75a66604-f024-4f11-8ba7-fdd64a0df3bf

mhyprotnap.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 75a66604-f024-4f11-8ba7-fdd64a0df3bf
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2022-03-28 00:31:12
    MD564ae0358860e2a5b658383f7e651038e
    SHA1acacebea32c33fc1315d9549504a6b0cabd1e974
    SHA25640263b08b3c3659529ab605d1daa3033db0fdc4b19c26aa375be0c19686807e6
    Authentihash MD53a94d517fd2a56f4d20100a8f254b183
    Authentihash SHA105b36efe08674891c40db96cbb5e69abea6f4daf
    Authentihash SHA2569e428c1d1cd7358e2c2f25ede45e718b22cb5d04634a4d1ec08a87e71248685b
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Download

    Certificates

    Expand
    Certificate 330000004e595610832b4e0c6c00000000004e
    FieldValue
    ToBeSigned (TBS) MD5cd4b92926b0c62a20cbbf01178422b63
    ToBeSigned (TBS) SHA12172402fc331352ecf707599578205d2ad32da6e
    ToBeSigned (TBS) SHA25616060ca074a311e7fe9d8c47dbdae7dcffb04e6fee1c50b5f3d2c90af8b5fdbc
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom2021-09-09 19:16:00
    ValidTo2022-09-01 19:16:00
    Signature7b7b91445abb831e254190c9b985d928d36a304fcd1047a1e72e0fb7a0c533676a5fa6f4071e22878ab6ffbef445846d5bed9fd5e5995fcd1674c9eefe23d3bc0a7b4284573daefcb1eeb5e8e6fe607bb833ae121138cc8ff9239dbcbd784dd74e0b7a489d33cfca295b4bd3e8705f58a8dcf7396d88793e0e9edaace46eed0fd40623826f7770c86a4c5699a9097011fdd8765e8c8550a9e7816e034954ad7cbbc7c61bc9dfc5c5d7c1bd33ec6d9fd8a7e5e1452605850a83017c07b93d35297de19da40b0817897694e1baa9f0e9bf4aed86f1cd872a42af30c8491063aa02b305e6806e83949ceddec43793a03b3d79ec556ba6a3435fcc6775627c694b4180d193ded57885f53217c7e14ca0558f7bb0afdf14f2e07fd8481d15119d90e6b54d39860fca5acb90fa98ed0e85090cabe7de390d74cdc93416c3afc39ba45be2b410e64ca280c41748ba2b2c3fc1e08592b6ed8542f6c5784b7dd3c19641f2758782af123d84d1055eb538a7159b302097cbe6315f5dbdf7b5a0bc62a313e8a330ae1028e8678458c55a5038c8038de55af0c9ec5cbc6eaa7413a5b046364b027cbe2b67de79e7807f09d83dbd55fd34c07f9536a2bf7d216febd30fa3714b580d2c1f9e915010944f8dd74e4b469ff66bf68e14da72ccf2e6d8960387891225a1986d96b4068042352843a5f6ea17cca27d2d7de08e90eaa496983049efe0
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000004e595610832b4e0c6c00000000004e
    Version3
    Certificate 330000000d690d5d7893d076df00000000000d
    FieldValue
    ToBeSigned (TBS) MD583f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA10c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom2014-10-15 20:31:27
    ValidTo2029-10-15 20:41:27
    Signature96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber330000000d690d5d7893d076df00000000000d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • NtQuerySystemInformation
    • RtlInitUnicodeString
    • ExAllocatePool
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoGetCurrentProcess
    • _wcsicmp
    • RtlInitString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • IoGetDeviceObjectPointer
    • ZwClose
    • MmIsAddressValid
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObReferenceObjectByName
    • ZwQuerySystemInformation
    • __C_specific_handler
    • MmHighestUserAddress
    • IoDriverObjectType
    • KeQueryTimeIncrement
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessWow64Process
    • PsGetProcessPeb
    • MmUnlockPages
    • MmGetSystemRoutineAddress
    • MmUnmapLockedPages
    • IoFreeMdl
    • ZwTerminateProcess
    • PsGetProcessImageFileName
    • ZwQueryObject
    • ObOpenObjectByPointer
    • PsReferenceProcessFilePointer
    • IoQueryFileDosDeviceName
    • MmProbeAndLockPages
    • PsLookupProcessByProcessId
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • MmCopyVirtualMemory
    • KeClearEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • MmMapLockedPages
    • ObReferenceObjectByHandle
    • PsSetCreateProcessNotifyRoutineEx
    • PsSetCreateThreadNotifyRoutine
    • PsRemoveCreateThreadNotifyRoutine
    • PsSetLoadImageNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • ExEventObjectType
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • ObGetFilterVersion
    • PsGetProcessId
    • IoThreadToProcess
    • strcmp
    • PsProcessType
    • PsThreadType
    • RtlEqualUnicodeString
    • RtlGetVersion
    • ObfReferenceObject
    • ObGetObjectType
    • ExEnumHandleTable
    • ExfUnblockPushLock
    • PsAcquireProcessExitSynchronization
    • PsReleaseProcessExitSynchronization
    • _snprintf
    • vsprintf_s
    • ZwCreateFile
    • ZwWriteFile
    • PsLookupThreadByThreadId
    • NtQueryInformationThread
    • PsGetThreadProcess
    • KeDelayExecutionThread
    • KdDisableDebugger
    • KdChangeOption
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • KdDebuggerEnabled
    • PsGetVersion
    • KeInitializeEvent
    • RtlCopyUnicodeString
    • ObfDereferenceObject
    • ExReleaseFastMutex
    • ExAcquireFastMutex
    • MmBuildMdlForNonPagedPool
    • WdfVersionBindClass
    • WdfVersionBind
    • WdfVersionUnbind
    • WdfVersionUnbindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .upx0
    • .reloc
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000004e595610832b4e0c6c00000000004e",
      "Signature": "7b7b91445abb831e254190c9b985d928d36a304fcd1047a1e72e0fb7a0c533676a5fa6f4071e22878ab6ffbef445846d5bed9fd5e5995fcd1674c9eefe23d3bc0a7b4284573daefcb1eeb5e8e6fe607bb833ae121138cc8ff9239dbcbd784dd74e0b7a489d33cfca295b4bd3e8705f58a8dcf7396d88793e0e9edaace46eed0fd40623826f7770c86a4c5699a9097011fdd8765e8c8550a9e7816e034954ad7cbbc7c61bc9dfc5c5d7c1bd33ec6d9fd8a7e5e1452605850a83017c07b93d35297de19da40b0817897694e1baa9f0e9bf4aed86f1cd872a42af30c8491063aa02b305e6806e83949ceddec43793a03b3d79ec556ba6a3435fcc6775627c694b4180d193ded57885f53217c7e14ca0558f7bb0afdf14f2e07fd8481d15119d90e6b54d39860fca5acb90fa98ed0e85090cabe7de390d74cdc93416c3afc39ba45be2b410e64ca280c41748ba2b2c3fc1e08592b6ed8542f6c5784b7dd3c19641f2758782af123d84d1055eb538a7159b302097cbe6315f5dbdf7b5a0bc62a313e8a330ae1028e8678458c55a5038c8038de55af0c9ec5cbc6eaa7413a5b046364b027cbe2b67de79e7807f09d83dbd55fd34c07f9536a2bf7d216febd30fa3714b580d2c1f9e915010944f8dd74e4b469ff66bf68e14da72ccf2e6d8960387891225a1986d96b4068042352843a5f6ea17cca27d2d7de08e90eaa496983049efe0",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "cd4b92926b0c62a20cbbf01178422b63",
        "SHA1": "2172402fc331352ecf707599578205d2ad32da6e",
        "SHA256": "16060ca074a311e7fe9d8c47dbdae7dcffb04e6fee1c50b5f3d2c90af8b5fdbc",
        "SHA384": "8ae2ad20d42c9eb0d4b570c58d76395f896230e0a235f1d73f281d4df028174a4a457e7794514b47f39659f2a62212f3"
      },
      "ValidFrom": "2021-09-09 19:16:00",
      "ValidTo": "2022-09-01 19:16:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "330000004e595610832b4e0c6c00000000004e",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26