Field | Value |
---|---|
Created | 2023.04.25 17:54 |
Machine | s1_win7_x6403 |
Filename | mimidrv.sys |
Type | PE32+ executable (native) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (Mimikatz, Windows, Hacktool, Malicious, score, unsafe, Tool, Sign, confidence, 100%, Delpy, Eldorado, jsrlpu, GenMaliciousA, CLASSIC, HKTL, MIMIKATZ64, HTool, Apteryx, ai score=89, Detected, R362174, SigAdware, BenjaminDelpy, susgen) |
md5 | 3e528207ca374123f63789195a4aedde |
sha256 | d30f51bfd62695df96ba94cde14a7fae466b29ef45252c6ad19d57b4a87ff44e |
ssdeep | 768:6PVvAF3Sz0Kp4TC/ndBK8ipSPnA+vl1qlCGB8zlu0RVHZC5isg:mVvPz0K3EyDlQlHB8zl9RJwisg |
imphash | 059c6bd84285f4960e767f032b33f19b |
impfuzzy | 24:wzUJ2Pp8P4GoJN+yyzF2Mz9C8gtydHSPK16D8l+yJqBuq1ULERGDOfZRyBzVmiVy:uHOBzlkuJcfvhg42sf6lbjKD4vA |
Signature (3cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
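The Signature and Rules tables above give verdict names but not the rule bodies. The Python below is an added example, not the sandbox vendor's rule code and not taken from the page: it reconstructs what the three header rules (PE_Header_Zero, IsPE64, UPX_Zero) and the "unknown PE section names" signature check, by walking the raw PE headers (MZ, e_lfanew, PE signature, optional-header magic, section table). The list of known section names, the `build_pe` helper and the 0xF0/0xE0 optional-header sizes it uses are assumptions of the example, and the sample bytes are constructed here rather than taken from mimidrv.sys.

```python
"""Re-evaluate header-based triage rules against raw PE headers.

Added example; the sandbox's real rule bodies are not on the page, so these are
reconstructions of what such rules check, not the vendor's implementation.
"""
import struct
from typing import Dict, List

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_I386 = 0x8664, 0x14C

# Section names a linker-built Windows image or driver is expected to carry (assumed list).
# Anything outside it is what an "unknown PE section names" signature keys on.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".reloc",
                  ".rsrc", ".bss", ".tls", ".CRT", ".gfids", "INIT", "PAGE", "PAGELK", "PAGEDATA"}

EMPTY_VERDICT: Dict[str, object] = {"PE_Header_Zero": False, "IsPE64": False,
                                    "UPX_Zero": False, "unknown_sections": []}


def build_pe(machine: int, magic: int, section_names: List[bytes]) -> bytes:
    """Constructed minimal PE header (no code, no data) used only to exercise evaluate()."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    size_opt = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0   # usual optional-header sizes
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, size_opt, 0x0002)
    opt_hdr = struct.pack("<H", magic).ljust(size_opt, b"\0")  # only Magic is populated
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)  # 40-byte entries
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + sections


def evaluate(data: bytes) -> Dict[str, object]:
    """Return the four verdicts for an in-memory PE file (or the all-False verdict if it is not one)."""
    verdict: Dict[str, object] = dict(EMPTY_VERDICT, unknown_sections=[])
    if len(data) < 0x40 or data[:2] != b"MZ":
        return verdict
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + file header (20) + optional-header Magic (2) to be present.
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return verdict
    verdict["PE_Header_Zero"] = True                          # valid MZ -> PE signature chain
    _machine, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    verdict["IsPE64"] = magic == PE32PLUS_MAGIC                # the usual IsPE64 test
    sec_off = e_lfanew + 24 + size_opt                         # section table follows optional header
    names = []
    for i in range(nsec):
        off = sec_off + 40 * i
        if off + 40 > len(data):                               # truncated section table
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    verdict["UPX_Zero"] = any(n.startswith("UPX") for n in names)   # UPX0/UPX1-style names
    verdict["unknown_sections"] = [n for n in names if n not in KNOWN_SECTIONS]
    return verdict


if __name__ == "__main__":
    sample = build_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, [b"UPX0", b"UPX1", b".rsrc"])
    print(evaluate(sample))
```

A UPX verdict that rests on section names fires on any image whose sections were renamed, which is why the report's own signature row carries "could be a false positive"; running the section-name check on the actual file shows which of the two packer indicators the headers really support.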
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table), grouped by library
ntoskrnl.exe
0x15030 KeBugCheck
0x15038 IofCompleteRequest
0x15040 IoCreateSymbolicLink
0x15048 IoCreateDevice
0x15050 PsProcessType
0x15058 PsGetProcessImageFileName
0x15060 PsLookupProcessByProcessId
0x15068 PsReferencePrimaryToken
0x15070 ZwOpenProcessTokenEx
0x15078 IoGetCurrentProcess
0x15080 ZwSetInformationProcess
0x15088 ZwClose
0x15090 ZwDuplicateToken
0x15098 PsInitialSystemProcess
0x150a0 _vsnwprintf
0x150a8 ObfDereferenceObject
0x150b0 ObOpenObjectByPointer
0x150b8 PsGetProcessId
0x150c0 PsDereferencePrimaryToken
0x150c8 ExAllocatePoolWithTag
0x150d0 ExFreePoolWithTag
0x150d8 IoFreeMdl
0x150e0 MmProbeAndLockPages
0x150e8 MmUnlockPages
0x150f0 IoAllocateMdl
0x150f8 ZwUnloadKey
0x15100 IoEnumerateRegisteredFiltersList
0x15108 KeBugCheckEx
0x15110 MmGetSystemRoutineAddress
0x15118 IoDeleteDevice
0x15120 RtlInitUnicodeString
0x15128 NtBuildNumber
0x15130 RtlCompareMemory
0x15138 IoDeleteSymbolicLink
0x15140 PsGetVersion
0x15148 ExAllocatePoolWithQuotaTag
0x15150 ZwQuerySystemInformation
0x15158 RtlUnwindEx
FLTMGR.SYS
0x15000 FltGetFilterInformation
0x15008 FltEnumerateInstances
0x15010 FltEnumerateFilters
0x15018 FltObjectDereference
0x15020 FltGetVolumeFromInstance
EAT (Export Address Table): none
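Two of the report's derived fields can be recomputed from the import listing above: the imphash shown in the metadata table, and a capability tag of the kind the Rules table assigns (its "Antivirus" rule is a string match; the tags here match API combinations instead). The Python below is an added example, not code from the sandbox, from mimikatz or from pefile: it reimplements pefile's imphash normalisation (lowercase, a trailing .dll/.sys/.ocx dropped from the library name, entries joined with commas in import-directory order, MD5 of the result) and a small heuristic table mapping clusters of kernel APIs to capabilities. The cluster table is an assumption of the example. The computed value is not claimed to equal the report's 059c6bd84285f4960e767f032b33f19b: the listing is grouped by library, and the IAT addresses (FLTMGR.SYS at 0x15000, ntoskrnl.exe from 0x15030) suggest the import directory may order the two libraries the other way round, which changes the hash.

```python
"""Recompute imphash and tag API capability clusters from a PE import listing.

Added example for the report above; the import list is copied from the report,
the cluster table is an assumption, and this is not pefile's or mimikatz's code.
"""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]  # (library, function name or ordinal)

# Imports as printed in the report, grouped by library (ntoskrnl.exe first, then FLTMGR.SYS).
NTOSKRNL = (
    "KeBugCheck IofCompleteRequest IoCreateSymbolicLink IoCreateDevice PsProcessType "
    "PsGetProcessImageFileName PsLookupProcessByProcessId PsReferencePrimaryToken "
    "ZwOpenProcessTokenEx IoGetCurrentProcess ZwSetInformationProcess ZwClose "
    "ZwDuplicateToken PsInitialSystemProcess _vsnwprintf ObfDereferenceObject "
    "ObOpenObjectByPointer PsGetProcessId PsDereferencePrimaryToken ExAllocatePoolWithTag "
    "ExFreePoolWithTag IoFreeMdl MmProbeAndLockPages MmUnlockPages IoAllocateMdl ZwUnloadKey "
    "IoEnumerateRegisteredFiltersList KeBugCheckEx MmGetSystemRoutineAddress IoDeleteDevice "
    "RtlInitUnicodeString NtBuildNumber RtlCompareMemory IoDeleteSymbolicLink PsGetVersion "
    "ExAllocatePoolWithQuotaTag ZwQuerySystemInformation RtlUnwindEx"
).split()
FLTMGR = (
    "FltGetFilterInformation FltEnumerateInstances FltEnumerateFilters "
    "FltObjectDereference FltGetVolumeFromInstance"
).split()
MIMIDRV_IMPORTS: List[Import] = [("ntoskrnl.exe", f) for f in NTOSKRNL] + [("FLTMGR.SYS", f) for f in FLTMGR]


def imphash(imports: Iterable[Import]) -> str:
    """pefile-style imphash: MD5 over 'lib.func' entries joined by ','.

    Normalisation: everything lowercased, a trailing .dll/.sys/.ocx dropped from the
    library name (other extensions such as .exe are kept), ordinal-only imports
    written as 'ordN'. Order matters, so callers must pass import-directory order.
    pefile additionally maps well-known ordinals (ws2_32, oleaut32) back to names;
    that is omitted here because this sample imports by name only.
    """
    entries = []
    for lib, func in imports:
        lib = lib.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "sys", "ocx"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        entries.append(f"{lib}.{name}")
    return hashlib.md5(",".join(entries).encode()).hexdigest()


# Heuristic (assumed) table: a tag fires only when every API in its cluster is imported.
# The groupings reflect what the APIs do in general, not a claim about this build's logic.
CAPABILITY_CLUSTERS = {
    "token-manipulation": {"PsLookupProcessByProcessId", "PsReferencePrimaryToken",
                           "ZwDuplicateToken", "ZwSetInformationProcess"},
    "minifilter-enumeration": {"FltEnumerateFilters", "FltEnumerateInstances",
                               "FltGetFilterInformation"},
    "legacy-filter-enumeration": {"IoEnumerateRegisteredFiltersList"},
    "runtime-symbol-resolution": {"MmGetSystemRoutineAddress"},
    "user-mode-device-interface": {"IoCreateDevice", "IoCreateSymbolicLink", "IofCompleteRequest"},
    "registry-hive-unload": {"ZwUnloadKey"},
}


def capabilities(imports: Iterable[Import]) -> List[str]:
    """Sorted capability tags whose whole API cluster appears in the import list."""
    names = {func for _, func in imports if isinstance(func, str)}
    return sorted(tag for tag, needed in CAPABILITY_CLUSTERS.items() if needed <= names)


if __name__ == "__main__":
    print("imphash (report order):", imphash(MIMIDRV_IMPORTS))
    # Same imports with the two libraries swapped give a different hash, which is why a
    # hash from a hand-typed listing cannot be compared with the report's value blindly.
    swapped = MIMIDRV_IMPORTS[len(NTOSKRNL):] + MIMIDRV_IMPORTS[:len(NTOSKRNL)]
    print("imphash (FLTMGR first):", imphash(swapped))
    print("capabilities:", ", ".join(capabilities(MIMIDRV_IMPORTS)))
```

The cluster check is deliberately conjunctive: PsLookupProcessByProcessId on its own is ordinary driver code, but together with PsReferencePrimaryToken, ZwDuplicateToken and ZwSetInformationProcess it is the set a driver needs to hand one process's primary token to another, and that combination is the thing worth a triage tag.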