drvinst[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

drvinst.exe
Size

339KB
MD5

0d5db4c56e9b065bee56b19003beacbf
SHA1

a992b91a4d8d53e2d504053cc27364760526944e
SHA256

d95148de85988fe239a332b0457d7294a0c5eb38ed1343c4b474d1deb74a8425
SHA512

dd232304a07d4eebd33e221efd3d4f4fcb6d7f6623b9a6ecd41d1c013a19fb67db4b45ca956139b6c96991f8b7cd24dd63d7d67dbe16e808de818a2049d5e501
SSDEEP

6144:uE9uq0kx2Tko6peu/OpMcIG1aIhibuOdVApf+ugBeTlNfu:30k4Tu/Op9V1aAibuOPCgBeJNm

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
drvinst.exe

Files

drvinst.exe
.exe windows:10 windows x64 arch:x64

add23ddcd66d6aa9252b74b87aef73c4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

drvinst.pdb

Imports

msvcrt

_lock
_resetstkoflw
?terminate@@YAXXZ
_wcslwr
wcsrchr
_commode
_vsnwprintf
_purecall
_onexit
memmove
wcsstr
memcpy
memcmp
_fmode
_initterm
__setusermatherr
_unlock
wcsncmp
__dllonexit
_cexit
strncmp
_wcsnicmp
_exit
exit
__set_app_type
__wgetmainargs
qsort
_amsg_exit
wcschr
_XcptFilter
swscanf
toupper
__C_specific_handler
_wcsicmp
_vsnprintf
memcpy_s
??3@YAXPEAX@Z
memmove_s
memset

ntdll

RtlGUIDFromString
RtlRandomEx
RtlPrefixUnicodeString
EtwEventSetInformation
NtFlushBuffersFileEx
NtSetInformationFile
NtQueryInformationFile
RtlGetVersion
RtlNtStatusToDosErrorNoTeb
RtlUpcaseUnicodeChar
NtDeleteValueKey
NtSetValueKey
NtQueryValueKey
NtQueryKey
NtCreateKey
NtOpenKey
RtlInitUnicodeString
NtClose
RtlFreeUnicodeString
RtlFormatCurrentUserKeyPath
RtlUpcaseUnicodeString
RtlInitUnicodeStringEx
ZwQueryValueKey
ZwOpenKey
ZwQuerySystemInformation
ZwClose
RtlFreeHeap
RtlReAllocateHeap
RtlAllocateHeap
RtlAppendUnicodeToString
EtwEventWriteTransfer
RtlAppendUnicodeStringToString
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlDosPathNameToNtPathName_U_WithStatus
ZwOpenFile
ZwEnumerateKey
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwQueryDirectoryFile
RtlpEnsureBufferSize
RtlNtPathNameToDosPathName
RtlGetNativeSystemInformation
RtlInitString
RtlxAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
LdrResSearchResource
VerSetConditionMask
RtlVerifyVersionInfo
RtlImageDirectoryEntryToData
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtQuerySystemInformation
EtwEventRegister
EtwEventUnregister
RtlNtStatusToDosError
NtQueryInformationProcess
DbgPrintEx
NtSystemDebugControl

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler

api-ms-win-devices-config-l1-1-1

CM_MapCrToWin32Err
CM_Get_DevNode_PropertyW
CM_Set_DevNode_Registry_PropertyW
CM_Get_Child
CM_Get_Device_IDW
CM_Get_DevNode_Registry_PropertyW
CM_Setup_DevNode
CM_Open_DevNode_Key
CM_Get_Sibling
CM_Locate_DevNodeW
CM_Set_DevNode_PropertyW
CM_Get_DevNode_Status
CM_Get_Class_PropertyW

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
SetLastError
RaiseException
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineA
GetCommandLineW

api-ms-win-core-processthreads-l1-1-0

ExitProcess
GetCurrentThreadId
GetExitCodeThread
GetCurrentProcessId
OpenProcessToken
GetCurrentProcess
TerminateProcess
CreateThread

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
ReleaseSRWLockExclusive
SetEvent
CreateSemaphoreExW
WaitForSingleObjectEx
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseSemaphore
CreateMutexW
OpenSemaphoreW
CreateMutexExW
DeleteCriticalSection
SleepEx
WaitForSingleObject
ReleaseMutex
CreateEventW
WaitForMultipleObjectsEx
InitializeCriticalSectionEx
EnterCriticalSection

api-ms-win-core-memory-l1-1-0

MapViewOfFile
UnmapViewOfFile
CreateFileMappingW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetWindowsDirectoryW
GetTickCount64
GetSystemTime
GetSystemDirectoryW
GetLocalTime
GetTickCount
GetSystemWindowsDirectoryW

api-ms-win-core-heap-l1-1-0

HeapSetInformation
GetProcessHeap
HeapFree
HeapAlloc
HeapReAlloc

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetProcAddress
GetModuleHandleExW
LoadResource
FreeLibrary
LoadLibraryExW
LockResource
GetModuleFileNameA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-security-base-l1-1-0

DuplicateTokenEx
IsValidSid
CheckTokenMembership
AllocateAndInitializeSid
GetLengthSid
AddAccessAllowedAceEx
InitializeAcl
InitializeSecurityDescriptor
GetTokenInformation
SetSecurityDescriptorDacl
FreeSid

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegEnumValueW
RegFlushKey
RegCreateKeyExW
RegDeleteTreeW
RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-core-file-l1-1-0

SetFilePointer
GetFileSize
SetEndOfFile
CreateFileW
FindClose
GetFullPathNameW
GetFileAttributesW
CreateDirectoryW
WriteFile
GetTempFileNameW
FileTimeToLocalFileTime
FindNextFileW
GetFileAttributesExW
SetFileAttributesW
FindFirstFileW
FlushFileBuffers
GetFileInformationByHandle
DeleteFileW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetThreadLocale
LCMapStringW

api-ms-win-core-file-l2-1-0

MoveFileExW
CopyFileExW
CreateHardLinkW

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW
SetSecurityInfo

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-windowserrorreporting-l1-1-0

WerRegisterFile

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventProviderEnabled
EventSetInformation
EventWriteTransfer

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer

Sections

.text
Size: 240KB - Virtual size: 240KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

add23ddcd66d6aa9252b74b87aef73c4

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-console-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-provider-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-windowserrorreporting-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-threadpool-l1-2-0

Sections

.text Size: 240KB - Virtual size: 240KB

.rdata Size: 85KB - Virtual size: 84KB

.data Size: 1KB - Virtual size: 4KB

.pdata Size: 8KB - Virtual size: 7KB

.didat Size: 1024B - Virtual size: 776B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 512B

.text
Size: 240KB - Virtual size: 240KB

.rdata
Size: 85KB - Virtual size: 84KB

.data
Size: 1KB - Virtual size: 4KB

.pdata
Size: 8KB - Virtual size: 7KB

.didat
Size: 1024B - Virtual size: 776B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 512B