c13c130[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

c13c130.sys
Size

190KB
MD5

383e7828badd3eda837777722cab025a
SHA1

4710e67d50a4da9680f548be0e5b131e2d6a1d20
SHA256

73bee68a2930f1da633987957887af943f5d6113d3b0f3319570da4cf32b7ded
SHA512

e69513e51aea6d8dfa1412f3cf3ec297ed1d33d7a40b4383228eaec208059f2280a63cf7d96b86d6328df1409b0e1119f0a13a7b2003f26053106ae67693e018
SSDEEP

3072:3WZ+7sOldXjOnjDmNlq6kgyTpTo2H67VQxisBo6TwqX7OhPAzkqRh5FLHb9FOStO:pOnjDmNlqbgyTpTo2H67VQxisBoYwa3a

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c13c130.sys

Files

c13c130.sys
.sys windows:10 windows x64 arch:x64

443fcbb7deaf3710d89f0fe200b9905a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\pjm\BuildDir\drweb-shield-next\checkout\drweb-shield-next\build_output\all\x64\Release\shin64.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ExFreePoolWithTag
KeWaitForSingleObject
__C_specific_handler
RtlGetVersion
ProbeForRead
ProbeForWrite
MmMapLockedPagesSpecifyCache
IofCompleteRequest
MmSystemRangeStart
RtlCompareMemory
KeInitializeEvent
MmBuildMdlForNonPagedPool
IoInitializeIrp
MmIsAddressValid
IoFileObjectType
PsInitialSystemProcess
KeSetEvent
MmUnlockPages
IoAllocateIrp
IofCallDriver
IoFreeIrp
IoFreeMdl
ObfReferenceObject
ObfDereferenceObject
MmSectionObjectType
NtBuildNumber
ZwClose
ZwOpenEvent
RtlIntegerToUnicodeString
RtlEqualUnicodeString
ExQueueWorkItem
ExAcquireRundownProtection
ExReleaseRundownProtection
MmProbeAndLockPages
MmMapIoSpace
MmUnmapIoSpace
IoAllocateMdl
IoCreateDevice
IoCreateFile
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetAttachedDeviceReference
IoGetCurrentProcess
IoGetRelatedDeviceObject
IoRegisterLastChanceShutdownNotification
RtlUpcaseUnicodeChar
ObReferenceObjectByHandle
ObCloseHandle
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwSetInformationFile
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwCreateKey
ZwOpenKey
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlEqualString
PsGetCurrentProcessId
IoCreateFileSpecifyDeviceObjectHint
ZwTerminateProcess
ZwOpenProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
IoGetBaseFileSystemDeviceObject
IoGetLowerDeviceObject
ObOpenObjectByPointer
ObQueryNameString
ZwQueryObject
ZwDuplicateObject
ZwOpenProcessTokenEx
ZwQuerySystemInformation
ZwAdjustPrivilegesToken
ZwOpenThread
ZwQueryInformationProcess
ZwQueryInformationThread
PsProcessType
KeBugCheckEx
ExIsProcessorFeaturePresent
RtlAnsiStringToUnicodeString
IoUnregisterShutdownNotification
_stricmp
RtlInitUnicodeString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlFreeUnicodeString
ZwOpenSection
RtlPrefixUnicodeString
PsReferencePrimaryToken
ZwQuerySection
MmUserProbeAddress
strchr
RtlInitString
RtlAppendStringToString
mbstowcs
RtlInitAnsiString

hal

HalGetBusDataByOffset
HalSetBusDataByOffset

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

NONPAGED
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

443fcbb7deaf3710d89f0fe200b9905a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 75KB - Virtual size: 75KB

NONPAGED Size: 3KB - Virtual size: 2KB

.rdata Size: 7KB - Virtual size: 7KB

.data Size: 3KB - Virtual size: 3KB

.pdata Size: 4KB - Virtual size: 3KB

PAGE Size: 59KB - Virtual size: 58KB

INIT Size: 5KB - Virtual size: 4KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 75KB - Virtual size: 75KB

NONPAGED
Size: 3KB - Virtual size: 2KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 3KB - Virtual size: 3KB

.pdata
Size: 4KB - Virtual size: 3KB

PAGE
Size: 59KB - Virtual size: 58KB

INIT
Size: 5KB - Virtual size: 4KB

.reloc
Size: 1KB - Virtual size: 1KB