ScreenShot
| Created | 2021.07.26 09:29 | Machine | s1_win7_x6402 |
| Filename | 1apEoaC4M5a.sys | ||
| Type | PE32+ executable (native) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 7 detected (MalDrv, GenericFCA, ai score=89, CLASSIC) | ||
| md5 | e2c146a2522e4f40e5036c3fe12c3560 | ||
| sha256 | 2303b69f630d35d7eae22d30c5efeb76d6d89e80c7be9365b90db44e5ce5e94a | ||
| ssdeep | 49152:C84VT+ssMKbpbgNEAYWQmZBwp27tJ+xUuRY:C8iTAyzY3nutIyKY | ||
| imphash | 4e97d36152e8092401db2cdcda243920 | ||
| impfuzzy | 48:9SJ/JPJ0kPHP9PDJ65ahDu93JsUOq0V0KqMQM8Sck4ngMZZPqj9qw7qES6dwpO:sJG5a8Z5YV7orDngL0wO7TO | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
FLTMGR.SYS
0x140078000 FltRegisterFilter
0x140078008 FltUnregisterFilter
0x140078010 FltStartFiltering
0x140078018 FltAllocatePoolAlignedWithTag
0x140078020 FltGetFileNameInformation
0x140078028 FltReleaseFileNameInformation
0x140078030 FltParseFileNameInformation
0x140078038 FltReadFile
0x140078040 FltQueryInformationFile
0x140078048 FltSetInformationFile
NETIO.SYS
0x140078058 WskCaptureProviderNPI
0x140078060 WskReleaseProviderNPI
0x140078068 WskDeregister
0x140078070 WskRegister
ntoskrnl.exe
0x140078080 RtlAssert
0x140078088 RtlInitUnicodeString
0x140078090 DbgPrint
0x140078098 KeInitializeEvent
0x1400780a0 KeSetEvent
0x1400780a8 KeDelayExecutionThread
0x1400780b0 KeWaitForSingleObject
0x1400780b8 KeQueryTimeIncrement
0x1400780c0 ExAllocatePool
0x1400780c8 ExFreePoolWithTag
0x1400780d0 MmProbeAndLockPages
0x1400780d8 MmUnlockPages
0x1400780e0 IoAllocateIrp
0x1400780e8 IoAllocateMdl
0x1400780f0 IoCancelIrp
0x1400780f8 IoFreeIrp
0x140078100 IoFreeMdl
0x140078108 __C_specific_handler
0x140078110 KeInitializeMutex
0x140078118 KeReleaseMutex
0x140078120 KeAcquireSpinLockRaiseToDpc
0x140078128 KeReleaseSpinLock
0x140078130 ExAcquireFastMutex
0x140078138 ExReleaseFastMutex
0x140078140 ZwCreateFile
0x140078148 ZwQueryInformationFile
0x140078150 ZwSetInformationFile
0x140078158 ZwReadFile
0x140078160 ZwWriteFile
0x140078168 ZwClose
0x140078170 ZwDeleteFile
0x140078178 RtlCompareUnicodeString
0x140078180 RtlCopyUnicodeString
0x140078188 ExAllocatePoolWithTag
0x140078190 ObfDereferenceObject
0x140078198 PsGetProcessId
0x1400781a0 ZwTerminateProcess
0x1400781a8 ZwOpenProcess
0x1400781b0 PsLookupProcessByProcessId
0x1400781b8 PsGetProcessImageFileName
0x1400781c0 ZwQuerySystemInformation
0x1400781c8 ZwCreateKey
0x1400781d0 ZwOpenKey
0x1400781d8 ZwDeleteValueKey
0x1400781e0 ZwEnumerateKey
0x1400781e8 ZwQueryKey
0x1400781f0 ZwQueryValueKey
0x1400781f8 ZwSetValueKey
0x140078200 RtlUnicodeStringToAnsiString
0x140078208 RtlFreeAnsiString
0x140078210 MmGetSystemRoutineAddress
0x140078218 PsCreateSystemThread
0x140078220 ObReferenceObjectByHandle
0x140078228 ZwOpenFile
0x140078230 PsGetCurrentThreadId
0x140078238 IoQueryFileDosDeviceName
0x140078240 sprintf_s
0x140078248 IoFileObjectType
0x140078250 ExQueryDepthSList
0x140078258 ExpInterlockedPopEntrySList
0x140078260 ExpInterlockedPushEntrySList
0x140078268 ExInitializeNPagedLookasideList
0x140078270 ExDeleteNPagedLookasideList
0x140078278 RtlInitAnsiString
0x140078280 RtlAnsiStringToUnicodeString
0x140078288 RtlFreeUnicodeString
0x140078290 PsGetCurrentProcessId
0x140078298 PsGetThreadId
0x1400782a0 IoThreadToProcess
0x1400782a8 ObReferenceObjectByName
0x1400782b0 IoDriverObjectType
0x1400782b8 ExGetPreviousMode
0x1400782c0 CmRegisterCallback
0x1400782c8 CmUnRegisterCallback
0x1400782d0 MmIsAddressValid
0x1400782d8 ObQueryNameString
0x1400782e0 KeEnterCriticalRegion
0x1400782e8 KeLeaveCriticalRegion
0x1400782f0 ExInitializeResourceLite
0x1400782f8 ExAcquireResourceExclusiveLite
0x140078300 ExReleaseResourceLite
0x140078308 ExDeleteResourceLite
0x140078310 RtlInitializeGenericTable
0x140078318 RtlDeleteElementGenericTable
0x140078320 RtlGetElementGenericTable
0x140078328 RtlIsGenericTableEmpty
0x140078330 RtlEqualUnicodeString
0x140078338 ZwDeviceIoControlFile
0x140078340 IofCompleteRequest
0x140078348 IoCreateDevice
0x140078350 IoCreateSymbolicLink
0x140078358 IoDeleteDevice
0x140078360 PsSetCreateProcessNotifyRoutineEx
0x140078368 KeResetEvent
0x140078370 IoReuseIrp
0x140078378 RtlUnicodeToMultiByteN
0x140078380 RtlAnsiCharToUnicodeChar
0x140078388 KeBugCheckEx
EAT(Export Address Table) is none
FLTMGR.SYS
0x140078000 FltRegisterFilter
0x140078008 FltUnregisterFilter
0x140078010 FltStartFiltering
0x140078018 FltAllocatePoolAlignedWithTag
0x140078020 FltGetFileNameInformation
0x140078028 FltReleaseFileNameInformation
0x140078030 FltParseFileNameInformation
0x140078038 FltReadFile
0x140078040 FltQueryInformationFile
0x140078048 FltSetInformationFile
NETIO.SYS
0x140078058 WskCaptureProviderNPI
0x140078060 WskReleaseProviderNPI
0x140078068 WskDeregister
0x140078070 WskRegister
ntoskrnl.exe
0x140078080 RtlAssert
0x140078088 RtlInitUnicodeString
0x140078090 DbgPrint
0x140078098 KeInitializeEvent
0x1400780a0 KeSetEvent
0x1400780a8 KeDelayExecutionThread
0x1400780b0 KeWaitForSingleObject
0x1400780b8 KeQueryTimeIncrement
0x1400780c0 ExAllocatePool
0x1400780c8 ExFreePoolWithTag
0x1400780d0 MmProbeAndLockPages
0x1400780d8 MmUnlockPages
0x1400780e0 IoAllocateIrp
0x1400780e8 IoAllocateMdl
0x1400780f0 IoCancelIrp
0x1400780f8 IoFreeIrp
0x140078100 IoFreeMdl
0x140078108 __C_specific_handler
0x140078110 KeInitializeMutex
0x140078118 KeReleaseMutex
0x140078120 KeAcquireSpinLockRaiseToDpc
0x140078128 KeReleaseSpinLock
0x140078130 ExAcquireFastMutex
0x140078138 ExReleaseFastMutex
0x140078140 ZwCreateFile
0x140078148 ZwQueryInformationFile
0x140078150 ZwSetInformationFile
0x140078158 ZwReadFile
0x140078160 ZwWriteFile
0x140078168 ZwClose
0x140078170 ZwDeleteFile
0x140078178 RtlCompareUnicodeString
0x140078180 RtlCopyUnicodeString
0x140078188 ExAllocatePoolWithTag
0x140078190 ObfDereferenceObject
0x140078198 PsGetProcessId
0x1400781a0 ZwTerminateProcess
0x1400781a8 ZwOpenProcess
0x1400781b0 PsLookupProcessByProcessId
0x1400781b8 PsGetProcessImageFileName
0x1400781c0 ZwQuerySystemInformation
0x1400781c8 ZwCreateKey
0x1400781d0 ZwOpenKey
0x1400781d8 ZwDeleteValueKey
0x1400781e0 ZwEnumerateKey
0x1400781e8 ZwQueryKey
0x1400781f0 ZwQueryValueKey
0x1400781f8 ZwSetValueKey
0x140078200 RtlUnicodeStringToAnsiString
0x140078208 RtlFreeAnsiString
0x140078210 MmGetSystemRoutineAddress
0x140078218 PsCreateSystemThread
0x140078220 ObReferenceObjectByHandle
0x140078228 ZwOpenFile
0x140078230 PsGetCurrentThreadId
0x140078238 IoQueryFileDosDeviceName
0x140078240 sprintf_s
0x140078248 IoFileObjectType
0x140078250 ExQueryDepthSList
0x140078258 ExpInterlockedPopEntrySList
0x140078260 ExpInterlockedPushEntrySList
0x140078268 ExInitializeNPagedLookasideList
0x140078270 ExDeleteNPagedLookasideList
0x140078278 RtlInitAnsiString
0x140078280 RtlAnsiStringToUnicodeString
0x140078288 RtlFreeUnicodeString
0x140078290 PsGetCurrentProcessId
0x140078298 PsGetThreadId
0x1400782a0 IoThreadToProcess
0x1400782a8 ObReferenceObjectByName
0x1400782b0 IoDriverObjectType
0x1400782b8 ExGetPreviousMode
0x1400782c0 CmRegisterCallback
0x1400782c8 CmUnRegisterCallback
0x1400782d0 MmIsAddressValid
0x1400782d8 ObQueryNameString
0x1400782e0 KeEnterCriticalRegion
0x1400782e8 KeLeaveCriticalRegion
0x1400782f0 ExInitializeResourceLite
0x1400782f8 ExAcquireResourceExclusiveLite
0x140078300 ExReleaseResourceLite
0x140078308 ExDeleteResourceLite
0x140078310 RtlInitializeGenericTable
0x140078318 RtlDeleteElementGenericTable
0x140078320 RtlGetElementGenericTable
0x140078328 RtlIsGenericTableEmpty
0x140078330 RtlEqualUnicodeString
0x140078338 ZwDeviceIoControlFile
0x140078340 IofCompleteRequest
0x140078348 IoCreateDevice
0x140078350 IoCreateSymbolicLink
0x140078358 IoDeleteDevice
0x140078360 PsSetCreateProcessNotifyRoutineEx
0x140078368 KeResetEvent
0x140078370 IoReuseIrp
0x140078378 RtlUnicodeToMultiByteN
0x140078380 RtlAnsiCharToUnicodeChar
0x140078388 KeBugCheckEx
EAT(Export Address Table) is none