Field | Value |
---|---|
Created | 2024.11.01 08:41 |
Machine | s1_win7_x6401 |
Filename | WdBoot.sys |
Type | PE32+ executable (native) x86-64, for MS Windows |
ZERO API | file : clean |
md5 | 13555e269374c1ccf866cfa351625852 |
sha256 | cbd2a1d7a4788ee71bbe28fd521575886ed8d290fa4adebba2db25d5ef4d4a0b |
ssdeep | 768:gqOP5YdzeNU3DqIt3umsmiX1NtohJtGrnndrn9zFHAJ:gqw5Y5/3DqIgmjh6nt9zFgJ |
imphash | 5fee9881decbcd99afe063c90fd54a26 |
impfuzzy | 24:wBuqdGpEpC8qMioB0nADOtfwmiVJRywggvAPKlpk7Us34MM963JdWVXIoCXIoFrj:euE12n4fIdWOECrj |
Signature (3cnts)
Level | Description |
---|---|
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
ntoskrnl.exe
0x1c0009058 ExFreePoolWithTag
0x1c0009060 IoWMIRegistrationControl
0x1c0009068 InitSafeBootMode
0x1c0009070 InitializeSListHead
0x1c0009078 CmRegisterCallback
0x1c0009080 ZwClose
0x1c0009088 ZwOpenKey
0x1c0009090 ZwQueryValueKey
0x1c0009098 ExpInterlockedPushEntrySList
0x1c00090a0 CmCallbackGetKeyObjectID
0x1c00090a8 RtlAnsiStringToUnicodeString
0x1c00090b0 ZwDeleteValueKey
0x1c00090b8 RtlInitAnsiString
0x1c00090c0 ZwSetValueKey
0x1c00090c8 RtlCompareMemory
0x1c00090d0 MmGetSystemRoutineAddress
0x1c00090d8 ExNotifyCallback
0x1c00090e0 wcsstr
0x1c00090e8 RtlCopyUnicodeString
0x1c00090f0 RtlInitUnicodeString
0x1c00090f8 ExCreateCallback
0x1c0009100 ObfDereferenceObject
0x1c0009108 CmUnRegisterCallback
0x1c0009110 RtlUpcaseUnicodeChar
0x1c0009118 ExpInterlockedFlushSList
0x1c0009120 RtlEqualUnicodeString
0x1c0009128 __C_specific_handler
0x1c0009130 ZwQuerySystemInformation
0x1c0009138 ExAllocatePoolWithQuotaTag
0x1c0009140 PsGetVersion
0x1c0009148 ExAllocatePoolWithTag
cng.sys
0x1c0009000 BCryptCreateHash
0x1c0009008 BCryptHashData
0x1c0009010 BCryptImportKeyPair
0x1c0009018 BCryptDestroyHash
0x1c0009020 BCryptCloseAlgorithmProvider
0x1c0009028 BCryptFinishHash
0x1c0009030 BCryptOpenAlgorithmProvider
0x1c0009038 BCryptVerifySignature
0x1c0009040 BCryptGetProperty
0x1c0009048 BCryptDestroyKey
EAT (Export Address Table) is none