseSemaphore
KeWaitForMultipleObjects
KeWaitForSingleObject
KeAcquireSpinLockAtDpcLevel
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
PsCreateSystemThread
PsTerminateSystemThread
IofCompleteRequest
IoGetCurrentProcess
IoReleaseCancelSpinLock
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
ExAcquireResourceSharedLite
ZwOpenKey
ZwQueryValueKey
ZwCreateKey
ZwSetValueKey
PsIsSystemThread
RtlImageNtHeader
RtlImageDirectoryEntryToData
PsGetContextThread
PsGetThreadTeb
__C_specific_handler
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
RtlInitUnicodeString
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwFlushKey
ZwQueryKey
ZwSetSecurityObject
ZwQuerySecurityObject
RtlUnicodeStringToAnsiString
ZwCreateFile
ZwQueryInformationFile
ZwSetInformationFile
ZwWriteFile
PsGetCurrentProcessId
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoGetDeviceObjectPointer
ObQueryNameString
ObReferenceObjectByName
IoDriverObjectType
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
ExGetPreviousMode
ObOpenObjectByPointer
ZwQueryObject
ZwQueryDirectoryFile
ZwWaitForSingleObject
ZwQueryEaFile
ZwSetEaFile
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
MmBuildMdlForNonPagedPool
MmMapLockedPages
MmUnmapLockedPages
MmCreateMdl
KeLowerIrql
KfRaiseIrql
ExQueueWorkItem
PsIsThreadTerminating
PsGetCurrentThreadId
IoGetDeviceAttachmentBaseRef
IoRegisterPlugPlayNotification
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
DbgPrint
ZwAllocateVirtualMemory
KeResetEvent
KeDelayExecutionThread
RtlFreeUnicodeString
ZwQuerySystemInformation
KeQueryTimeIncrement
ZwTerminateProcess
ZwOpenProcess
ZwDuplicateObject
ZwQueryInformationProcess
ZwCreateJobObject
ZwTerminateJobObject
ZwAssignProcessToJobObject
KeNumberProcessors
RtlInitAnsiString
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
ExInitializePagedLookasideList
ExDeletePagedLookasideList
ProbeForRead
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
RtlEqualSid
RtlConvertSidToUnicodeString
KeStackAttachProcess
KeUnstackDetachProcess
SeQueryInformationToken
PsReferencePrimaryToken
PsDereferencePrimaryToken
PsLookupProcessByProcessId
PsLookupThreadByThreadId
ZwQueryInformationThread
PsProcessType
PsThreadType
MmMapIoSpace
MmUnmapIoSpace
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwSetInformationProcess
IoThreadToProcess
RtlQueryRegistryValues
CmUnRegisterCallback
CmRegisterCallbackEx
CmSetCallbackObjectContext
ZwCreateKeyTransacted
ZwOpenKeyTransacted
ZwEnumerateKey
ZwLoadKeyEx
TmTransactionObjectType
InitSafeBootMode
RtlLengthSecurityDescriptor
ZwLoadKey
CmKeyObjectType
RtlGetVersion
KeInitializeDpc
KeInitializeTimer
KeCancelTimer
KeSetTimer
IoBuildDeviceIoControlRequest
IofCallDriver
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoRegisterShutdownNotification
IoUnregisterShutdownNotification
ZwOpenSection
ObSetSecurityObjectByPointer
ZwCreateEvent
RtlxUnicodeStringToAnsiSize
RtlOemToUnicodeN
ZwReadFile
ZwCreateSection
ZwFlushBuffersFile
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN

Sections

.text
Size: 732KB - Virtual size: 732KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 110KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 239KB - Virtual size: 246KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d8fce9bd2e29d1e56cafa4784c3401a2

Code Sign

15:0b:79:02:10:a5:7b:54:3d:58:10:30:c0:e2:f8:b2:53:25:26:aaCertificate

Extended Key Usages

Key Usages

0b:b9:fb:8e:48:a1:35:80:e4:35:dc:e9:6f:83:f0:6dCertificate

Extended Key Usages

Key Usages

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

a8:3e:2a:ad:e7:17:53:33:f1:24:62:88:54:b2:5c:c2:ee:0e:82:2eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 732KB - Virtual size: 732KB

.rdata Size: 110KB - Virtual size: 110KB

.data Size: 239KB - Virtual size: 246KB

.pdata Size: 15KB - Virtual size: 14KB

PAGE Size: 1KB - Virtual size: 1KB

PAGE Size: 13KB - Virtual size: 13KB

INIT Size: 6KB - Virtual size: 5KB

.rsrc Size: 1024B - Virtual size: 880B

.reloc Size: 9KB - Virtual size: 8KB

15:0b:79:02:10:a5:7b:54:3d:58:10:30:c0:e2:f8:b2:53:25:26:aa
Certificate

0b:b9:fb:8e:48:a1:35:80:e4:35:dc:e9:6f:83:f0:6d
Certificate

61:1c:b2:8a:00:00:00:00:00:26
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

a8:3e:2a:ad:e7:17:53:33:f1:24:62:88:54:b2:5c:c2:ee:0e:82:2e
Signer

.text
Size: 732KB - Virtual size: 732KB

.rdata
Size: 110KB - Virtual size: 110KB

.data
Size: 239KB - Virtual size: 246KB

.pdata
Size: 15KB - Virtual size: 14KB

PAGE
Size: 1KB - Virtual size: 1KB

PAGE
Size: 13KB - Virtual size: 13KB

INIT
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1024B - Virtual size: 880B

.reloc
Size: 9KB - Virtual size: 8KB