Windows Analysis Report
tcpip.sys

Overview

General Information

Sample name: tcpip.sys
Analysis ID: 1432029
MD5: 383a0ff58bb4835a540c6304a0779b7f
SHA1: b0bdda9f75085e8011c2527cbaeae03b502793e8
SHA256: bb66260d219843cfa2ef7f92b839ad16bf47413429c883cfea0b441f4a02d1f0
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: driver entrypoint not found

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

Source: tcpip.sys Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Source: Binary string: tcpip.pdbUGP source: tcpip.sys
Source: Binary string: tcpip.pdb source: tcpip.sys

Networking

Source: tcpip.sys Static PE information: Found NDIS imports: IPsecDriverInitiateAcquire, IPsecDriverExpire, IPsecDriverSaOffloaded, IPsecDriverProcessClearTextResponse, FwppBfeStateGetResetCount0, FwppDispatchDevCtl0, FwpsRequestEndpointDeleteNotification0, FwpsCancelEndpointDeleteNotification0, FwpsForceReclassifyLayer0, FwpsFreeNetBufferList0, FwpsReassembleForwardFragmentGroup0, FwppvSwitchFreeVmSwitchNblInfo, FwpsFreeCloneNetBufferList0, FwpsReleaseClassifyHandle0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsAcquireClassifyHandle0, FwpsClassifyOptionSet0, FwpmBfeStateUnsubscribeChanges0, FwpmBfeStateSubscribeChangesWithoutDevice0, FwpsFlowAssociateContext0, FwpmEngineClose0, FwpmEngineOpen0, FwppVpnTriggerEventFire0, FwpmSecureSocketDeleteByKeyAsync0, FwpmSecureSocketAddAsync0, FwppvSwitchGetDestinationInterface, FwppvSwitchGetDestinationArray, FwppvSwitchCopyVmSwitchNblInfo, FwppDereferencevSwitchNblContext, FwppReferencevSwitchNblContext, FwpsInjectNetworkReceiveAsync0, FwppAllocateNetioCloneNetBufferList, FwpsNetBufferListRetrieveContext0, FwppGetvSwitchNblContext, FwppProcessorAddHandler, FwpsIPSecGetPacketListSecurityInformation, FwppNetBufferListAssociateContext, FwpsQueryPacketInjectionState0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsInjectTransportSendAsync1, FwpsConstructIpHeaderForTransportPacket0, FwpsAllocateCloneNetBufferList0, FwpsTcpIpDispatchTableAndGlobalsSet0, FwpsTcpIpDispatchTableClear0, FwppNetBufferListEventNotify, FwpsCalloutUnregisterByKey0, FwpsCalloutRegisterWithoutDevice0, FwpsProxiedEndpointUnRegisterForExitingEndpoint, FwpsProxiedEndpointClassifiableFieldGet, FwpsProxiedEndpointMetadataValueGet, FwpsProxiedEndpointRegisterForExitingEndpoint, FwpsProxiedEndpointWasRedirectedToProxy
Source: tcpip.sys Static PE information: invalid certificate
Source: tcpip.sys Static PE information: Number of sections: 17 > 10
Source: classification engine Classification label: sus22.troj.winSYS@0/0@0/0
Source: tcpip.sys Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tcpip.sys Static PE information: Image base 0x1c0000000 > 0x60000000
Source: tcpip.sys Static file information: File size 3298784 > 1048576
Source: tcpip.sys Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1da000
Source: tcpip.sys Static PE information: More than 200 imports for ntoskrnl.exe
Source: tcpip.sys Static PE information: More than 200 imports for NETIO.SYS
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tcpip.sys Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: tcpip.sys Static PE information: 0xBD850684 [Sat Oct 4 01:29:40 2070 UTC]
Source: tcpip.sys Static PE information: real checksum: 0x33468a should be: 0x334692
Source: tcpip.sys Static PE information: section name: NONPAGE
Source: tcpip.sys Static PE information: section name: PAGEIPSE
Source: tcpip.sys Static PE information: section name: PAGEIDP
Source: tcpip.sys Static PE information: section name: PAGERSS
Source: tcpip.sys Static PE information: section name: fothk
Source: tcpip.sys Static PE information: section name: PAGECONS
Source: tcpip.sys Static PE information: section name: GFIDS
No contacted IP information