HoYoKProtect[.]sys

Sharing

Copy URL

Twitter E-mail

General

Target

HoYoKProtect.sys
Size

3.6MB
MD5

6a478e88570736cc987fc21a41cf044e
SHA1

26b84c7aac5a906344f9b9597a5e977770a99ff4
SHA256

72c79f01e2bacb2fcee014892e77d0064d084cfa66d4ff903ebc69399db2bf56
SHA512

d93456203af024f93891c71d8716ed16bd0c3a60338cb35ccf182d82be76890e5c7df2ebc80ee4a865b81a965bbc6ae26f0406773c415f77d8e8254664359049
SSDEEP

98304:NTSgt4t1bbLERWBWS3QRTEAT4qhTDdFD/GeV:ebbYIgKQRTlNRV

Score

1^/10

Malware Config

Signatures

Files

HoYoKProtect.sys
.sys windows:10 windows x64 arch:x64

da3b39119ff2c2a6a1d81b099504660b

Code Sign

33:00:00:00:69:9d:42:c9:76:75:b5:08:82:00:00:00:00:00:69
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-01-2024 20:09

Not After

10-01-2025 20:09

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:64:d7:d3:53:a5:4a:5f:9e:6b:39:05:00:10:e8:29:41:79:9a:63:96:48:35:00:61:be:dd:9f:a6:83:4b:1f
Signer

Actual PE Digest

08:64:d7:d3:53:a5:4a:5f:9e:6b:39:05:00:10:e8:29:41:79:9a:63:96:48:35:00:61:be:dd:9f:a6:83:4b:1f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInitUnicodeString
KeDelayExecutionThread
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
ExEventObjectType
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetCurrentProcess
ExInitializeResourceLite
ExDeleteResourceLite
MmUnlockPages
MmUnmapLockedPages
IoFreeMdl
KeAreApcsDisabled
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExGetPreviousMode
__C_specific_handler
ProbeForRead
MmProbeAndLockPages
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateMdl
ObfReferenceObject
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
RtlInitString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlInitAnsiString
RtlEqualUnicodeString
NtClose
RtlCompareUnicodeString
MmGetSystemRoutineAddress
KeClearEvent
MmBuildMdlForNonPagedPool
ExCreateCallback
ExRegisterCallback
ExUnregisterCallback
KdDebuggerNotPresent
KeSetPriorityThread
IofCompleteRequest
IoRegisterPlugPlayNotification
ExSystemTimeToLocalTime
ZwCreateFile
RtlCompareMemory
KeQueryTimeIncrement
ZwOpenKey
ZwDeleteValueKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
IoFileObjectType
KeSetEvent
ExReleaseFastMutex
ZwCreateSection
PsGetCurrentProcessId
MmIsAddressValid
PsGetCurrentThreadId
PsGetProcessId
MmUserProbeAddress
PsGetVersion
ExEnterCriticalRegionAndAcquireResourceShared
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
IoThreadToProcess
PsGetThreadId
ExAcquireFastMutex
KeUnstackDetachProcess
PsLookupProcessByProcessId
PsLookupThreadByThreadId
ZwQueryVirtualMemory
MmHighestUserAddress
InitializeSListHead
RtlEnumerateGenericTableAvl
ZwQuerySystemInformation
ObQueryNameString
ZwQueryObject
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
ObGetObjectType
ExEnumHandleTable
ExfUnblockPushLock
PsAcquireProcessExitSynchronization
PsReleaseProcessExitSynchronization
NtQueryInformationProcess
ZwQueryInformationProcess
PsProcessType
PsThreadType
PsInitialSystemProcess
PsGetProcessWow64Process
PsGetProcessPeb
KeAreAllApcsDisabled
PsGetProcessExitStatus
IoVolumeDeviceToDosName
ZwTerminateProcess
IoQueryFileDosDeviceName
ObOpenObjectByPointer
ZwWaitForSingleObject
PsGetProcessImageFileName
PsReferenceProcessFilePointer
PsGetProcessInheritedFromUniqueProcessId
ZwSetInformationProcess
PsIsThreadTerminating
ZwQueryInformationThread
ExInitializeRundownProtection
ExAcquireRundownProtection
ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetThreadProcess
PsGetProcessSectionBaseAddress
ZwOpenThread
KdDebuggerEnabled
ObRegisterCallbacks
ObUnRegisterCallbacks
ObGetFilterVersion
KeQueryPrcbAddress
KeGenericCallDpc
KeSignalCallDpcDone
KeSignalCallDpcSynchronize
IoUnregisterPlugPlayNotificationEx
ObReferenceObjectByName
RtlPcToFileHeader
IoDriverObjectType
MmGetVirtualForPhysical
RtlImageNtHeader
ZwOpenFile
KeAcquireQueuedSpinLock
KeReleaseQueuedSpinLock
IoEnumerateDeviceObjectList
MmSystemRangeStart
ZwOpenProcess
RtlConvertSidToUnicodeString
SeQueryInformationToken
PsReferencePrimaryToken
PsDereferencePrimaryToken
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
KeWaitForSingleObject
KeReleaseMutex
KeInitializeMutex
KeBugCheckEx
KeInitializeEvent
ExFreePoolWithTag
KeStackAttachProcess
ExAllocatePoolWithTag

hal

KeStallExecutionProcessor

wdfldr.sys

WdfVersionBindClass
WdfVersionBind
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 226KB - Virtual size: 225KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.upx0
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 744B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

da3b39119ff2c2a6a1d81b099504660b

Code Sign

33:00:00:00:69:9d:42:c9:76:75:b5:08:82:00:00:00:00:00:69Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

08:64:d7:d3:53:a5:4a:5f:9e:6b:39:05:00:10:e8:29:41:79:9a:63:96:48:35:00:61:be:dd:9f:a6:83:4b:1fSigner

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

wdfldr.sys

Sections

.text Size: 226KB - Virtual size: 225KB

.rdata Size: 27KB - Virtual size: 27KB

.data Size: 1024B - Virtual size: 12KB

.pdata Size: 14KB - Virtual size: 14KB

INIT Size: 10KB - Virtual size: 9KB

.upx0 Size: 3.3MB - Virtual size: 3.3MB

.reloc Size: 512B - Virtual size: 220B

.rsrc Size: 1024B - Virtual size: 744B

33:00:00:00:69:9d:42:c9:76:75:b5:08:82:00:00:00:00:00:69
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

08:64:d7:d3:53:a5:4a:5f:9e:6b:39:05:00:10:e8:29:41:79:9a:63:96:48:35:00:61:be:dd:9f:a6:83:4b:1f
Signer

.text
Size: 226KB - Virtual size: 225KB

.rdata
Size: 27KB - Virtual size: 27KB

.data
Size: 1024B - Virtual size: 12KB

.pdata
Size: 14KB - Virtual size: 14KB

INIT
Size: 10KB - Virtual size: 9KB

.upx0
Size: 3.3MB - Virtual size: 3.3MB

.reloc
Size: 512B - Virtual size: 220B

.rsrc
Size: 1024B - Virtual size: 744B