Windows Analysis Report
BthA2dp.sys

Overview

General Information

Sample Name: BthA2dp.sys
Analysis ID: 1320194
MD5: 2b008704767e827e81021743b2b6f336
SHA1: 8c65fb4148e3017e9dd856d6e3ba56727eff8715
SHA256: 30e37705524fa79d8c09e48665b349f0fcd9021b8244da1a16613cc8c2d58245
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: BthA2dp.sys | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, WDM_DRIVER, GUARD_CF
Source: Binary string: btha2dp.pdbGCTL | source: BthA2dp.sys
Source: Binary string: btha2dp.pdb | source: BthA2dp.sys
Source: BthA2dp.sys | Static PE information: Number of sections: 11 > 10
Source: classification engine | Classification label: unknown1.winSYS@0/0@0/0
Source: BthA2dp.sys | Static PE information: Image base 0x1c0000000 > 0x60000000
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: BthA2dp.sys | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, WDM_DRIVER, GUARD_CF
Source: BthA2dp.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: btha2dp.pdbGCTL | source: BthA2dp.sys
Source: Binary string: btha2dp.pdb | source: BthA2dp.sys
Source: BthA2dp.sys | Static PE information: section name: NONPAGE
Source: BthA2dp.sys | Static PE information: section name: GFIDS
No Mitre Att&ck techniques found

Source | Detection | Scanner | Label | Link
BthA2dp.sys | 0% | ReversingLabs | |
BthA2dp.sys | 0% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1320194
Start date and time: 2023-10-05 13:06:20 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: BthA2dp.sys
Detection: UNKNOWN
Classification: unknown1.winSYS@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • No process behavior to analyse as no analysis process or sample was found
  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
No simulations
No context
No created / dropped files found
File type: PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit): 6.302485076495764
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: BthA2dp.sys
File size: 280'064 bytes
MD5: 2b008704767e827e81021743b2b6f336
SHA1: 8c65fb4148e3017e9dd856d6e3ba56727eff8715
SHA256: 30e37705524fa79d8c09e48665b349f0fcd9021b8244da1a16613cc8c2d58245
SHA512: facb140a2121284eadecdf68bd6f182c123f55033c27044e1e21a9238a3ea0bddaa147047173a6014f5a1ea7df647c6be50cbc74a8abd210ee733bd84e126059
SSDEEP: 3072:lpXOxOjY/afLTMzPQ7d7WeNTtOyzYe41CMgu7Q2haaLs92rjRacYDnACOvs0QHA4:TMI1Iu7RTIuYnUMQ2haaQdes0vWg
TLSH: AD545A4E12BA5872FCBBC67E85B78116E2F13C210366E7DF259482789F03CD4A978B15
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\........................^...................................................Rich....................PE..d......6.........."
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1c001ab70
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x1c0000000
Subsystem: native
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, WDM_DRIVER, GUARD_CF
Time Stamp: 0x36A69CC9 [Thu Jan 21 03:19:37 1999 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: fa2c2b3f8a076630b2f56e184ac82ee6
Instruction
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007FDA68B08578h
dec eax
mov edx, ebx
dec eax
mov ecx, edi
call 00007FDA68ADEEE9h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 30h
xor ebp, ebp
dec eax
mov esi, edx
dec eax
mov edi, ecx
dec eax
test ecx, ecx
jne 00007FDA68ADEEDCh
call 00007FDA68AD8D2Ah
jmp 00007FDA68ADEF75h
dec eax
lea eax, dword ptr [0001C735h]
mov dword ptr [0001C71Bh], 02080000h
dec esp
lea esi, dword ptr [0001C714h]
dec eax
mov dword ptr [0001C715h], eax
dec ecx
mov ecx, esi
dec eax
call dword ptr [00020743h]
nop dword ptr [eax+eax+00h]
dec esp
lea ecx, dword ptr [0001C91Fh]
dec ecx
mov edx, esi
dec esp
lea eax, dword ptr [0001C525h]
dec eax
mov ecx, edi
dec eax
call dword ptr [00020443h]
nop dword ptr [eax+eax+00h]
test eax, eax
js 00007FDA68ADEF20h
call 00007FDA68ADEF76h
mov ebx, eax
test eax, eax
js 00007FDA68ADEF0Eh
call 00007FDA68ADF143h
mov ebx, eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b4f0 | 0xb4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x2a48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x39000 | 0x1dc4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x49000 | 0x294 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34160 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x313c0 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x4e0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2edea | 0x2ee00 | False | 0.46951041666666665 | data | 6.357062975937825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x30000 | 0x6ed8 | 0x7000 | False | 0.38741629464285715 | data | 5.3176983446773844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0x1990 | 0x400 | False | 0.1630859375 | data | 1.6565173179171375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x39000 | 0x1dc4 | 0x1e00 | False | 0.5291666666666667 | data | 5.494910481716635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.idata | 0x3b000 | 0x1922 | 0x1a00 | False | 0.3317307692307692 | data | 4.699329088655764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
NONPAGE | 0x3d000 | 0xb0 | 0x200 | False | 0.060546875 | data | 0.27354613835361985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE | 0x3e000 | 0x574b | 0x5800 | False | 0.5312056107954546 | data | 6.360260146051718 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
INIT | 0x44000 | 0x256 | 0x400 | False | 0.51953125 | data | 4.437036250450268 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
GFIDS | 0x45000 | 0x36c | 0x400 | False | 0.5537109375 | data | 4.350022576219208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0x2a48 | 0x2c00 | False | 0.27769886363636365 | data | 3.6825507158095765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x49000 | 0x1870 | 0x1a00 | False | 0.7219050480769231 | Targa image data - Mono 40976 x 40984 x 32 +40960 +40968 - top - four way interleave | 5.823151560099651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0x48960 | 0xe8 | data | English | United States | 0.5646551724137931
WEVT_TEMPLATE | 0x46c50 | 0x1d0a | data | English | United States | 0.2932472423997848
RT_MESSAGETABLE | 0x464f8 | 0x758 | data | English | United States | 0.31170212765957445
RT_VERSION | 0x46160 | 0x398 | OpenPGP Secret Key | English | United States | 0.4641304347826087
DLL | Import
ntoskrnl.exe | KeQueryInterruptTimePrecise, EtwActivityIdControl, ExCancelTimer, ExAllocateTimer, ExSetTimer, IoRegisterDeviceInterface, KeQuerySystemTimePrecise, IoSetDevicePropertyData, KeQueryUnbiasedInterruptTime, IoSetDeviceInterfacePropertyData, IoQueueWorkItemEx, EtwWriteTransfer, RtlRegisterFeatureConfigurationChangeNotification, IoCsqInsertIrp, IoCsqRemoveNextIrp, IoCsqInitialize, ZwOpenKey, RtlQueryFeatureConfiguration, DbgPrintEx, ZwClose, IoWMIRegistrationControl, ZwQueryValueKey, MmGetSystemRoutineAddress, RtlCopyUnicodeString, RtlInitUnicodeString, RtlAppendUnicodeToString, ExFreePool, IofCompleteRequest, IofCallDriver, KeCancelTimer, KeClearEvent, IoBuildDeviceIoControlRequest, KeInitializeTimer, IoInitializeRemoveLockEx, KeInitializeDpc, IoReleaseRemoveLockEx, IoAcquireRemoveLockEx, KeSetTimer, EtwSetInformation, KeWaitForSingleObject, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTag, IoFreeWorkItem, IoGetDeviceInterfaces, IoGetDeviceObjectPointer, ObfDereferenceObject, IoFreeIrp, IoSetCompletionRoutineEx, IoAllocateIrp, IoReleaseRemoveLockAndWaitEx, IoCancelIrp, IoReleaseCancelSpinLock, KeQueryTimeIncrement, RtlFreeAnsiString, RtlFreeUnicodeString, RtlUnicodeStringToAnsiString, RtlInitAnsiString, KseQueryDeviceFlags, MmIsDriverVerifyingByAddress, RtlQueryRegistryValuesEx, DbgkWerCaptureLiveKernelDump, KeSetEvent, KeReleaseSpinLock, KeInitializeSpinLock, KeAcquireSpinLockRaiseToDpc, IoAllocateWorkItem, RtlQueryFeatureConfigurationChangeStamp, RtlUnregisterFeatureConfigurationChangeNotification, EtwUnregister, EtwRegister, RtlAnsiCharToUnicodeChar, KeResetEvent, memcmp
HAL.DLL | KeQueryPerformanceCounter
ks.sys | KsGetNodeIdFromIrp, KsGetObjectFromFileObject, KsGenerateEvent, KsDefaultAddEventHandler, KsGetPinFromIrp, KsAddEvent, KsInitializeDriver, KsStreamPointerUnlock, KsCompletePendingRequest, KsStreamPointerAdvance, KsPinAcquireProcessingMutex, KsStreamPointerGetNextClone, KsStreamPointerClone, KsPinReleaseProcessingMutex, KsReleaseControl, KsPinGetFirstCloneStreamPointer, KsPinGetLeadingEdgeStreamPointer, KsStreamPointerSetStatusCode, KsStreamPointerAdvanceOffsets, KsGetFilterFromIrp, KsGetDevice, KsAcquireControl, KsStreamPointerDelete, KsGetDeviceForDeviceObject, KsFilterFactoryGetSymbolicLink, KsFilterFactoryUpdateCacheData, KsGetNextSibling, KsFreeObjectCreateItemsByContext, KsFreeObjectBag, KsAllocateObjectBag, KsPinGetParentFilter, _KsEdit, KsGetFirstChild, KsPinAttemptProcessing, KsFilterFactorySetDeviceClassesState, KsAcquireDevice, KsGenerateEvents, KsCreateFilterFactory, KsReleaseDevice, KsGetParent
btampm.sys | BtaMpmGetRemoteDeviceProfileVersionAndAttribute, BtaMpmUpdatePlayStatus, BtaMpmRegister, BtaMpmUnregister, BtaMpmUpdateSuspendStatus, BtaMpmUnregisterPnp, BtaMpmConnectionRequest, BtaMpmBuildIndirectStringFromMessageWithSingleUTF8Arg, BtaMpmRegisterPnp, BtaMpmUpdateConnectionStatus
WppRecorder.sys | imp_WppRecorderReplay, WppAutoLogStart, WppAutoLogTrace, WppAutoLogStop
SleepStudyHelper.sys | SleepstudyHelper_ComponentActive, SleepstudyHelper_UnregisterComponent, SleepstudyHelper_RegisterComponentEx, SleepstudyHelper_ComponentInactive, SleepstudyHelper_GenerateGuid, SleepstudyHelper_Uninitialize, SleepstudyHelper_Initialize, SleepstudyHelper_GetPdoFriendlyName
WDFLDR.SYS | WdfVersionUnbind, WdfVersionBind, WdfVersionUnbindClass, WdfVersionBindClass
ksecdd.sys | BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptOpenAlgorithmProvider, BCryptGetProperty, BCryptHashData, BCryptDestroyHash, BCryptCreateHash
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
No statistics
No system behavior
No disassembly