Windows
Analysis Report
ereborlugimli.sys
Overview
General Information
Sample name: | ereborlugimli.sys |
Analysis ID: | 1431620 |
MD5: | eebfa46f56e02488c933c3d6f289c7c2 |
SHA1: | d3cc699a04936324ab29a31a283ea309a10ab27a |
SHA256: | bcbb40015ac5a9fa84232be932a12c0f37c7b482af434eb092f4b25fae706da9 |
Errors
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
There are no malicious signatures.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 3% | Virustotal | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431620 |
Start date and time: | 2024-04-25 14:37:45 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | ereborlugimli.sys |
Detection: | UNKNOWN |
Classification: | unknown0.winSYS@0/0@0/0 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: unsuccessful
- Exclude process from analysis (whitelisted): dllhost.exe
File type: | |
Entropy (8bit): | 5.4892453267398835 |
TrID: | |
File name: | ereborlugimli.sys |
File size: | 40'384 bytes |
MD5: | eebfa46f56e02488c933c3d6f289c7c2 |
SHA1: | d3cc699a04936324ab29a31a283ea309a10ab27a |
SHA256: | bcbb40015ac5a9fa84232be932a12c0f37c7b482af434eb092f4b25fae706da9 |
SHA512: | 1805173b1ac66fabef3873e79d522b131e710416b6214607f31b8465be390b7b39392f6d29ce42f5a035d914ad47903138c072dc088892bc12ff10cd5417c849 |
SSDEEP: | 768:9WaauVbAKn/4bLQ2NMkrWkmpuz7XcVZD59mk1nlv4phOPZsnF:Ztl/4uqIuz7sNP+hOPQF |
TLSH: | 67036D56608D22D1E5AA82FEC9B21346EBB0F4052B5641EF17D084796F73FF1653E312 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.h)...z...z...zH..{...z...z...zH..{...zH..{...zH..{...z...zT..z...{...z...{...z*{.{...z*{.{...zRich...z................PE..d.. |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x140005300 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | native |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
Time Stamp: | 0x661FCED5 [Wed Apr 17 13:29:57 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | f2cad1d5d91168e86a6c53144b03fcac |
Signature Valid: | false |
Signature Issuer: | CN="WDKTestCert ereborlugimli,133486784345788048" |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 8E0BF598C15987C560A427F6F129C58B |
Thumbprint SHA-1: | 56200EF9746583E6E970212CCC978745998AA334 |
Thumbprint SHA-256: | 3E52D973FB09E5D53ECB464F3CE5AC34E12B49E3F3F7E993EFB7ADD6A6343ECF |
Serial: | 54E89F00DEC44E9F40393A392B136944 |
Entrypoint instruction preview (decoded as 32-bit by the sandbox; the recurring `dec eax`, `dec ecx`, `dec esp` and `inc ecx` entries are REX prefix bytes of the 64-bit instructions that follow them) |
---|
dec eax |
mov dword ptr [esp+08h], ebx |
push edi |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, edx |
dec eax |
mov edi, ecx |
call 00007FBBDCBCD830h |
dec eax |
mov edx, ebx |
dec eax |
mov ecx, edi |
call 00007FBBDCBC78B1h |
dec eax |
mov ebx, dword ptr [esp+30h] |
dec eax |
add esp, 20h |
pop edi |
ret |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
dec eax |
mov dword ptr [eax+18h], esi |
dec eax |
mov dword ptr [eax+20h], edi |
inc ecx |
push esi |
dec eax |
sub esp, 30h |
xor ebp, ebp |
dec eax |
mov esi, edx |
dec eax |
mov edi, ecx |
dec eax |
test ecx, ecx |
jne 00007FBBDCBC78ACh |
call 00007FBBDCBCD54Eh |
jmp 00007FBBDCBC7966h |
dec eax |
lea eax, dword ptr [00003DFDh] |
dec eax |
mov dword ptr [0000402Eh], edi |
dec esp |
lea esi, dword ptr [00004007h] |
mov dword ptr [00003FFDh], 02080000h |
dec ecx |
mov ecx, esi |
dec eax |
mov dword ptr [00003FFBh], eax |
dec eax |
call dword ptr [00000ED4h] |
nop dword ptr [eax+eax+00h] |
dec esp |
lea ecx, dword ptr [00003FF8h] |
dec ecx |
mov edx, esi |
dec esp |
lea eax, dword ptr [00003B2Eh] |
dec eax |
mov ecx, edi |
call 00007FBBDCBC7CF5h |
test eax, eax |
js 00007FBBDCBC7911h |
dec eax |
mov eax, dword ptr [00003FD3h] |
dec eax |
lea ecx, dword ptr [00003B14h] |
dec eax |
mov edx, dword ptr [eax+00000648h] |
dec eax |
mov dword ptr [00003F9Eh], edx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb304 | 0x50 | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa000 | 0x390 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9600 | 0x7c0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x34 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6760 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6620 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x2a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4c62 | 0x4e00 | c0258e7befa15930586285e4046ee378 | False | 0.5534855769230769 | data | 6.165753815512331 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x6000 | 0xf14 | 0x1000 | 0a3fa804999c52854ae217e7fc365aa3 | False | 0.430419921875 | data | 4.677497907989505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
.data | 0x7000 | 0x23e8 | 0x2000 | 31c0799eaf27c53966c9756388c40e82 | False | 0.082275390625 | data | 1.6936198921249268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0xa000 | 0x390 | 0x400 | a6a9f134291759ab74045efaaf1c550a | False | 0.5205078125 | data | 3.9352782596690434 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
INIT | 0xb000 | 0xd40 | 0xe00 | f3d95e21bf680c9f6003e1ffce7192c1 | False | 0.51171875 | zlib compressed data | 5.499127463167882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0xc000 | 0x34 | 0x200 | 9a8070284216bfef1594c635cb087f12 | False | 0.123046875 | data | 0.6688615316230119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
NETIO.SYS | WskCaptureProviderNPI, WskReleaseProviderNPI, WskQueryProviderCharacteristics, WskDeregister, WskRegister |
ntoskrnl.exe | ExFreePoolWithTag, ZwCreateFile, ZwQueryInformationFile, ZwWriteFile, ZwClose, _vsnwprintf, atoi, KeInitializeEvent, KeClearEvent, KeInitializeSemaphore, KeDelayExecutionThread, KeWaitForSingleObject, KeInitializeSpinLock, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, ExInterlockedInsertTailList, ExInterlockedRemoveHeadList, ExInitializeResourceLite, ExEnterCriticalRegionAndAcquireResourceExclusive, ExReleaseResourceAndLeaveCriticalRegion, ExDeleteResourceLite, PsCreateSystemThread, PsTerminateSystemThread, IoBuildSynchronousFsdRequest, IofCallDriver, IoCancelIrp, IofCompleteRequest, IoCreateDevice, IoDeleteDevice, IoReleaseCancelSpinLock, IoReleaseRemoveLockEx, ObfDereferenceObject, ObReferenceObjectByName, ExAllocatePoolWithTag, strncmp, strstr, ObReferenceObjectByHandleWithTag, ObfDereferenceObjectWithTag, ZwReadFile, __chkstk, PsThreadType, MmGetSystemRoutineAddress, RtlGetVersion, KeSetEvent, MmProbeAndLockPages, MmUnlockPages, IoAllocateIrp, IoAllocateMdl, IoFreeIrp, IoFreeMdl, __C_specific_handler, ExAcquireFastMutex, ExReleaseFastMutex, ExQueryDepthSList, ExpInterlockedPopEntrySList, ExpInterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, RtlInitializeGenericTableAvl, RtlInsertElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlLookupElementGenericTableAvl, RtlGetElementGenericTableAvl, isdigit, RtlCopyUnicodeString, DbgPrintEx, RtlAnsiStringToUnicodeString, RtlInitUnicodeString, RtlInitAnsiString, strchr, IoDriverObjectType |
WDFLDR.SYS | WdfVersionBindClass, WdfVersionUnbind, WdfLdrQueryInterface, WdfVersionBind, WdfVersionUnbindClass |