6356d7d9-3b82-4731-9d5f-cc9bc37558fc

test2.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 6356d7d9-3b82-4731-9d5f-cc9bc37558fc
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

Download

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2020-08-16 21:38:03
    MD5665a059e07c388eaf57dc04aec0c8552
    SHA1aaa066705016399e8fa11d71df937fd089550064
    SHA2566709a2d7925248fe172e9bc5495f45b9bb74060c43e1c58e671f0e6c434fd82b
    Authentihash MD5ff295de93e6b6dcc3938d50901a7240d
    Authentihash SHA1484c72dd4fd91083b249f3ccc733a3c8335e583f
    Authentihash SHA2560c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Download

    Certificates

    Expand
    Certificate 00a7e4ded4bf949d15aa4201843f1ab64d
    FieldValue
    ToBeSigned (TBS) MD5a999fc8af07f531dd59dcb4b972e90a1
    ToBeSigned (TBS) SHA1118bc957893b1d91a35e13a91b209729b6561722
    ToBeSigned (TBS) SHA256c68fba18b2592dc3c38394ced6857c78ac7e93d7939ee16db4f07ac6607c68de
    SubjectC=DE, postalCode=66625, ST=Saarland, L=Nohfelden, ??=Obere Seestrasse 13, O=1.A Connect GmbH, OU=Management, CN=1.A Connect GmbH
    ValidFrom2018-08-13 00:00:00
    ValidTo2022-08-13 23:59:59
    Signaturea17f7613d7b3b098555faa45c76f490612d91d968017212ec35725598d6490a9c7ab1f4eea77ddbc9504121362cdc70e800112726c2861a359948d752cd8b2da45216da758545c5f2544b2f45f8db1145b82dbe2f42096cfa1768a4f53560607c2f0b16ad9eff4c4f37c25ca964ef5a40ce93c1ff8efecd883202627907f96e6af3b418789adfe6afdc3aa5e6e5d27f387455c9d2d83cf27ded71661e8c4c0bc72a2f06ea0f4b3c23939ba6be4b50e98d0bb3f730913b99f35a210e853ced120a625367b40a124f2da476b77a17a3ef4d3d48a56709ee92f18f59e40c89a8b74a2d01053fddcb480412dbe49c77d397296928d5089c92fc8d658909ba016ad17
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber00a7e4ded4bf949d15aa4201843f1ab64d
    Version3
    Certificate 2e7c87cc0e934a52fe94fd1cb7cd34af
    FieldValue
    ToBeSigned (TBS) MD5f64df7e88bb2b95c7204bc07bb197a87
    ToBeSigned (TBS) SHA1a1bfa9f0f46a1e9ac66259c9b2b1b2dcaf16db9b
    ToBeSigned (TBS) SHA256a3dd3858c0e514dd37cacd5f23fc8222443ff636eef4a9fe90bc0ecbbb051fd1
    SubjectC=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
    ValidFrom2013-05-09 00:00:00
    ValidTo2028-05-08 23:59:59
    Signature023f0239c3eef8ca3b89de0c6d4db1f14e924fafc2382c04ccc56311ab0963afaba2d7023fcc6f19c33dd61a0894ff25d8a988a72b101ae09bb107221a511c3ad4e1e909bfe62474af1e7b16316e23ef54512d5202e27508054cf1b751e15100c687f66cee104476576af1df586b21aa49d47c374ebdffb67554401836576711cd4f02e4fef3dafc7517dbecb7f7650923491f435783ea7e207761c84df2bb654da8f7854507af7a6927659029408bdf7b3a51398ca81f7079ad6d4220a2cf0c6c038c4ccd730794e75a8e3a04baa2a17c1fcb633a15a7d4151ba7524732a9f4bf6447d1aa1f534e323073c26fb778829d5cff46bb6b221d880bf81baa34a6fc8cf5dd7f658c8c315731d036ec47a1cfcb8ba8ef1c1858c50677ca4b9b51af4c084a7a8fe2a352e28e8ecc26e4b2d8e538c2a8edc6819c356ba958614a0a97b44b42b6559dbe99e7706d59f86d2a0c7f19605f0c9a886c30ac520990161bff2b9ddbd020ca89ea287e328e19df7b48331ed765f8aec9f8831493767d64d08ecebe357dff72314d9f9ebd1e6c2fa88f0c0650fb8c27b376c9f4e6d7c334e28c87218661febf5574e12177030a686cbbe4c9a9e6cf5925eb7cec450e796668e822cdb8ef98854d96113c098ad07fbc282813fb6aca548d925ccdc26598069ece485bd4b5379346417c07ddcffa43efba6761ff7d49e0bb307d5c80e3e616394ba7
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber2e7c87cc0e934a52fe94fd1cb7cd34af
    Version3
    Certificate 300f6facdd6698747ca94636a7782db9
    FieldValue
    ToBeSigned (TBS) MD563499ed59a1293b786649470e4ce0bd7
    ToBeSigned (TBS) SHA17309d8eaa65da1f3da7030c08f00a3b0a20fa908
    ToBeSigned (TBS) SHA2568c8d2046b29e792e71b28705fe67c435208a336dde074a75452d98e72c734937
    SubjectC=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA
    ValidFrom2019-05-02 00:00:00
    ValidTo2038-01-18 23:59:59
    Signature6d5481a5335d16e1b553819175df037a320b2d258411b2b0db2a7d2a05f5bc3b27f45aa0b9495990296c61cbb550dbe27df99f00ef40c3add3e2e456f95841cff142e5107dffb0741f8fc65c09f9335eeaa01c26585cf3b4110fd5d5c3e2bcd55878bf4876e144676d8fb043100f8de4f93862bf1301c585a34cc5ccb2533095a4d6f4965608b8cd5c7f0196be72526a3b42377c1678399393949bb1dcb26d416d67cdc96f903d7f4572c11b23d6c2558466e4b3c56606f6f3d64b5eada32b428a2192fea86f5a2570628173635ea0bbd8dcd74ad33daf830638121d24872de4fc02d63e7704bc0436b5e777cb9c2e8d2318b9a3c2471df05dd6a1735705689aa7c937651dbeeabcd842834305a58ba609ffd1a194a64eaa3d09f5056cb7d2645ad82a22c24b9df1395e4cde483d9b34969a095f8efdf7b15291ce3f89f61ca1b5a9751f71bf5b435d653d50816eabf0d0d3fcb2b31fb6999626f43c798b5c64cccdee279ae5a0c00c7287c16e4d5ad31eeaf044e6326f1ceb174e94c37865203b0f41aa1fe9a1419dfeb1b8a0652a34e0dea8f93ce6c130bbc0a0632cfc5c1600a8d0c47fea119d1e06c6a66d325db438092b4907aafdec30daf1a72fcfb7fdfad0a384d9279efb016677b95610e1206ec6aeb1f9b6bac8355d33768ef17c200c2a77aeb5a20286ba29eeb45a00b18cabe3f90ac9545dd4b96a749ebd48ae98
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber300f6facdd6698747ca94636a7782db9
    Version3
    Certificate 008c77a0008ff4d1b0c63d9f3a48838d6b
    FieldValue
    ToBeSigned (TBS) MD56efd500ce038df7aa3087c1e63a5eb5c
    ToBeSigned (TBS) SHA11c961712a02fb995c585080eda53a753656ca3ad
    ToBeSigned (TBS) SHA256f60d4f8f7b56499de889264b1e64890694c5b106129d3db068976ed33495577a
    SubjectC=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2
    ValidFrom2020-10-23 00:00:00
    ValidTo2032-01-22 23:59:59
    Signature4a0378904233ec7b1a830936339855bb9d4006306b456af1940e1950ff5b255e3be139c45bbae995903737bddffb64ece582b795cc5755704b4ef4a887dd2285a657bbb82127d4a02a31948a07219e8abda71af50215cb4450998cec3eba0377a6820290c22e93a9be21347563b9e02d0fcf0137cb8da2fab85a9aaea17a9e139319558f09902edfea881716eb69d6e125bd45089780d75420284fca7bb3b3a5d200b0603465c4e3c5c3a5e4ba85aa7a69db75a43e79689a368b43ae36d461723c0e85620da05e70db642f01c7c1a1c72494a3b23c6eb25ea2d0faa8d1b8251c16e6c0d57f681ac46529352a2d88bceaae74d682e7c088b8e14f78f05ccac0405cc29fd5321c2cda3cac36f706529aa3403017b0291699c9aab78849f7e80b2533b53f6daf9f5f0a56df12b1c3eece9177e82013e95c24c7ea440b4ae613841c4deb0db5b886a030a78ba19fb42cccc01623c991e542034b80cee44de62a013ec05e85a024a11740d5dbdbe79810a4f1ea191b8054fa4789e89881a975c00edfd0689479a1a09e8eb6b74266cbd9d96b2f4dd8de3e321e20e4ec9c4d428d9dc73399823744d4262926408e782fb9eefa2ff1f18ffe50b878dd1496de1c0e70b02a856ab16c68e92ae4102b6e21fdd37c9d37e42a06d6c3f1d768e34f0779810813feb2645ee9b13ce6d07823b2092ce22662bf3ba99751ccc7443281b2afcfdf
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityFalse
    SerialNumber008c77a0008ff4d1b0c63d9f3a48838d6b
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • NtQuerySystemInformation
    • RtlInitUnicodeString
    • ExAllocatePool
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • _wcsicmp
    • RtlInitString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • IoGetDeviceObjectPointer
    • ZwClose
    • MmIsAddressValid
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObReferenceObjectByName
    • ZwQuerySystemInformation
    • __C_specific_handler
    • MmHighestUserAddress
    • IoDriverObjectType
    • KeQueryTimeIncrement
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessPeb
    • MmUnlockPages
    • MmGetSystemRoutineAddress
    • MmUnmapLockedPages
    • IoFreeMdl
    • ZwTerminateProcess
    • PsGetProcessImageFileName
    • ObOpenObjectByPointer
    • PsReferenceProcessFilePointer
    • IoQueryFileDosDeviceName
    • ZwQueryVirtualMemory
    • MmProbeAndLockPages
    • PsLookupProcessByProcessId
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • IoGetCurrentProcess
    • MmCopyVirtualMemory
    • KeClearEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • MmMapLockedPages
    • ObReferenceObjectByHandle
    • PsSetCreateProcessNotifyRoutineEx
    • PsSetCreateThreadNotifyRoutine
    • PsRemoveCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • ExEventObjectType
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • ObGetFilterVersion
    • IoThreadToProcess
    • strcmp
    • PsProcessType
    • PsThreadType
    • RtlGetVersion
    • ObfReferenceObject
    • ObGetObjectType
    • ExEnumHandleTable
    • ExfUnblockPushLock
    • _snprintf
    • vsprintf_s
    • ZwCreateFile
    • ZwWriteFile
    • PsLookupThreadByThreadId
    • NtQueryInformationThread
    • PsGetThreadProcess
    • DbgPrint
    • KeDelayExecutionThread
    • KdDisableDebugger
    • KdChangeOption
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • KdDebuggerEnabled
    • PsGetVersion
    • KeInitializeEvent
    • RtlCopyUnicodeString
    • ObfDereferenceObject
    • ExReleaseFastMutex
    • ExAcquireFastMutex
    • MmBuildMdlForNonPagedPool
    • WdfVersionBindClass
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .upx0
    • .reloc
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "00a7e4ded4bf949d15aa4201843f1ab64d",
      "Signature": "a17f7613d7b3b098555faa45c76f490612d91d968017212ec35725598d6490a9c7ab1f4eea77ddbc9504121362cdc70e800112726c2861a359948d752cd8b2da45216da758545c5f2544b2f45f8db1145b82dbe2f42096cfa1768a4f53560607c2f0b16ad9eff4c4f37c25ca964ef5a40ce93c1ff8efecd883202627907f96e6af3b418789adfe6afdc3aa5e6e5d27f387455c9d2d83cf27ded71661e8c4c0bc72a2f06ea0f4b3c23939ba6be4b50e98d0bb3f730913b99f35a210e853ced120a625367b40a124f2da476b77a17a3ef4d3d48a56709ee92f18f59e40c89a8b74a2d01053fddcb480412dbe49c77d397296928d5089c92fc8d658909ba016ad17",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=DE, postalCode=66625, ST=Saarland, L=Nohfelden, ??=Obere Seestrasse 13, O=1.A Connect GmbH, OU=Management, CN=1.A Connect GmbH",
      "TBS": {
        "MD5": "a999fc8af07f531dd59dcb4b972e90a1",
        "SHA1": "118bc957893b1d91a35e13a91b209729b6561722",
        "SHA256": "c68fba18b2592dc3c38394ced6857c78ac7e93d7939ee16db4f07ac6607c68de",
        "SHA384": "62678cf106b6763f89a3c04ce67549f949633a3bfeeb562198f4933a2ba2084a006afaf122e814bdaa6b2cedd80c3a4d"
      },
      "ValidFrom": "2018-08-13 00:00:00",
      "ValidTo": "2022-08-13 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "2e7c87cc0e934a52fe94fd1cb7cd34af",
      "Signature": "023f0239c3eef8ca3b89de0c6d4db1f14e924fafc2382c04ccc56311ab0963afaba2d7023fcc6f19c33dd61a0894ff25d8a988a72b101ae09bb107221a511c3ad4e1e909bfe62474af1e7b16316e23ef54512d5202e27508054cf1b751e15100c687f66cee104476576af1df586b21aa49d47c374ebdffb67554401836576711cd4f02e4fef3dafc7517dbecb7f7650923491f435783ea7e207761c84df2bb654da8f7854507af7a6927659029408bdf7b3a51398ca81f7079ad6d4220a2cf0c6c038c4ccd730794e75a8e3a04baa2a17c1fcb633a15a7d4151ba7524732a9f4bf6447d1aa1f534e323073c26fb778829d5cff46bb6b221d880bf81baa34a6fc8cf5dd7f658c8c315731d036ec47a1cfcb8ba8ef1c1858c50677ca4b9b51af4c084a7a8fe2a352e28e8ecc26e4b2d8e538c2a8edc6819c356ba958614a0a97b44b42b6559dbe99e7706d59f86d2a0c7f19605f0c9a886c30ac520990161bff2b9ddbd020ca89ea287e328e19df7b48331ed765f8aec9f8831493767d64d08ecebe357dff72314d9f9ebd1e6c2fa88f0c0650fb8c27b376c9f4e6d7c334e28c87218661febf5574e12177030a686cbbe4c9a9e6cf5925eb7cec450e796668e822cdb8ef98854d96113c098ad07fbc282813fb6aca548d925ccdc26598069ece485bd4b5379346417c07ddcffa43efba6761ff7d49e0bb307d5c80e3e616394ba7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA",
      "TBS": {
        "MD5": "f64df7e88bb2b95c7204bc07bb197a87",
        "SHA1": "a1bfa9f0f46a1e9ac66259c9b2b1b2dcaf16db9b",
        "SHA256": "a3dd3858c0e514dd37cacd5f23fc8222443ff636eef4a9fe90bc0ecbbb051fd1",
        "SHA384": "4805a7e23d6c8ff5e149f197b744bcb2346e73f19a48835a2f64129183981109256b75ea371a331746d01fd4e135ab6e"
      },
      "ValidFrom": "2013-05-09 00:00:00",
      "ValidTo": "2028-05-08 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "300f6facdd6698747ca94636a7782db9",
      "Signature": "6d5481a5335d16e1b553819175df037a320b2d258411b2b0db2a7d2a05f5bc3b27f45aa0b9495990296c61cbb550dbe27df99f00ef40c3add3e2e456f95841cff142e5107dffb0741f8fc65c09f9335eeaa01c26585cf3b4110fd5d5c3e2bcd55878bf4876e144676d8fb043100f8de4f93862bf1301c585a34cc5ccb2533095a4d6f4965608b8cd5c7f0196be72526a3b42377c1678399393949bb1dcb26d416d67cdc96f903d7f4572c11b23d6c2558466e4b3c56606f6f3d64b5eada32b428a2192fea86f5a2570628173635ea0bbd8dcd74ad33daf830638121d24872de4fc02d63e7704bc0436b5e777cb9c2e8d2318b9a3c2471df05dd6a1735705689aa7c937651dbeeabcd842834305a58ba609ffd1a194a64eaa3d09f5056cb7d2645ad82a22c24b9df1395e4cde483d9b34969a095f8efdf7b15291ce3f89f61ca1b5a9751f71bf5b435d653d50816eabf0d0d3fcb2b31fb6999626f43c798b5c64cccdee279ae5a0c00c7287c16e4d5ad31eeaf044e6326f1ceb174e94c37865203b0f41aa1fe9a1419dfeb1b8a0652a34e0dea8f93ce6c130bbc0a0632cfc5c1600a8d0c47fea119d1e06c6a66d325db438092b4907aafdec30daf1a72fcfb7fdfad0a384d9279efb016677b95610e1206ec6aeb1f9b6bac8355d33768ef17c200c2a77aeb5a20286ba29eeb45a00b18cabe3f90ac9545dd4b96a749ebd48ae98",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA",
      "TBS": {
        "MD5": "63499ed59a1293b786649470e4ce0bd7",
        "SHA1": "7309d8eaa65da1f3da7030c08f00a3b0a20fa908",
        "SHA256": "8c8d2046b29e792e71b28705fe67c435208a336dde074a75452d98e72c734937",
        "SHA384": "5dbc5eae13908fee4c4e5216f87e3e87208fff0d1052f5fa9f0856a429d6a6c422c625f2318f2f29aea26ece09c1e811"
      },
      "ValidFrom": "2019-05-02 00:00:00",
      "ValidTo": "2038-01-18 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "008c77a0008ff4d1b0c63d9f3a48838d6b",
      "Signature": "4a0378904233ec7b1a830936339855bb9d4006306b456af1940e1950ff5b255e3be139c45bbae995903737bddffb64ece582b795cc5755704b4ef4a887dd2285a657bbb82127d4a02a31948a07219e8abda71af50215cb4450998cec3eba0377a6820290c22e93a9be21347563b9e02d0fcf0137cb8da2fab85a9aaea17a9e139319558f09902edfea881716eb69d6e125bd45089780d75420284fca7bb3b3a5d200b0603465c4e3c5c3a5e4ba85aa7a69db75a43e79689a368b43ae36d461723c0e85620da05e70db642f01c7c1a1c72494a3b23c6eb25ea2d0faa8d1b8251c16e6c0d57f681ac46529352a2d88bceaae74d682e7c088b8e14f78f05ccac0405cc29fd5321c2cda3cac36f706529aa3403017b0291699c9aab78849f7e80b2533b53f6daf9f5f0a56df12b1c3eece9177e82013e95c24c7ea440b4ae613841c4deb0db5b886a030a78ba19fb42cccc01623c991e542034b80cee44de62a013ec05e85a024a11740d5dbdbe79810a4f1ea191b8054fa4789e89881a975c00edfd0689479a1a09e8eb6b74266cbd9d96b2f4dd8de3e321e20e4ec9c4d428d9dc73399823744d4262926408e782fb9eefa2ff1f18ffe50b878dd1496de1c0e70b02a856ab16c68e92ae4102b6e21fdd37c9d37e42a06d6c3f1d768e34f0779810813feb2645ee9b13ce6d07823b2092ce22662bf3ba99751ccc7443281b2afcfdf",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2",
      "TBS": {
        "MD5": "6efd500ce038df7aa3087c1e63a5eb5c",
        "SHA1": "1c961712a02fb995c585080eda53a753656ca3ad",
        "SHA256": "f60d4f8f7b56499de889264b1e64890694c5b106129d3db068976ed33495577a",
        "SHA384": "031fdf7c078e205b4d3ffaff40de36f48f91f87c3b0005b482ff614b320f5e47785045cb87a3e6a75085c24ae8409498"
      },
      "ValidFrom": "2020-10-23 00:00:00",
      "ValidTo": "2032-01-22 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA",
      "SerialNumber": "00a7e4ded4bf949d15aa4201843f1ab64d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09