84c18e7951bd3bc6c13ff382896818d4578335f1139b55a1fbe98feb0a4161aaN

Sharing

Copy URL Twitter E-mail

General

Target

84c18e7951bd3bc6c13ff382896818d4578335f1139b55a1fbe98feb0a4161aaN
Size

187KB
MD5

67e5af82ea021fe574a981f484fb0b20
SHA1

1bc7530cf62e4d8e7f7e93ecee72118036451f7d
SHA256

84c18e7951bd3bc6c13ff382896818d4578335f1139b55a1fbe98feb0a4161aa
SHA512

03e684ad52db669bbab4964b28ce8f74f67e9549742df87468ce44b2c8cfc9d621724a8d6b9193c38ac212ef607620710dd77c62c8b3dd226de8c46db3d055b0
SSDEEP

3072:17p4ory4HW+INodtIFsZ6vOnvZAMuvJ6AKE891sUCd2wBvZirHmU45CWYDYWn5Pt:NHW+IKDn6eluh6AKh1fM2GZ8t48cWn5F

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/nfssvr.sys

Files

84c18e7951bd3bc6c13ff382896818d4578335f1139b55a1fbe98feb0a4161aaN
.cab
nfssvr.sys
.sys windows:5 windows x86 arch:x86

1ef8be1287219803d0f11a88ccd69651

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

nfssvr.pdb

Imports

ntoskrnl.exe

RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlCopyUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlxAnsiStringToUnicodeSize
NlsMbOemCodePageTag
KeReleaseMutex
KeWaitForSingleObject
RtlWriteRegistryValue
RtlInitUnicodeString
RtlQueryRegistryValues
DbgPrint
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
memmove
RtlIntegerToUnicodeString
KeDelayExecutionThread
KeGetCurrentThread
ZwCreateFile
ZwWaitForSingleObject
NtSetInformationFile
NtOpenFile
ZwWriteFile
ZwSetInformationFile
ZwClose
NtReadFile
KeSetEvent
PsTerminateSystemThread
PsCreateSystemThread
KeInitializeEvent
KeInitializeMutex
_allmul
InterlockedPopEntrySList
InterlockedPushEntrySList
ExGetPreviousMode
ExReleaseResourceForThreadLite
ExAcquireResourceSharedLite
NtUnlockFile
IoCreateFile
NtLockFile
IoSetThreadHardErrorMode
ExDeleteResourceLite
ExInitializeResourceLite
ExAcquireResourceExclusiveLite
RtlFreeAnsiString
toupper
RtlxUnicodeStringToAnsiSize
ZwDeleteKey
ZwEnumerateKey
RtlFreeUnicodeString
ZwOpenKey
RtlCompareUnicodeString
KeResetEvent
WmiQueryTraceInformation
IoWMIRegistrationControl
IofCompleteRequest
KeReleaseSemaphore
IoDeleteDevice
ObfDereferenceObject
IoDeleteSymbolicLink
ExDeleteNPagedLookasideList
ExDeletePagedLookasideList
KeLeaveCriticalRegion
KeEnterCriticalRegion
IoCreateSymbolicLink
KeWaitForMultipleObjects
RtlTimeToSecondsSince1970
MmQuerySystemSize
RtlLengthRequiredSid
IoGetCurrentProcess
ExInitializePagedLookasideList
ExInitializeNPagedLookasideList
KeInitializeSemaphore
KeInitializeSpinLock
wcsncpy
wcsrchr
RtlEqualUnicodeString
RtlCopySid
_aulldiv
IoGetRelatedDeviceObject
_except_handler3
ZwOpenFile
ObReferenceObjectByHandle
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
NtQuerySecurityObject
ExConvertExclusiveToSharedLite
RtlLengthSid
KeSetBasePriorityThread
RtlEqualSid
SeSinglePrivilegeCheck
RtlMapGenericMask
ZwQueryInformationFile
ExQueueWorkItem
KeUnstackDetachProcess
RtlFreeHeap
KeStackAttachProcess
IoGetTopLevelIrp
IoFreeWorkItem
IoQueueWorkItem
IoAllocateWorkItem
RtlUpcaseUnicodeStringToAnsiString
RtlDowncaseUnicodeString
RtlUpcaseUnicodeString
KeQuerySystemTime
ZwQueryValueKey
RtlInitCodePageTable
ZwReadFile
RtlCustomCPToUnicodeN
RtlUnicodeToCustomCPN
ZwFreeVirtualMemory
RtlDestroyHeap
RtlCreateRegistryKey
RtlCheckRegistryKey
strncmp
RtlCopyString
NtSetSecurityObject
RtlCompareMemory
NtQueryInformationToken
RtlSubAuthoritySid
RtlInitializeSid
_aulldvrm
_wcsnicmp
RtlAbsoluteToSelfRelativeSD
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
SeDeassignSecurity
SeReleaseSubjectContext
SeUnlockSubjectContext
SeAssignSecurityEx
IoGetFileObjectGenericMapping
SeLockSubjectContext
SeCaptureSubjectContext
RtlValidSid
SePrivilegeCheck
SeExports
SeAccessCheck
RtlPrefixUnicodeString
ExLocalTimeToSystemTime
RtlTimeFieldsToTime
RtlCharToInteger
RtlAddAce
RtlCreateAcl
ZwQueryVolumeInformationFile
RtlAddAccessAllowedAce
LsaDeregisterLogonProcess
LsaFreeReturnBuffer
NtFreeVirtualMemory
LsaLogonUser
NtAllocateVirtualMemory
NtSetInformationThread
NtAdjustPrivilegesToken
NtOpenProcessToken
NtDuplicateToken
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
NtAllocateLocallyUniqueId
RtlInitString
IoFreeIrp
IoFreeMdl
IofCallDriver
MmProbeAndLockPages
IoAllocateMdl
IoAllocateIrp
MmUnlockPages
MmProbeAndLockProcessPages
MmBuildMdlForNonPagedPool
RtlAllocateHeap
ExRaiseStatus
ZwAllocateVirtualMemory
NtSetInformationProcess
NtQueryInformationProcess
NtQuerySystemInformation
NtWaitForSingleObject
NtQueryDirectoryFile
NtCreateEvent
ZwOpenEvent
ZwTerminateProcess
ObOpenObjectByPointer
RtlCreateHeap
NtFsControlFile
MmProbeAndLockSelectedPages
NtDeviceIoControlFile
_snprintf
RtlEqualString
KeTickCount
KeBugCheckEx
ExSystemTimeToLocalTime
RtlTimeToTimeFields
RtlUnicodeStringToAnsiString
NtWriteFile
ExAllocatePoolWithTag
ZwSetValueKey
ZwCreateKey
wcschr
IoIsWdmVersionAvailable
SeCaptureSecurityDescriptor
_snwprintf
RtlGetSaclSecurityDescriptor
IoCreateDevice
IoDeviceObjectType
ZwSetSecurityObject
MmGetSystemRoutineAddress
memset
memcpy
RtlRandom
ZwQueryDefaultLocale
NtQueryEaFile
ExFreePoolWithTag
NtQueryInformationFile
NtQueryVolumeInformationFile
RtlExtendedIntegerMultiply
NtClose
NtCreateFile
wcslen
wcscpy
ZwConnectPort
ZwRequestWaitReplyPort
ZwOpenProcess
NtSetEaFile
WmiTraceMessage

hal

ExReleaseFastMutex
ExAcquireFastMutex
KeGetCurrentIrql

rpcxdr.sys

SunRpcBuildReplyForFastIO
RxGetMaxWorkerThreadCount
RxGetWorkerThreadAddressList
SunRpcGetRxStats
SunRpcConnect
SunRpcDisconnect
SunRpcBuildReply
SunRpcSendFastAndDestroy
SunRpcSend
SunRpcFreeEndpoint
SunRpcUnregister2
SunRpcRegister
SunRpcDestroy
SunRpcBuildCall
SunRpcSendWaitReply
SunRpcUnregister

msnfsflt.sys

MsNfsFltUnRegisterServer
MsNfsFltUnRegisterDynamicThread
MsNfsFltRegisterDynamicThread
MsNfsFltCheckFileForActivity
MsNfsFltAttachVolume
MsNfsFltDetachVolume
MsNfsFltRegisterServer

ksecdd.sys

SecLookupAccountSid

Sections

.text
Size: 377KB - Virtual size: 376KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

NONPAGED
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGER32C
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1ef8be1287219803d0f11a88ccd69651

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

rpcxdr.sys

msnfsflt.sys

ksecdd.sys

Sections

.text Size: 377KB - Virtual size: 376KB

NONPAGED Size: 512B - Virtual size: 180B

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 3KB

PAGE Size: 11KB - Virtual size: 10KB

PAGER32C Size: 2KB - Virtual size: 2KB

INIT Size: 7KB - Virtual size: 6KB

.rsrc Size: 11KB - Virtual size: 10KB

.reloc Size: 29KB - Virtual size: 28KB

.text
Size: 377KB - Virtual size: 376KB

NONPAGED
Size: 512B - Virtual size: 180B

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 3KB

PAGE
Size: 11KB - Virtual size: 10KB

PAGER32C
Size: 2KB - Virtual size: 2KB

INIT
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 11KB - Virtual size: 10KB

.reloc
Size: 29KB - Virtual size: 28KB