Verdict Malicious
Classifications Spyware
Threat Names Mal/Generic-S

Remarks

(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 minutes, 58 seconds" to "178.0 milliseconds" to reveal dormant functionality.

(0x0200000D): In the case of standalone driver analysis, the Verdict does not take into account kernel mode function calls.

(0x0200005D): 2357 additional dumps with the reason "Content Changed" and a total of 6054 MB were skipped because the respective maximum limit was reached.

Files

File Name | Category | Type | Verdict

C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys | Sample File | Binary | malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 3.68 MB
MD5 5d9226231d68632b2354bf0745e81f18
SHA1 21965297b48fb8244bc72bf9648ef1b3da1694df
SHA256 809be97b5f4f9689795bb34b3d026d453399314ba57c4af7c9ae18e6d051a4b3
SSDeep 98304:gRS8hHaUdzHNkdjwQP84kD1uE1LS/X77Wi7KPmKg:g6qzHNkdjzPXkxu4uT7HV
ImpHash cfdf16514a98edfc3b144bb905b09f55
File Reputation Information

Verdict malicious
Names Mal/Generic-S
PE Information

Image Base 0x140000000
Entry Point 0x140539369 (inside the .vmp1 section, see the section table below)
Size Of Code 0x1e200
Size Of Initialized Data 0x28fe00
File Type executable
Subsystem native (kernel-mode driver)
Machine Type amd64
Compile Timestamp 2022-03-28 07:44:45+00:00
Sections (9)

Flags are IMAGE_SCN_* characteristics with the prefix omitted. Seven of the nine sections have a raw data size of 0 and entropy 0.0: they exist only in memory and are populated at runtime by the VMProtect stub (.vmp0 and .vmp1 are VMProtect's section names). All on-disk content sits in .vmp1 (entropy 7.83) and .reloc.

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x140001000 | 0x1cef0 | 0x0 | 0x0 | CNT_CODE, MEM_NOT_PAGED, MEM_EXECUTE, MEM_READ | 0.0
.rdata | 0x14001e000 | 0x3afc | 0x0 | 0x0 | CNT_INITIALIZED_DATA, MEM_NOT_PAGED, MEM_READ | 0.0
.data | 0x140022000 | 0x28a2d8 | 0x0 | 0x0 | CNT_INITIALIZED_DATA, MEM_NOT_PAGED, MEM_READ, MEM_WRITE | 0.0
.pdata | 0x1402ad000 | 0x1a40 | 0x0 | 0x0 | CNT_INITIALIZED_DATA, MEM_NOT_PAGED, MEM_READ | 0.0
PAGE | 0x1402af000 | 0x1a3 | 0x0 | 0x0 | CNT_CODE, MEM_EXECUTE, MEM_READ | 0.0
INIT | 0x1402b0000 | 0xf96 | 0x0 | 0x0 | CNT_CODE, MEM_EXECUTE, MEM_READ, MEM_WRITE | 0.0
.vmp0 | 0x1402b1000 | 0x16cbfd | 0x0 | 0x0 | CNT_CODE, CNT_INITIALIZED_DATA, MEM_NOT_PAGED, MEM_EXECUTE, MEM_READ | 0.0
.vmp1 | 0x14041e000 | 0x3ad824 | 0x3ada00 | 0x400 | CNT_CODE, CNT_INITIALIZED_DATA, MEM_NOT_PAGED, MEM_EXECUTE, MEM_READ | 7.83
.reloc | 0x1407cc000 | 0xa8 | 0x200 | 0x3ade00 | CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ | 1.59
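The section table is the most informative static artefact in this report. Seven of nine sections have a virtual size but no raw data, the only populated code section is .vmp1 with near-maximal entropy, and the entry point 0x140539369 resolves into it. Disassembling .text on disk therefore shows nothing; the real driver only exists after the VMProtect stub has run in memory. That matters here because remark 0x0200000D says the verdict does not score kernel-mode calls, so the malicious verdict cannot rest on observed driver behaviour; reputation (Mal/Generic-S) and static features like these carry it. The Python below is an added example and not VMRay's code: it builds a synthetic PE32+ image whose headers copy the report's values (constructed input; the .vmp1 bytes are random filler, so its entropy comes out near 8.0 rather than the report's 7.83), parses the headers with the standard library alone, and runs the checks an analyst would run on the real file. Section characteristics are encoded from the flags column using the PE specification's bit values.

```python
"""Static triage of a PE section table, modelled on the Iru.sys report.

Added example, not VMRay's code. build_synthetic_driver() returns constructed input
(headers copied from the report; .vmp1 is random filler in place of the real VMProtect
blob), parse_pe() reads the headers with struct only, triage() flags the packer signs.
"""
import math
import os
import struct
from datetime import datetime, timezone

IMAGE_SUBSYSTEM_NATIVE = 1
VMPROTECT_SECTION_NAMES = {".vmp0", ".vmp1", ".vmp2"}   # section names VMProtect emits

# (name, RVA, virtual size, raw size, characteristics) copied from the report's section table.
REPORT_SECTIONS = [
    (b".text",  0x001000, 0x01CEF0, 0x000000, 0x68000020),
    (b".rdata", 0x01E000, 0x003AFC, 0x000000, 0x48000040),
    (b".data",  0x022000, 0x28A2D8, 0x000000, 0xC8000040),
    (b".pdata", 0x2AD000, 0x001A40, 0x000000, 0x48000040),
    (b"PAGE",   0x2AF000, 0x0001A3, 0x000000, 0x60000020),
    (b"INIT",   0x2B0000, 0x000F96, 0x000000, 0xE0000020),
    (b".vmp0",  0x2B1000, 0x16CBFD, 0x000000, 0x68000060),
    (b".vmp1",  0x41E000, 0x3AD824, 0x3ADA00, 0x68000060),
    (b".reloc", 0x7CC000, 0x0000A8, 0x000200, 0x42000040),
]


def build_synthetic_driver() -> bytes:
    """Constructed input: DOS stub and headers in the first 0x400 bytes, section raw data after."""
    image = bytearray(0x400)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                    # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    tstamp = int(datetime(2022, 3, 28, 7, 44, 45, tzinfo=timezone.utc).timestamp())
    # COFF header: AMD64, section count, TimeDateStamp, no symbols, PE32+ optional header (0xF0)
    struct.pack_into("<HHIIIHH", image, 0x44, 0x8664, len(REPORT_SECTIONS), tstamp, 0, 0, 0xF0, 0x22)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", image, opt + 16, 0x539369)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", image, opt + 24, 0x140000000)         # ImageBase
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)      # section / file alignment
    struct.pack_into("<H", image, opt + 68, IMAGE_SUBSYSTEM_NATIVE)
    body = bytearray()
    for i, (name, va, vsize, rawsize, chars) in enumerate(REPORT_SECTIONS):
        rawptr = 0x400 + len(body) if rawsize else 0
        body += os.urandom(rawsize) if name == b".vmp1" else bytes(rawsize)
        struct.pack_into("<8sIIIIIIHHI", image, opt + 0xF0 + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return bytes(image) + bytes(body)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for an empty buffer, which is what the report prints for raw-size-0 sections."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = (buf.count(bytes([b])) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32+ optional-header fields needed here, and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {
        "machine": machine,
        "compile_time_utc": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<Q", data, opt + 24)[0],
        "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
        "sections": sections,
    }


def triage(pe: dict) -> dict:
    """Packer indicators visible from the headers alone."""
    secs, ep = pe["sections"], pe["entry_rva"]
    owner = [s["name"] for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])]
    return {
        "native_subsystem": pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE,  # kernel-mode driver
        "compile_time_utc": pe["compile_time_utc"],                      # a field the builder controls
        "entry_section": owner[0] if owner else None,
        # Virtual size but no raw bytes: the unpacker fills these at load time, so on-disk .text is empty.
        "empty_sections": [s["name"] for s in secs if s["vsize"] and s["rawsize"] == 0],
        "high_entropy_sections": [s["name"] for s in secs if s["entropy"] > 7.5],
        "vmprotect_sections": [s["name"] for s in secs if s["name"] in VMPROTECT_SECTION_NAMES],
    }


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_synthetic_driver())).items():
        print(f"{key:24} {value}")
```

Pointing parse_pe() at the real sample instead of the synthetic image is a matter of reading the file's bytes; the triage output should then match the table above (entry point in .vmp1, seven empty sections, .vmp1 the only high-entropy section). The practical consequence is that static import or string analysis of this file is only meaningful on a memory dump taken after the driver has unpacked itself.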
Imports (5 import descriptors; ntoskrnl.exe appears twice. The IAT addresses below lie inside the .vmp1 section, 0x14041e000 to 0x1407cb824)

ntoskrnl.exe (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
IofCallDriver | - | 0x14064e000 | 0x53e930 | 0x120d30 | 0x0

TDI.SYS (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
TdiMapUserRequest | - | 0x14064e010 | 0x53e940 | 0x120d40 | 0x0

FLTMGR.SYS (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
FltParseFileNameInformation | - | 0x14064e020 | 0x53e950 | 0x120d50 | 0x0

ntoskrnl.exe (12)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
ExAllocatePool | - | 0x14064e030 | 0x53e960 | 0x120d60 | 0x0
NtQuerySystemInformation | - | 0x14064e038 | 0x53e968 | 0x120d68 | 0x0
ExFreePoolWithTag | - | 0x14064e040 | 0x53e970 | 0x120d70 | 0x0
IoAllocateMdl | - | 0x14064e048 | 0x53e978 | 0x120d78 | 0x0
MmProbeAndLockPages | - | 0x14064e050 | 0x53e980 | 0x120d80 | 0x0
MmMapLockedPagesSpecifyCache | - | 0x14064e058 | 0x53e988 | 0x120d88 | 0x0
MmUnlockPages | - | 0x14064e060 | 0x53e990 | 0x120d90 | 0x0
IoFreeMdl | - | 0x14064e068 | 0x53e998 | 0x120d98 | 0x0
KeQueryActiveProcessors | - | 0x14064e070 | 0x53e9a0 | 0x120da0 | 0x0
KeSetSystemAffinityThread | - | 0x14064e078 | 0x53e9a8 | 0x120da8 | 0x0
KeRevertToUserAffinityThread | - | 0x14064e080 | 0x53e9b0 | 0x120db0 | 0x0
DbgPrint | - | 0x14064e088 | 0x53e9b8 | 0x120db8 | 0x0

HAL.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
KeQueryPerformanceCounter | - | 0x14064e098 | 0x53e9c8 | 0x120dc8 | 0x0
Digital Signature Information

Verification Status Valid

Validity times below are converted to UTC from the report's local-time display. The original report labels each certificate's subject as "Issued by"; the actual issuer is the listed parent certificate. Both the signing certificate (INTSI LTD) and the top certificate of the chain had expired before the PE compile timestamp of 2022-03-28, and no timestamp countersignature is listed.

Certificate: INTSI LTD

Subject INTSI LTD
Issuer (Parent Certificate) thawte SHA256 Code Signing CA
Country Name GB
Valid From 2020-04-20 00:00 UTC
Valid Until 2021-07-20 23:59 UTC
Algorithm sha256_rsa
Serial Number 2F 7C 35 C7 28 EE 56 4C 0F F9 F0 D2 02 CB 66 29
Thumbprint D7 21 0A CB 7A 8C DC B6 10 D3 48 8B F9 8A FE 70 08 B6 17 62

Certificate: thawte SHA256 Code Signing CA

Subject thawte SHA256 Code Signing CA
Issuer (Parent Certificate) thawte Primary Root CA
Country Name US
Valid From 2013-12-10 00:00 UTC
Valid Until 2023-12-09 23:59 UTC
Algorithm sha256_rsa
Serial Number 71 A0 B7 36 95 DD B1 AF C2 3B 2B 9A 18 EE 54 CB
Thumbprint D0 0C FD BF 46 C9 8A 83 8B C1 0D C4 E0 97 AE 01 52 C4 61 BC

Certificate: thawte Primary Root CA

Subject thawte Primary Root CA
Issuer (Parent Certificate) not listed; presented as the top of the chain
Country Name US
Valid From 2011-02-22 19:31 UTC
Valid Until 2021-02-22 19:41 UTC
Algorithm sha1_rsa
Serial Number 61 1F B0 A4 00 00 00 00 00 1D
Thumbprint 55 38 E9 FE C1 40 30 B7 40 15 23 49 E1 15 A1 16 5D 29 07 4A
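The chain dates above tell a story the single word "Valid" hides: the INTSI LTD certificate expired on 2021-07-20 and the top certificate on 2021-02-22, both before the PE compile timestamp (2022-03-28), and no timestamp countersignature is listed. "Valid" can therefore only mean that the signature matches the certificate, not that the chain is trusted today; and the compile timestamp is written by whoever built the file, so it proves nothing about when signing happened. The Python below is an added example and not VMRay's code. It models only what the report shows (the three validity periods in UTC, their subject/issuer linkage, and the compile timestamp) and applies the Authenticode rule of thumb that an expired chain is acceptable only if a trusted timestamp countersignature fixes the signing time inside the chain's validity window. It does not verify signatures, check revocation, or model Windows' kernel-mode code-signing policy, which decides separately whether the driver loads.

```python
"""Validity-window check of the report's signing chain against the claimed build time.

Added example, not VMRay's code. The certificate data is the report's (times converted
to UTC); the verification logic is a simplified model that checks linkage and validity
periods only, not signatures, revocation or Windows driver-signing policy.
"""
from datetime import datetime, timezone


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Leaf first. 'subject' is what the report labels "Issued by"; 'issuer' is its "Parent Certificate".
# The top certificate is taken as the trust anchor the report presents; its own issuer is not shown.
REPORT_CHAIN = [
    {"subject": "INTSI LTD", "issuer": "thawte SHA256 Code Signing CA",
     "not_before": utc("2020-04-20 00:00"), "not_after": utc("2021-07-20 23:59")},
    {"subject": "thawte SHA256 Code Signing CA", "issuer": "thawte Primary Root CA",
     "not_before": utc("2013-12-10 00:00"), "not_after": utc("2023-12-09 23:59")},
    {"subject": "thawte Primary Root CA", "issuer": None,
     "not_before": utc("2011-02-22 19:31"), "not_after": utc("2021-02-22 19:41")},
]
COMPILE_TIME = utc("2022-03-28 07:44")   # PE TimeDateStamp from the report; builder-controlled


def chain_is_linked(chain: list) -> bool:
    """Every certificate below the anchor must name the next one as its issuer."""
    return all(chain[i]["issuer"] == chain[i + 1]["subject"] for i in range(len(chain) - 1))


def signing_window(chain: list) -> tuple:
    """The only interval in which every certificate in the chain was simultaneously valid."""
    return max(c["not_before"] for c in chain), min(c["not_after"] for c in chain)


def invalid_at(chain: list, when: datetime) -> list:
    """Subjects whose validity period does not cover 'when'."""
    return [c["subject"] for c in chain if not (c["not_before"] <= when <= c["not_after"])]


def assess(chain: list, verify_at: datetime, trusted_timestamp=None) -> dict:
    """Accept if the chain is linked and valid at verification time, or, failing that,
    valid at a time proven by a trusted timestamp countersignature. The report lists no
    countersignature, so trusted_timestamp defaults to None."""
    start, end = signing_window(chain)
    valid_now = not invalid_at(chain, verify_at)
    valid_at_ts = trusted_timestamp is not None and not invalid_at(chain, trusted_timestamp)
    return {
        "linked": chain_is_linked(chain),
        "window_utc": (start.strftime("%Y-%m-%d %H:%M"), end.strftime("%Y-%m-%d %H:%M")),
        "expired_at_verify_time": invalid_at(chain, verify_at),
        "accept": chain_is_linked(chain) and (valid_now or valid_at_ts),
    }


if __name__ == "__main__":
    # Use the (untrusted) compile timestamp as the earliest plausible signing time.
    for key, value in assess(REPORT_CHAIN, COMPILE_TIME).items():
        print(f"{key:24} {value}")
```

Run on the report's values, assess() reports that the only interval in which all three certificates were simultaneously valid ended on 2021-02-22 19:41 UTC, that at the claimed build time the leaf and the top certificate were already expired, and that the chain is not acceptable as shown. Supplying a trusted_timestamp inside that window is the one thing that would change the outcome, which is exactly what to look for (a countersignature, and who issued it) before treating a sandbox "Valid" as evidence of legitimacy.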
c:\windows\system32\sru\sru.chk | Modified File | Stream | clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 2e323d8881c6215b4b44fe29332bdcfc
SHA1 4bc4c30842f5fcee28511b1556bbc07beabb9887
SHA256 ccb302286bc06028d9457f9f15e9f4cb923fc794c77c545ff5da1eeae076117c
SSDeep 6:C2eh9hdQmA33zZ28PJrn+SkSJkJu9G2eh9hdQmA33zZ28PJrn+SkSJkJu9:Cl/vQr33Iq+fuUl/vQr33Iq+fu
ImpHash -

c:\users\rdhj0cnfevzx\appdata\local\comms\unistoredb\uss.chk | Modified File | Stream | clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 f8cd470b5720d1157bc4676f7be34f3a
SHA1 c72ba69b346144961b8b460772087e8244d69110
SHA256 2cf778a3769939c06fba48b876ec856b690f55b0da9ad531f2616868e6df19e0
SSDeep 24:Xvo3Dc3DkgLI9//ACkeDf0vo3Dc3DkgLI9//ACkeDf:Xg3Dc3DlKACkKf0g3Dc3DlKACkKf
ImpHash -

C:\Windows\TEMP\DiagTrack_ate/SSL/cert.db | Dropped File | Unknown | clean
(zero-length file; the hashes below are those of empty input)
MIME Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\webcache\webcachev01.dat | Dropped File | Unknown | clean
MIME Type application/x-ms-ese
File Size 10.00 MB
MD5 1818f541083027aeeb79e8b92142a941
SHA1 a604ccaf416b5a58a5ff404af4e72ffc551c3177
SHA256 d5865656c0c164bf4a56c7726b3591976baa94d85d26d712a48c04fd17e3f9ec
SSDeep 6144:wD3RhLMYqCojW757h57mAZA/j9Ppblr72Sfr1ludU0GDO:2Uplb72VKD
ImpHash -

c:\windows\system32\sru\srudb.dat | Dropped File | Unknown | clean
MIME Type application/x-ms-ese
File Size 960.00 KB
MD5 ab5b882f8ba6b672ff2d322872c2583b
SHA1 1b11a3461c29e7bad7af9a67c0b75f8f28571ad5
SHA256 1cefdf3b6547fc4ddccebc1fb70c4a4a198a750ba204503e530c6c41586255f6
SSDeep 3072:O6OlJGc6JJ0RRdnCPnC6F27ZPv6BIrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr0:RezQMjq3N
ImpHash -

c:\windows\system32\winevt\logs\system.evtx | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 1.07 MB
MD5 4bedd1a32254632c4857a0637effd66c
SHA1 f1ca4c8a5b1c3c46ab3e9491a2c8334dfdddb03c
SHA256 43f602f94727545f23572c466cc878189dede3c96877d096080f96c8448c48c4
SSDeep 1536:dGSM4AN05NTA4Odx0TfhALdp8PFkGMH7bfl1QW3uVfKpePhum+eh5OZLfWl+tEvW:QNIBteP+RKpairEv3IE
ImpHash -

c:\users\rdhj0cnfevzx\appdata\local\comms\unistoredb\uss.log | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 3.00 MB
MD5 44c41868dc99355b6514f2f7531ef9f8
SHA1 41a1a65de10585a60a76580001c38df060d0610c
SHA256 4e23126fa9780309af6efd04c551fc12e8231d1a37e4dd02710bb665c20e1762
SSDeep 6144:ZfhPzVK+52QBUVCW66rbDjn4GLcfzO6DOshruxdnIy95VEmbVBwKtd2zEFVTZgSG:nPbkc9VroRfIUi
ImpHash -

C:\Windows\System32\spp\store\2.0\data.dat.tmp | Dropped File | Stream | clean
Also Known As C:\Windows\System32\spp\store\2.0\data.dat.bak (Dropped File)
Also Known As C:\Windows\System32\spp\store\2.0\data.dat (Dropped File)
MIME Type application/octet-stream
File Size 20.89 KB
MD5 9263301684327315713b7bb010ff5eb5
SHA1 238f17db53d5c22a3ad9a77cc6036478bc4efd26
SHA256 31e9e35e69a5b6ac384f3062be2c9db644946165adff70499bead556b87c0845
SSDeep 384:W9vyr7pcTmM4iO25obV/DK8y4FgrkS4D8nJP1COXvor0roJaRqoxrFT/HU0iS:W9vQpQmM7XAVkF4gR0OQr4okqof/z1
ImpHash -

c:\windows\system32\winevt\logs\microsoft-windows-audio%4playbackmanager.evtx | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 662b0781c314d06fbff4b736780352d0
SHA1 f4d7c85b3234b04bb33c5b874beec7ae581b180e
SHA256 e451382156ac1702832a35e1d332363f97765328786b6a0b63336a66166e90e3
SSDeep 384:68htpE2pIsJv3p3QpR2pJpHpxpppcp5p+pxdp8pzpDpvpgpipJptplp7p0pVp4pJ:68qCv1QSt
ImpHash -

c:\windows\softwaredistribution\datastore\logs\edb.log | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 1.25 MB
MD5 f289409fd484a86e8a0f02d8f6d4d1ec
SHA1 6c4010f4c115af83f6f4f7ed40051e3142fae469
SHA256 35c9fcf4d6535fc9509e530210d97a4b239c7d7761a44bcdde0e20ac50e48a62
SSDeep 48:BGeuAKWu+7u5r+71IG2Qxu+7EOZzZr+7RkWgW:TuAKJRfG2Qoj4zFJWgW
ImpHash -

c:\windows\softwaredistribution\datastore\datastore.edb | Dropped File | Unknown | clean
MIME Type application/x-ms-ese
File Size 10.00 MB
MD5 960437e22f8c8ea8a675a01c81e49cc9
SHA1 efc584b2d9d0dcd4ec41f6a8e48f93b3c9961eb1
SHA256 251a686044d9099831f86fe5a381e2945246f76c9e74d28b2d5b7088f3c7e48a
SSDeep 49152:I24tsh4CRitH1CyHrIq4BXEcpd87wvuNrlFpnzVe7xpz6HiXASW4u3BlTcvDQL1Y:I24ts9xQccCFhd5q+P9
ImpHash -

c:\windows\system32\winevt\logs\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 60b7dda8b13170d46ad8b2e0fc61dc44
SHA1 dceabcb25ab208cf676bb824911ef7cc464dd08c
SHA256 2e3425cda336aada8e9e9382022cf462d0fe0db6883873e297aebbf342b1dbfa
SSDeep 384:Th6jjjXj2jajfjhjCjFjDjzjYjfj6majhjpjijJjK:Tp
ImpHash -

c:\windows\system32\winevt\logs\microsoft-windows-bits-client%4operational.evtx | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 5a8c541979e1e270d03ab8e5b6cfebee
SHA1 8f4dd0687f8cd5e7967a758e3133d4606d0e7db7
SHA256 80c525a7cb3d31b61215a6e124b62c5099e4e561e3e0f74f59c5244e0918ddee
SSDeep 1536:N2j2y2AVTcf20DlhaRsatBGFBV/AbJ3aqaM1KsOBWfr:NgJ2AVM20cBGFWFzzOBWf
ImpHash -

c:\users\rdhj0cnfevzx\appdata\local\comms\unistoredb\store.vol | Dropped File | Unknown | clean
MIME Type application/x-ms-ese
File Size 6.00 MB
MD5 41676c311d0e559da4ba608ac93828b4
SHA1 19dcd078a2faa62ded4394b19aa6299bfd77f3a7
SHA256 e63500491fe9eb8fda323b1dc3ba21a1910175674eb9eae8c03dcb27bc83d3ba
SSDeep 6144:NFE6cfuKK4O0BPyCBPoutq+f58GRMv1R:NF9KK07qt
ImpHash -

c:\windows\system32\sru\sru.chk | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 b5fca18af579bfef50cdc54cad04b5ac
SHA1 ef8edd37ed251b764c93da173d794e538312c620
SHA256 f6c81da455e524b8275ba656db611ebea4f97c311118243314c83bf17a332a0c
SSDeep 6:CIeeh9hdQmAXazZ28PJrn+SkSJkJu9GIeeh9hdQmAXazZ28PJrn+SkSJkJu9:CC/vQrKIq+fuUC/vQrKIq+fu
ImpHash -

c:\windows\system32\sru\srudb.dat | Dropped File | Unknown | clean
MIME Type application/x-ms-ese
File Size 960.00 KB
MD5 35686fef210220d2cd3bd367ff2da637
SHA1 9c1452d362bab17565104628838627c3f1f1f52a
SHA256 17fefea88d02bf6ae790d62f81699d51e868a754bc6af3f7b8bb28738efb7371
SSDeep 3072:26OlJGc6JJ0RRdnCPnC6F27ZPv6BIrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr0:ZezQMjq3N
ImpHash -

c:\windows\system32\sru\sru.chk | Dropped File | Stream | clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 7d5bf5b9f1766fc3f53db2bfcdbc084e
SHA1 c225876b2912163fdea16099e397167f2bd503e4
SHA256 dbb0b1587fe9767391d77958a6589f8405b6b2ef625b0fd3af412baaa870b8c4
SSDeep 6:Cheh9hdQmAy28PJrn+SkSJkJu9Gheh9hdQmAy28PJrn+SkSJkJu9:C0/vQrLq+fuU0/vQrLq+fu
ImpHash -