ScreenShot
| Created | 2023.08.09 17:14 | Machine | s1_win7_x6403 |
| Filename | Terminator.sys | ||
| Type | PE32+ executable (native) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 16 detected (Common, unsafe, VulDriver, Windows, VulnDriver, CVE-2021-3172, Driver, Spyboy, Detected, cve202131728, susgen, MALICIOUS) | ||
| md5 | 21e13f2cb269defeae5e1d09887d47bb | ||
| sha256 | 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 | ||
| ssdeep | 3072:uIYCsz96ZvVJ9b9sJCfShQ0/COLYYfUFtKXFZHOaIKyAYrPcQL9Rsm:uhCS8Bh3SaeCWYE1Oncovsm | ||
| imphash | 3edc60bda68569cac7ad7604728ff40d | ||
| impfuzzy | 48:fmmPQQgOsBlpyJ6VAwYkjlqxH6Hs548URnQd30usEFQ/kY2VFkRkJXBJD9PHPkPr:ulQgJywW5t54rnQdxCumqoV | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ntoskrnl.exe
0x1400240a8 FsRtlIsNameInExpression
0x1400240b0 PsGetProcessImageFileName
0x1400240b8 ZwQueryInformationProcess
0x1400240c0 __C_specific_handler
0x1400240c8 strchr
0x1400240d0 RtlAppendUnicodeToString
0x1400240d8 KeInitializeSemaphore
0x1400240e0 KeReleaseSemaphore
0x1400240e8 KeWaitForSingleObject
0x1400240f0 KeAcquireSpinLockRaiseToDpc
0x1400240f8 KeReleaseSpinLock
0x140024100 PsCreateSystemThread
0x140024108 PsTerminateSystemThread
0x140024110 ZwQueryInformationFile
0x140024118 ZwWriteFile
0x140024120 PsGetCurrentThreadId
0x140024128 ZwDeleteFile
0x140024130 _vsnprintf
0x140024138 PsThreadType
0x140024140 PsSetCreateProcessNotifyRoutine
0x140024148 PsGetProcessSessionId
0x140024150 RtlAppendUnicodeStringToString
0x140024158 ZwDeleteValueKey
0x140024160 ZwSetValueKey
0x140024168 towupper
0x140024170 RtlIntegerToUnicodeString
0x140024178 KeInitializeEvent
0x140024180 KeSetEvent
0x140024188 KeAcquireSpinLockAtDpcLevel
0x140024190 KeReleaseSpinLockFromDpcLevel
0x140024198 MmProbeAndLockPages
0x1400241a0 IoAllocateIrp
0x1400241a8 IoAllocateMdl
0x1400241b0 IofCallDriver
0x1400241b8 IoFreeIrp
0x1400241c0 IoFreeMdl
0x1400241c8 IoGetDeviceObjectPointer
0x1400241d0 IoGetRelatedDeviceObject
0x1400241d8 ObCloseHandle
0x1400241e0 ObfReferenceObject
0x1400241e8 ZwSetInformationFile
0x1400241f0 ZwReadFile
0x1400241f8 ZwOpenSymbolicLinkObject
0x140024200 ZwQuerySymbolicLinkObject
0x140024208 IoCreateFileSpecifyDeviceObjectHint
0x140024210 IoGetDeviceAttachmentBaseRef
0x140024218 FsRtlGetFileSize
0x140024220 ObQueryNameString
0x140024228 IoFileObjectType
0x140024230 KeReadStateEvent
0x140024238 ExQueueWorkItem
0x140024240 ExGetPreviousMode
0x140024248 MmGetSystemRoutineAddress
0x140024250 NtOpenProcess
0x140024258 ZwCreateEvent
0x140024260 ZwWaitForSingleObject
0x140024268 ZwSetEvent
0x140024270 NtQuerySystemInformation
0x140024278 ExEventObjectType
0x140024280 NtBuildNumber
0x140024288 ZwDeleteKey
0x140024290 ObReferenceObjectByName
0x140024298 IoDriverObjectType
0x1400242a0 MmIsDriverVerifying
0x1400242a8 IofCompleteRequest
0x1400242b0 IoCreateDevice
0x1400242b8 IoCreateSymbolicLink
0x1400242c0 IoDeleteDevice
0x1400242c8 IoDeleteSymbolicLink
0x1400242d0 RtlSetDaclSecurityDescriptor
0x1400242d8 MmMapLockedPagesSpecifyCache
0x1400242e0 PsGetProcessId
0x1400242e8 IoThreadToProcess
0x1400242f0 PsGetCurrentProcessSessionId
0x1400242f8 ZwTerminateProcess
0x140024300 KeStackAttachProcess
0x140024308 KeUnstackDetachProcess
0x140024310 ZwOpenThread
0x140024318 PsProcessType
0x140024320 ExInterlockedInsertHeadList
0x140024328 ExInterlockedRemoveHeadList
0x140024330 CmRegisterCallback
0x140024338 CmUnRegisterCallback
0x140024340 RtlCreateRegistryKey
0x140024348 ZwOpenKey
0x140024350 ZwEnumerateKey
0x140024358 ZwQueryKey
0x140024360 ZwQueryValueKey
0x140024368 RtlUnicodeStringToAnsiString
0x140024370 RtlFreeAnsiString
0x140024378 ProbeForWrite
0x140024380 PsSetLoadImageNotifyRoutine
0x140024388 PsRemoveLoadImageNotifyRoutine
0x140024390 PsGetProcessSectionBaseAddress
0x140024398 MmSystemRangeStart
0x1400243a0 KeBugCheckEx
0x1400243a8 PsLookupProcessByProcessId
0x1400243b0 ZwOpenProcess
0x1400243b8 PsGetCurrentProcessId
0x1400243c0 RtlUpcaseUnicodeString
0x1400243c8 RtlUpperString
0x1400243d0 ZwClose
0x1400243d8 ZwCreateFile
0x1400243e0 ObfDereferenceObject
0x1400243e8 ObReferenceObjectByHandle
0x1400243f0 ProbeForRead
0x1400243f8 ExFreePoolWithTag
0x140024400 ExAllocatePoolWithTag
0x140024408 KeDelayExecutionThread
0x140024410 RtlGetVersion
0x140024418 DbgPrint
0x140024420 RtlCopyUnicodeString
0x140024428 RtlInitUnicodeString
0x140024430 wcsstr
0x140024438 ZwQuerySystemInformation
0x140024440 strstr
FLTMGR.SYS
0x140024008 FltSendMessage
0x140024010 FltCloseCommunicationPort
0x140024018 FltCreateCommunicationPort
0x140024020 FltReleaseContext
0x140024028 FltGetStreamHandleContext
0x140024030 FltSetStreamHandleContext
0x140024038 FltAllocateContext
0x140024040 FltCancelFileOpen
0x140024048 FltQueryInformationFile
0x140024050 FltReadFile
0x140024058 FltParseFileNameInformation
0x140024060 FltReleaseFileNameInformation
0x140024068 FltGetFileNameInformation
0x140024070 FltFreePoolAlignedWithTag
0x140024078 FltAllocatePoolAlignedWithTag
0x140024080 FltStartFiltering
0x140024088 FltUnregisterFilter
0x140024090 FltRegisterFilter
0x140024098 FltBuildDefaultSecurityDescriptor
EAT(Export Address Table) is none
ntoskrnl.exe
0x1400240a8 FsRtlIsNameInExpression
0x1400240b0 PsGetProcessImageFileName
0x1400240b8 ZwQueryInformationProcess
0x1400240c0 __C_specific_handler
0x1400240c8 strchr
0x1400240d0 RtlAppendUnicodeToString
0x1400240d8 KeInitializeSemaphore
0x1400240e0 KeReleaseSemaphore
0x1400240e8 KeWaitForSingleObject
0x1400240f0 KeAcquireSpinLockRaiseToDpc
0x1400240f8 KeReleaseSpinLock
0x140024100 PsCreateSystemThread
0x140024108 PsTerminateSystemThread
0x140024110 ZwQueryInformationFile
0x140024118 ZwWriteFile
0x140024120 PsGetCurrentThreadId
0x140024128 ZwDeleteFile
0x140024130 _vsnprintf
0x140024138 PsThreadType
0x140024140 PsSetCreateProcessNotifyRoutine
0x140024148 PsGetProcessSessionId
0x140024150 RtlAppendUnicodeStringToString
0x140024158 ZwDeleteValueKey
0x140024160 ZwSetValueKey
0x140024168 towupper
0x140024170 RtlIntegerToUnicodeString
0x140024178 KeInitializeEvent
0x140024180 KeSetEvent
0x140024188 KeAcquireSpinLockAtDpcLevel
0x140024190 KeReleaseSpinLockFromDpcLevel
0x140024198 MmProbeAndLockPages
0x1400241a0 IoAllocateIrp
0x1400241a8 IoAllocateMdl
0x1400241b0 IofCallDriver
0x1400241b8 IoFreeIrp
0x1400241c0 IoFreeMdl
0x1400241c8 IoGetDeviceObjectPointer
0x1400241d0 IoGetRelatedDeviceObject
0x1400241d8 ObCloseHandle
0x1400241e0 ObfReferenceObject
0x1400241e8 ZwSetInformationFile
0x1400241f0 ZwReadFile
0x1400241f8 ZwOpenSymbolicLinkObject
0x140024200 ZwQuerySymbolicLinkObject
0x140024208 IoCreateFileSpecifyDeviceObjectHint
0x140024210 IoGetDeviceAttachmentBaseRef
0x140024218 FsRtlGetFileSize
0x140024220 ObQueryNameString
0x140024228 IoFileObjectType
0x140024230 KeReadStateEvent
0x140024238 ExQueueWorkItem
0x140024240 ExGetPreviousMode
0x140024248 MmGetSystemRoutineAddress
0x140024250 NtOpenProcess
0x140024258 ZwCreateEvent
0x140024260 ZwWaitForSingleObject
0x140024268 ZwSetEvent
0x140024270 NtQuerySystemInformation
0x140024278 ExEventObjectType
0x140024280 NtBuildNumber
0x140024288 ZwDeleteKey
0x140024290 ObReferenceObjectByName
0x140024298 IoDriverObjectType
0x1400242a0 MmIsDriverVerifying
0x1400242a8 IofCompleteRequest
0x1400242b0 IoCreateDevice
0x1400242b8 IoCreateSymbolicLink
0x1400242c0 IoDeleteDevice
0x1400242c8 IoDeleteSymbolicLink
0x1400242d0 RtlSetDaclSecurityDescriptor
0x1400242d8 MmMapLockedPagesSpecifyCache
0x1400242e0 PsGetProcessId
0x1400242e8 IoThreadToProcess
0x1400242f0 PsGetCurrentProcessSessionId
0x1400242f8 ZwTerminateProcess
0x140024300 KeStackAttachProcess
0x140024308 KeUnstackDetachProcess
0x140024310 ZwOpenThread
0x140024318 PsProcessType
0x140024320 ExInterlockedInsertHeadList
0x140024328 ExInterlockedRemoveHeadList
0x140024330 CmRegisterCallback
0x140024338 CmUnRegisterCallback
0x140024340 RtlCreateRegistryKey
0x140024348 ZwOpenKey
0x140024350 ZwEnumerateKey
0x140024358 ZwQueryKey
0x140024360 ZwQueryValueKey
0x140024368 RtlUnicodeStringToAnsiString
0x140024370 RtlFreeAnsiString
0x140024378 ProbeForWrite
0x140024380 PsSetLoadImageNotifyRoutine
0x140024388 PsRemoveLoadImageNotifyRoutine
0x140024390 PsGetProcessSectionBaseAddress
0x140024398 MmSystemRangeStart
0x1400243a0 KeBugCheckEx
0x1400243a8 PsLookupProcessByProcessId
0x1400243b0 ZwOpenProcess
0x1400243b8 PsGetCurrentProcessId
0x1400243c0 RtlUpcaseUnicodeString
0x1400243c8 RtlUpperString
0x1400243d0 ZwClose
0x1400243d8 ZwCreateFile
0x1400243e0 ObfDereferenceObject
0x1400243e8 ObReferenceObjectByHandle
0x1400243f0 ProbeForRead
0x1400243f8 ExFreePoolWithTag
0x140024400 ExAllocatePoolWithTag
0x140024408 KeDelayExecutionThread
0x140024410 RtlGetVersion
0x140024418 DbgPrint
0x140024420 RtlCopyUnicodeString
0x140024428 RtlInitUnicodeString
0x140024430 wcsstr
0x140024438 ZwQuerySystemInformation
0x140024440 strstr
FLTMGR.SYS
0x140024008 FltSendMessage
0x140024010 FltCloseCommunicationPort
0x140024018 FltCreateCommunicationPort
0x140024020 FltReleaseContext
0x140024028 FltGetStreamHandleContext
0x140024030 FltSetStreamHandleContext
0x140024038 FltAllocateContext
0x140024040 FltCancelFileOpen
0x140024048 FltQueryInformationFile
0x140024050 FltReadFile
0x140024058 FltParseFileNameInformation
0x140024060 FltReleaseFileNameInformation
0x140024068 FltGetFileNameInformation
0x140024070 FltFreePoolAlignedWithTag
0x140024078 FltAllocatePoolAlignedWithTag
0x140024080 FltStartFiltering
0x140024088 FltUnregisterFilter
0x140024090 FltRegisterFilter
0x140024098 FltBuildDefaultSecurityDescriptor
EAT(Export Address Table) is none