vfpext[.]sys | Triage

Sharing

Copy URL Twitter E-mail

General

Target

vfpext.sys
Size

1.4MB
MD5

68c240b5fc1f3610ced684056992f8b8
SHA1

281bb325d89b62271c76abb706b4ee05d3406cf9
SHA256

dbc1cf9ba4293ab980a697a2742857bb05379ec4e887193906a3032564e27fc8
SHA512

fb850754959bd13f36b9d36f2b9d84b8153faece34042dfcb0ff922e4df5d1ab203350de54d616daab04840456094c435c3c05264fd7b6fe2730e540285a2b9f
SSDEEP

24576:e11jqPFVTrEBkkPr4zro0nLB9Pm326bIt:xEoro0LBBm32P

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
vfpext.sys

Files

vfpext.sys
.sys windows:10 windows x64 arch:x64

df9910ef724372310b33098013728404

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

vfpext.pdb

Imports

ntoskrnl.exe

ExpInterlockedPopEntrySList
ExInitializeNPagedLookasideList
KeQueryActiveProcessorCountEx
KeSetTimer
KeInsertQueueDpc
KeGetCurrentProcessorNumberEx
IoReleaseRemoveLockEx
IoReleaseRemoveLockAndWaitEx
ExpInterlockedPushEntrySList
ExQueryDepthSList
IoAcquireRemoveLockEx
KeFlushQueuedDpcs
PcwRegister
KeBugCheckEx
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
MmBuildMdlForNonPagedPool
IoReleaseCancelSpinLock
DbgPrintEx
KeExpandKernelStackAndCalloutEx
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ZwCreateFile
ZwQueryInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoGetDeviceObjectPointer
IoBuildDeviceIoControlRequest
IofCallDriver
KeWaitForSingleObject
ObfDereferenceObject
KeInitializeTimerEx
KeGetProcessorNumberFromIndex
KeSetTargetProcessorDpcEx
strncmp
ExDeleteNPagedLookasideList
KeQuerySystemTimePrecise
wcsncmp
KeSetImportanceDpc
KeSetTimerEx
strnlen
KeQueryInterruptTimePrecise
qsort
RtlRbInsertNodeEx
RtlInitializeBitMap
RtlFindClearBitsAndSet
RtlClearBits
KeSetEvent
PsAttachSiloToCurrentThread
PsGetHostSilo
PsDetachSiloFromCurrentThread
HviGetHardwareFeatures
HviIsHypervisorVendorMicrosoft
HviGetHypervisorFeatures
ExWaitForRundownProtectionReleaseCacheAware
KeInitializeMutex
KeReleaseMutex
ExAcquireRundownProtectionCacheAware
ExAllocateCacheAwareRundownProtection
ExReleaseRundownProtectionCacheAware
ExReInitializeRundownProtectionCacheAware
ExFreeCacheAwareRundownProtection
KeCancelTimer
KeInitializeTimer
KeInitializeDpc
EtwUnregister
EtwRegister
MmGetSystemRoutineAddress
RtlQueryRegistryValues
RtlUnregisterFeatureConfigurationChangeNotification
RtlRegisterFeatureConfigurationChangeNotification
RtlQueryFeatureConfiguration
RtlQueryFeatureConfigurationChangeStamp
KeLowerIrql
KfRaiseIrql
EtwWriteTransfer
RtlIpv6AddressToStringA
RtlIpv4AddressToStringA
IofCompleteRequest
IoInitializeRemoveLockEx
RtlGUIDFromString
KeInitializeSpinLock
KeInitializeEvent
RtlEqualUnicodeString
_wcsnicmp
IoGetRequestorProcessId
MmMapLockedPagesSpecifyCache
wcscpy_s
strcpy_s
_vsnprintf
RtlCompareMemory
ExFreePoolWithTag
ExAllocatePoolWithTag
RtlInitUnicodeString
PcwUnregister
PcwAddInstance
__C_specific_handler
bsearch_s
RtlTimeFieldsToTime
atoi
isdigit
__chkstk

ndis.sys

NdisFIndicateReceiveNetBufferLists
NdisFSendNetBufferLists
NdisFReturnNetBufferLists
NdisFSendNetBufferListsComplete
NdisFOidRequestComplete
NdisFreeCloneOidRequest
NdisFOidRequest
NdisAllocateCloneOidRequest
NdisConvertNtStatusToNdisStatus
NdisFreeMemoryWithTagPriority
NdisAllocateIoWorkItem
NdisResetEvent
NdisMSleep
NdisFreeCloneNetBufferList
NdisAllocateCloneNetBufferList
NdisFreeNetBufferListContext
NdisAllocateNetBufferListContext
NdisAdvanceNetBufferListDataStart
NdisRetreatNetBufferListDataStart
NdisAllocateNetBufferMdlAndData
NdisRetreatNetBufferDataStart
NdisAdvanceNetBufferDataStart
NdisAllocateNetBufferAndNetBufferList
NdisFIndicateStatus
NdisFreeRWLock
NdisInitializeEvent
NdisAllocateRWLock
NdisFreeMdl
NdisFreeNetBuffer
NdisCopyFromNetBufferToNetBuffer
NdisAllocateNetBuffer
NdisAllocateMdl
NdisFreeNetBufferList
NdisAllocateNetBufferList
NdisWaitEvent
NdisSetEvent
NdisQueueIoWorkItem
NdisFNetPnPEvent
NdisAllocateMemoryWithTag
NdisFreeMemoryWithTag
NdisEnumerateFilterModules
NdisFGetOptionalSwitchHandlers
NdisDeregisterDeviceEx
NdisRegisterDeviceEx
NdisFDirectOidRequest
NdisFDirectOidRequestComplete
NdisAllocateMemoryWithTagPriority
NdisFreeMemory
NdisFreeIoWorkItem
NdisAcquireRWLockRead
NdisReleaseRWLock
NdisGetDataBuffer
NdisWriteEventLogEntry
NdisFRegisterFilterDriver
NdisGetVersion
NdisAllocateNetBufferPool
NdisAllocateNetBufferListPool
NdisFreeNetBufferPool
NdisFreeNetBufferListPool
NdisAcquireRWLockWrite
NdisFDeregisterFilterDriver
NdisFSetAttributes

cng.sys

SystemPrng

netio.sys

RtlInitializeToeplitzHash
RtlCleanupToeplitzHash
RtlCopyMdlToBuffer
RtlComputeToeplitzHash
NsiDeregisterChangeNotification
NsiRegisterChangeNotificationEx
NsiGetParameter
NsiGetAllParameters
NmrDeregisterClient
NmrClientAttachProvider
NmrWaitForClientDeregisterComplete
NmrRegisterClient

hal

KeStallExecutionProcessor

ksecdd.sys

DeleteSecurityContext
AcceptSecurityContext
FreeContextBuffer
UnsealMessage
AcquireCredentialsHandleW
SetCredentialsAttributesW
QueryContextAttributesW
SecSetPagingMode
SealMessage
InitializeSecurityContextW

Sections

.text
Size: 916KB - Virtual size: 915KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECONS
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGEDATA
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 512B - Virtual size: 426B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GFIDS
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 404KB - Virtual size: 403KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

df9910ef724372310b33098013728404

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ndis.sys

cng.sys

netio.sys

hal

ksecdd.sys

Sections

.text Size: 916KB - Virtual size: 915KB

.rdata Size: 57KB - Virtual size: 56KB

.data Size: 12KB - Virtual size: 45KB

.pdata Size: 26KB - Virtual size: 26KB

.idata Size: 8KB - Virtual size: 7KB

PAGE Size: 12KB - Virtual size: 11KB

PAGECONS Size: 12KB - Virtual size: 12KB

PAGEDATA Size: 3KB - Virtual size: 2KB

INIT Size: 512B - Virtual size: 426B

GFIDS Size: 2KB - Virtual size: 2KB

.rsrc Size: 404KB - Virtual size: 403KB

.reloc Size: 15KB - Virtual size: 14KB

.text
Size: 916KB - Virtual size: 915KB

.rdata
Size: 57KB - Virtual size: 56KB

.data
Size: 12KB - Virtual size: 45KB

.pdata
Size: 26KB - Virtual size: 26KB

.idata
Size: 8KB - Virtual size: 7KB

PAGE
Size: 12KB - Virtual size: 11KB

PAGECONS
Size: 12KB - Virtual size: 12KB

PAGEDATA
Size: 3KB - Virtual size: 2KB

INIT
Size: 512B - Virtual size: 426B

GFIDS
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 404KB - Virtual size: 403KB

.reloc
Size: 15KB - Virtual size: 14KB