Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
MpKslDrv.sys

Overview

General Information

Sample name:MpKslDrv.sys
Analysis ID:1539453
MD5:5af325bda4568a1a07fee2195a80a188
SHA1:b235430bf74063ce512a3f2c95013f624dcabece
SHA256:3de271e51e33baf258096d572f1ffebf8714af26dbe18b3b4fa98c369c8ed6e1
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer. Details: object name not found

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • MpKslDrv.sys (PID: 4 cmdline: MD5: 5AF325BDA4568A1A07FEE2195A80A188)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\MpKslDrv.sys, NewProcessName: C:\Users\user\Desktop\MpKslDrv.sys, OriginalFileName: C:\Users\user\Desktop\MpKslDrv.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: MpKslDrv.sys

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: MpKslDrv.sysStatic PE information: certificate valid
Source: MpKslDrv.sysStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Source: Binary string: KSLD.pdb source: MpKslDrv.sys
Source: Binary string: KSLD.pdbGCTL source: MpKslDrv.sys
Source: MpKslDrv.sysStatic PE information: Number of sections : 12 > 10
Source: MpKslDrv.sysBinary or memory string: OriginalFilenameKSLD.sysZ vs MpKslDrv.sys
Source: unknownDriver loaded: C:\Users\user\Desktop\MpKslDrv.sys
Source: MpKslDrv.sysBinary string: MmCopyMemory\device\physicalmemoryeaxebxecxedxebpesiediespcsdsesfsgssscr0cr2cr3cr4gdtridtrldtrtrdeviceeflagspcountsysentrdebugramsize
Source: MpKslDrv.sysBinary string: \Device\
Source: MpKslDrv.sysBinary string: ExAllocatePool2PsSetCreateProcessNotifyRoutineExPsSetCreateThreadNotifyRoutinePsRemoveCreateThreadNotifyRoutinePsSetCreateThreadNotifyRoutineExPsSetLoadImageNotifyRoutinePsRemoveLoadImageNotifyRoutineAllocateMemoryFreeMemoryMmGetSystemAddressForMdlSafeExInitializeFastMutexSecureCopyMemoryRtlSecureZeroMemoryOsKeQueryTickCountKeAddTriageDumpDataBlockKeInitializeTriageDumpDataArrayKeRegisterBugCheckReasonCallbackKeDeregisterBugCheckReasonCallbackNULLtdt_driver_lib::init::<lambda_3e47ee2fe7a00d7756a7570045ff0aef>::operator ()IntelTDT\Device\tdt_driver_lib::deinit::<lambda_59245e7a8c50081ce16778cbffee7c1f>::operator ()tdt_driver_lib::create::<lambda_f3bbbed9ea470b55538e32f4c454438d>::operator ()tdt_driver_lib::destroy::<lambda_e8f44c811acb92ebebb571628ac2f24d>::operator ()
Source: classification engineClassification label: unknown2.winSYS@0/0@0/0
Source: MpKslDrv.sysStatic PE information: certificate valid
Source: initial sampleStatic PE information: Valid certificate with Microsoft Issuer
Source: MpKslDrv.sysStatic PE information: Image base 0x1c0000000 > 0x60000000
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MpKslDrv.sysStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Source: MpKslDrv.sysStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: KSLD.pdb source: MpKslDrv.sys
Source: Binary string: KSLD.pdbGCTL source: MpKslDrv.sys
Source: MpKslDrv.sysStatic PE information: section name: awesome
Source: MpKslDrv.sysStatic PE information: section name: fothk
Source: MpKslDrv.sysStatic PE information: section name: GFIDS

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
LSASS Driver		1
LSASS Driver		Direct Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1539453 Sample: MpKslDrv.sys Startdate: 22/10/2024 Architecture: WINDOWS Score: 2 4 MpKslDrv.sys 2->4         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
MpKslDrv.sys0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1539453
Start date and time:2024-10-22 17:50:03 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:1
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:MpKslDrv.sys
Detection:UNKNOWN
Classification:unknown2.winSYS@0/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • Unable to launch sample, stop analysis
  • Corrupt sample or wrongly selected analyzer. Details: object name not found
  • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
  • VT rate limit hit for: MpKslDrv.sys

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):6.355528043732646
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:MpKslDrv.sys
File size:267'552 bytes
MD5:5af325bda4568a1a07fee2195a80a188
SHA1:b235430bf74063ce512a3f2c95013f624dcabece
SHA256:3de271e51e33baf258096d572f1ffebf8714af26dbe18b3b4fa98c369c8ed6e1
SHA512:0b310e9006954312fad190936bbb9de8087bfe3d4b1c7d14e74f162ab74d5ddabe8680e5c957cab4d958b4e6e6c1f70853859a6b7c182284d6e5c176faad4e88
SSDEEP:6144:rVI2G1F5fcbxfVhpQoflvsuaCmGckx+3cI6N9nQWUjtLOfp:rVfG1F51SvbIkxdlnQWUjg
TLSH:B7444C5AA2E42CB4E473D27A8E824116DBB27C452B72A6CF217085159F13BF9F63433D
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.qp.|.#.|.#.|.#.|.#U|.#U..".|.#.|.#.|.#U..".|.#U..".|.#...".|.#..."Q|.#...#.|.#...".|.#Rich.|.#........................PE..d..

File Icon

Icon Hash:7ae282899bbab082

Static PE Info

General

Entrypoint:0x1c000a9f0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x1c0000000
Subsystem:native
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Time Stamp:0x3B7868C2 [Mon Aug 13 23:54:42 2001 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:47c2c1fecaaa006a163303dc25367b58

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 16/11/2023 20:20:09 14/11/2024 20:20:09
Subject Chain
  • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:9B7554FFA2D97FE692CB10D7B2E315A7
Thumbprint SHA-1:D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
Thumbprint SHA-256:2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
Serial:3300000460CF42A912315F6FB3000000000460
Instruction
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007F54814D0EF0h
dec eax
mov edx, ebx
dec eax
mov ecx, edi
call 00007F548149B901h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 50h
xor ebp, ebp
dec eax
mov esi, edx
dec eax
mov edi, ecx
dec eax
test ecx, ecx
jne 00007F548149B8FCh
call 00007F54814D0EDEh
jmp 00007F548149BA00h
dec eax
lea eax, dword ptr [0002F7EDh]
mov dword ptr [0002F713h], 02080000h
dec esp
lea esi, dword ptr [0002F70Ch]
dec eax
mov dword ptr [0002F70Dh], eax
dec ecx
mov ecx, esi
dec eax
call dword ptr [00033753h]
nop dword ptr [eax+eax+00h]
dec esp
lea ecx, dword ptr [0002F7B7h]
dec ecx
mov edx, esi
dec esp
lea eax, dword ptr [0002F585h]
dec eax
mov ecx, edi
dec eax
call dword ptr [0003356Bh]
nop dword ptr [eax+eax+00h]
test eax, eax
js 00007F548149B9ABh
call 00007F548149BA1Eh
mov ebx, eax
test eax, eax
js 00007F548149B995h
call 00007F548149BB93h
mov ebx, eax
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x3e2b80x50.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x420000x3e0.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x3c0000x1f20.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x3f0000x2520
IMAGE_DIRECTORY_ENTRY_BASERELOC0x430000x3b8.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x37f900x70.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x31e300x140.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x3e0000x288.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x2de440x2e000e9bf49a099c1175cbe60f872da8c4319False0.4811958644701087data6.286647718676233IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
awesome0x2f0000x90x400c363904fe9d58db8248ba67ac8c51579False0.0244140625data0.09660842553356772IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
fothk0x300000x10000x100073f047e06c58a0b23ead648bad5687f8False0.008544921875ISO-8859 text, with very long lines (4096), with no line terminators0.015431902015625621IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x310000x899c0x8c00b2eaaa01da0f9fec460bda8ddf106b20False0.3313616071428571data5.213858006560692IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data0x3a0000x10900x40038c8248f04ecb16e9fff1050dd493fddFalse0.0712890625data0.4360050457734771IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x3c0000x1f200x20008c72051d6ab291f7367c74d1c3dae828False0.4813232421875data5.2443282459052IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.idata0x3e0000xc660x10002bfa27e7dd8206d326c7b085b3a2ebf4False0.303955078125data4.0523990684818605IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
PAGE0x3f0000x5540x8001c01050371be6e7eca52c6419cc62286False0.48779296875zlib compressed data4.707595225290509IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
INIT0x400000xa350xc00002f0afe6d60e33519e23d53a448e625False0.5218098958333334data5.529926022013773IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
GFIDS0x410000x49c0x800a722d224b81325e3e66906ff21fde1a3False0.33251953125data3.0768628896620207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc0x420000x3e00x400897df342734287bf708c13be072ca39aFalse0.443359375data3.346534142921545IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc0x430000x15840x1800df3a9b87c1d7e28f90531c5ec422d204False0.7501627604166666data6.201021371040608IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x420600x37cdataEnglishUnited States0.4674887892376682
DLLImport
ntoskrnl.exeZwClose, ZwOpenProcess, KeInsertQueueDpc, ZwQuerySystemInformation, ZwOpenSection, ZwUnmapViewOfSection, KeGetCurrentIrql, KeInitializeDpc, KeStackAttachProcess, KeInitializeSemaphore, ZwMapViewOfSection, KeLowerIrql, KeReleaseSemaphore, KeSetTargetProcessorDpc, KeQueryActiveProcessors, KfRaiseIrql, KeWaitForSingleObject, KeUnstackDetachProcess, ZwFsControlFile, ObReferenceObjectByHandle, ZwReadFile, RtlAppendUnicodeToString, IoFreeIrp, IoGetRelatedDeviceObject, MmBuildMdlForNonPagedPool, IoAllocateMdl, RtlQueryRegistryValues, IoBuildAsynchronousFsdRequest, RtlPrefixUnicodeString, ZwDeleteFile, KeSetEvent, IoFreeMdl, IoCreateFileSpecifyDeviceObjectHint, IofCallDriver, KeInitializeEvent, ZwQueryInformationFile, __C_specific_handler, MmMapIoSpace, MmUnmapIoSpace, _purecall, PsGetCurrentProcessId, PsProcessType, ObfDereferenceObject, RtlAppendUnicodeStringToString, RtlCompareUnicodeString, DbgPrintEx, RtlCopyUnicodeString, ExAllocatePoolWithTag, RtlEqualUnicodeString, ZwDeleteKey, ZwQueryValueKey, ZwOpenKey, ExDeleteResourceLite, KeEnterCriticalRegion, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, ExInitializeResourceLite, KeLeaveCriticalRegion, ZwQueryInformationProcess, MmMapLockedPagesSpecifyCache, MmIsAddressValid, HalDispatchTable, RtlFreeUnicodeString, IoWMIRegistrationControl, MmGetSystemRoutineAddress, RtlGetVersion, RtlInitUnicodeString, IoFileObjectType, ExFreePoolWithTag
WppRecorder.sysWppAutoLogTrace, WppAutoLogStart, imp_WppRecorderGetTriageInfo, WppAutoLogStop
WDFLDR.SYSWdfVersionBind, WdfLdrQueryInterface, WdfVersionUnbind, WdfVersionUnbindClass, WdfVersionBindClass

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

012345s020406080100

Click to jump to process

Memory Usage

012345sMB

Click to jump to process

System Behavior

General

Target ID:0
Start time:11:50:55
Start date:22/10/2024
Path:C:\Users\user\Desktop\MpKslDrv.sys
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff7b4ee0000
File size:267'552 bytes
MD5 hash:5AF325BDA4568A1A07FEE2195A80A188
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Disassembly

No disassembly