Windows Analysis Report: iqvw64e.sys
Overview
General Information
Field | Value |
---|---|
Sample Name | iqvw64e.sys |
Analysis ID | 1306846 |
MD5 | 69ba501a268f09f694ff0e8e208aa20e |
SHA1 | 3d6d53b0f1cc908b898610227b9f1b9352137aba |
SHA256 | 37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9 |
Detection
Field | Value |
---|---|
Score | 0 |
Range | 0 - 100 |
Whitelisted | true |
Confidence | 100% |
Signatures
Classification
There are no malicious signatures.
Signature sources listed in the report (signature details not preserved): Static PE information, Binary string, String found in binary or memory, Binary or memory string, Classification label.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | ReversingLabs | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | high |
Field | Value |
---|---|
Joe Sandbox Version | 38.0.0 Beryl |
Analysis ID | 1306846 |
Start date and time | 2023-09-10 14:29:40 +02:00 |
Joe Sandbox Product | CloudBasic |
Overall analysis duration | 0h 3m 2s |
Hypervisor based Inspection enabled | false |
Report type | full |
Cookbook file name | default.jbs |
Analysis system description | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Run name | Potential for more IOCs and behavior |
Number of new started processes analysed | 5 |
Number of new started drivers analysed | 0 |
Number of existing processes analysed | 0 |
Number of existing drivers analysed | 0 |
Number of injected processes analysed | 0 |
Technologies | |
Analysis Mode | default |
Analysis stop reason | Timeout |
Sample file name | iqvw64e.sys |
Detection | CLEAN |
Classification | clean0.winSYS@0/0@0/0 |

Cookbook Comments:

- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: unsuccessful
- Exclude process from analysis (whitelisted): RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): spclient.wg.spotify.com
- VT rate limit hit for: iqvw64e.sys
Field | Value |
---|---|
File type | |
Entropy (8bit) | 6.708883492157136 |
TrID | |
File name | iqvw64e.sys |
File size | 58'520 bytes |
MD5 | 69ba501a268f09f694ff0e8e208aa20e |
SHA1 | 3d6d53b0f1cc908b898610227b9f1b9352137aba |
SHA256 | 37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9 |
SHA512 | 7f008b488ef08852734cadb5fa029d1bd8880bc48932b04ef77169a481c75281f3367781e2032dec4bae814d0471a47b1e7ffc92c4de22e485650e9b23abea2b |
SSDEEP | 768:Vk+Hbvpb0ETH4VbN31IYJ4cTWC8K0EI2f2MbD5aCFxCVDOXCoPM4iI:VkyL2h+ShfbACFsaSoPM4i |
TLSH | 3D434BC2826C6085D7A7D4B982F99A53DAF175581720D3CF3274C22E1A53BE8BA3C394 |
File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.a....Q...Q...Q...QR..QfttQ...QftrQ...QftbQ...Q..QQ...QftwQ...QRich...Q................PE..d...Pq.[.........."......r....\.... |
Icon Hash | 7ae282899bbab082 |

Field | Value |
---|---|
Entrypoint | 0x5e5250 |
Entrypoint Section | INIT |
Digitally signed | true |
Imagebase | 0x10000 |
Subsystem | native |
Image File Characteristics | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics | |
Time Stamp | 0x5B9F7150 [Mon Sep 17 09:18:08 2018 UTC] |
TLS Callbacks | |
CLR (.Net) Version | |
OS Version Major | 5 |
OS Version Minor | 2 |
File Version Major | 5 |
File Version Minor | 2 |
Subsystem Version Major | 5 |
Subsystem Version Minor | 2 |
Import Hash | 2cf48a541dc193e91bb2a831adcf278e |
Signature Valid | true |
Signature Issuer | CN=Intel External Issuing CA 7B, O=Intel Corporation, L=Santa Clara, S=CA, C=US |
Signature Validation Error | The operation completed successfully |
Error Number | 0 |

Field | Value |
---|---|
Not Before, Not After | |
Subject Chain | |
Version | 3 |
Thumbprint MD5 | CDEDC1FB5C02178B5916669E1D287C85 |
Thumbprint SHA-1 | CFED925A397EBE3072F8C907B246E841258FB16C |
Thumbprint SHA-256 | 58A0E389CF0DB61E1DE1B318E77C0D6266EEF5AD12917E363512C5FBD09BC987 |
Serial | 560000077B478C76C9AFCAFCAF00000000077B |
Instruction |
---|
dec eax |
mov eax, dword ptr [FFA31EB1h] |
dec ecx |
mov ecx, 2DDFA232h |
cdq |
sub eax, dword ptr [eax] |
add byte ptr [eax-7Bh], cl |
sal byte ptr [ebp+eax+49h], 0000003Bh |
sal dword ptr [ebp+2Fh], 4Ch |
lea eax, dword ptr [FFA31E96h] |
dec eax |
mov eax, 00000320h |
xor bh, FFFFFFFFh |
dec dword ptr [eax-75h] |
add byte ptr [ecx+33h], cl |
ror byte ptr [ecx-48h], FFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d532c | 0x3c | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d6000 | 0x3f8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5d2000 | 0x678 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9800 | 0x4c98 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d7000 | 0x18 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6220 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x220 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4945 | 0x4a00 | False | 0.4803103885135135 | Matlab v4 mat-file (little endian) \3540H\213\331H\215, numeric, rows 0, columns 0 | 6.2308309265322155 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x6000 | 0xed0 | 0x1000 | False | 0.438720703125 | OpenPGP Public Key | 4.514530236593042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
.data | 0x7000 | 0x5ca0a0 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x5d2000 | 0x678 | 0x800 | False | 0.416015625 | PEX Binary Archive | 3.953688855838641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
PAGE | 0x5d3000 | 0x1b71 | 0x1c00 | False | 0.5904017857142857 | Matlab v4 mat-file (little endian) \201\354\210, numeric, rows 0, columns 0 | 6.068491758460737 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
INIT | 0x5d5000 | 0xb4c | 0xc00 | False | 0.513671875 | Matlab v4 mat-file (little endian) \201\354\210, numeric, rows 0, columns 0 | 5.557559387174486 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5d6000 | 0x3f8 | 0x400 | False | 0.4560546875 | data | 3.423043533828543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.reloc | 0x5d7000 | 0x60 | 0x200 | False | 0.07421875 | data | 0.3154425539007212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x5d6060 | 0x394 | OpenPGP Secret Key | English | United States | 0.4759825327510917 |
DLL | Import |
---|---|
ntoskrnl.exe | IoCreateSymbolicLink, IofCompleteRequest, MmIsAddressValid, ExAllocatePoolWithTag, ExFreePoolWithTag, MmGetPhysicalAddress, DbgPrint, strncpy, vsprintf, IoFreeMdl, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, MmUnmapIoSpace, MmUnmapLockedPages, MmAllocateContiguousMemory, MmFreeContiguousMemory, MmMapIoSpace, RtlInitUnicodeString, KeWaitForSingleObject, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, ZwClose, RtlFreeAnsiString, strstr, RtlUnicodeStringToAnsiString, ZwEnumerateValueKey, ZwOpenKey, wcsncpy, IoGetDeviceObjectPointer, IoGetDeviceInterfaces, ObReferenceObjectByPointer, MmAllocateNonCachedMemory, MmFreeNonCachedMemory, KeBugCheckEx, IoDeleteSymbolicLink, ObfDereferenceObject, IoDeleteDevice, MmGetSystemRoutineAddress, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwCreateKey, ZwQueryValueKey, ZwSetValueKey, RtlFreeUnicodeString |
HAL.dll | KeStallExecutionProcessor, KeQueryPerformanceCounter |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |