Edit tour

Windows Analysis Report
iqvw64e.sys

Overview

General Information

Sample Name:	iqvw64e.sys
Analysis ID:	1306846
MD5:	69ba501a268f09f694ff0e8e208aa20e
SHA1:	3d6d53b0f1cc908b898610227b9f1b9352137aba
SHA256:	37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: unsuccessful

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Sample file is different than original file name gathered from version info

Classification

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: iqvw64e.sys

Static PE information: certificate valid

Source:

Binary string: c:\sandbox\676297\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: iqvw64e.sys

Source: iqvw64e.sys	String found in binary or memory: http://OCSP.intel.com/0
Source: iqvw64e.sys	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: iqvw64e.sys	String found in binary or memory: http://crl.quovadisglobal.com/qvicag4.crl0
Source: iqvw64e.sys	String found in binary or memory: http://crl.quovadisglobal.com/qvrca.crl0
Source: iqvw64e.sys	String found in binary or memory: http://ocsp.comodoca.com05
Source: iqvw64e.sys	String found in binary or memory: http://ocsp.quovadisglobal.com05
Source: iqvw64e.sys	String found in binary or memory: http://ocsp.quovadisglobal.com07
Source: iqvw64e.sys	String found in binary or memory: http://pki.intel.com/crl/IntelCA7B.crl0f
Source: iqvw64e.sys	String found in binary or memory: http://pki.intel.com/crt/IntelCA7B.crt0
Source: iqvw64e.sys	String found in binary or memory: http://trust.quovadisglobal.com/qvicag4.crt0O
Source: iqvw64e.sys	String found in binary or memory: http://trust.quovadisglobal.com/qvrca.crt0
Source: iqvw64e.sys	String found in binary or memory: http://www.quovadisglobal.com/repository0

Source: iqvw64e.sys

Binary or memory string: OriginalFilenameiQVW64.SYSH vs iqvw64e.sys

Source: iqvw64e.sys

Binary string: \Device\Nal

Source: classification engine

Classification label: clean0.winSYS@0/0@0/0

Source: iqvw64e.sys

Static PE information: certificate valid

Source: iqvw64e.sys

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\sandbox\676297\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: iqvw64e.sys

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iqvw64e.sys	0%	ReversingLabs

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.quovadisglobal.com07	0%	Avira URL Cloud	safe
http://ocsp.quovadisglobal.com05	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://ocsp.quovadisglobal.com05	iqvw64e.sys	false	Avira URL Cloud: safe	unknown
http://crl.quovadisglobal.com/qvrca.crl0	iqvw64e.sys	false		high
http://trust.quovadisglobal.com/qvrca.crt0	iqvw64e.sys	false		high
http://pki.intel.com/crt/IntelCA7B.crt0	iqvw64e.sys	false		high
http://crl.quovadisglobal.com/qvicag4.crl0	iqvw64e.sys	false		high
http://ocsp.quovadisglobal.com07	iqvw64e.sys	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/repository0	iqvw64e.sys	false		high
http://OCSP.intel.com/0	iqvw64e.sys	false		high
http://pki.intel.com/crl/IntelCA7B.crl0f	iqvw64e.sys	false		high
http://trust.quovadisglobal.com/qvicag4.crt0O	iqvw64e.sys	false		high

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1306846
Start date and time:	2023-09-10 14:29:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	iqvw64e.sys
Detection:	CLEAN
Classification:	clean0.winSYS@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .sys Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: unsuccessful

Warnings

Exclude process from analysis (whitelisted): RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com
VT rate limit hit for: iqvw64e.sys

Joe Sandbox View / Context

Instruction
dec eax
mov eax, dword ptr [FFA31EB1h]
dec ecx
mov ecx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax-7Bh], cl
sal byte ptr [ebp+eax+49h], 0000003Bh
sal dword ptr [ebp+2Fh], 4Ch
lea eax, dword ptr [FFA31E96h]
dec eax
mov eax, 00000320h
xor bh, FFFFFFFFh
dec dword ptr [eax-75h]
add byte ptr [ecx+33h], cl
ror byte ptr [ecx-48h], FFFFFFFFh

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d532c	0x3c	INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d6000	0x3f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5d2000	0x678	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9800	0x4c98	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d7000	0x18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x220	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4945	0x4a00	False	0.4803103885135135	Matlab v4 mat-file (little endian) \3540H\213\331H\215, numeric, rows 0, columns 0	6.2308309265322155	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0xed0	0x1000	False	0.438720703125	OpenPGP Public Key	4.514530236593042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0x7000	0x5ca0a0	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5d2000	0x678	0x800	False	0.416015625	PEX Binary Archive	3.953688855838641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
PAGE	0x5d3000	0x1b71	0x1c00	False	0.5904017857142857	Matlab v4 mat-file (little endian) \201\354\210, numeric, rows 0, columns 0	6.068491758460737	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
INIT	0x5d5000	0xb4c	0xc00	False	0.513671875	Matlab v4 mat-file (little endian) \201\354\210, numeric, rows 0, columns 0	5.557559387174486	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d6000	0x3f8	0x400	False	0.4560546875	data	3.423043533828543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc	0x5d7000	0x60	0x200	False	0.07421875	data	0.3154425539007212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5d6060	0x394	OpenPGP Secret Key	English	United States	0.4759825327510917

DLL	Import
ntoskrnl.exe	IoCreateSymbolicLink, IofCompleteRequest, MmIsAddressValid, ExAllocatePoolWithTag, ExFreePoolWithTag, MmGetPhysicalAddress, DbgPrint, strncpy, vsprintf, IoFreeMdl, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, MmUnmapIoSpace, MmUnmapLockedPages, MmAllocateContiguousMemory, MmFreeContiguousMemory, MmMapIoSpace, RtlInitUnicodeString, KeWaitForSingleObject, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, ZwClose, RtlFreeAnsiString, strstr, RtlUnicodeStringToAnsiString, ZwEnumerateValueKey, ZwOpenKey, wcsncpy, IoGetDeviceObjectPointer, IoGetDeviceInterfaces, ObReferenceObjectByPointer, MmAllocateNonCachedMemory, MmFreeNonCachedMemory, KeBugCheckEx, IoDeleteSymbolicLink, ObfDereferenceObject, IoDeleteDevice, MmGetSystemRoutineAddress, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwCreateKey, ZwQueryValueKey, ZwSetValueKey, RtlFreeUnicodeString
HAL.dll	KeStallExecutionProcessor, KeQueryPerformanceCounter

IoCreateSymbolicLink, IofCompleteRequest, MmIsAddressValid, ExAllocatePoolWithTag, ExFreePoolWithTag, MmGetPhysicalAddress, DbgPrint, strncpy, vsprintf, IoFreeMdl, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, MmUnmapIoSpace, MmUnmapLockedPages, MmAllocateContiguousMemory, MmFreeContiguousMemory, MmMapIoSpace, RtlInitUnicodeString, KeWaitForSingleObject, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, ZwClose, RtlFreeAnsiString, strstr, RtlUnicodeStringToAnsiString, ZwEnumerateValueKey, ZwOpenKey, wcsncpy, IoGetDeviceObjectPointer, IoGetDeviceInterfaces, ObReferenceObjectByPointer, MmAllocateNonCachedMemory, MmFreeNonCachedMemory, KeBugCheckEx, IoDeleteSymbolicLink, ObfDereferenceObject, IoDeleteDevice, MmGetSystemRoutineAddress, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwCreateKey, ZwQueryValueKey, ZwSetValueKey, RtlFreeUnicodeString

HAL.dll

KeStallExecutionProcessor, KeQueryPerformanceCounter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

File type:	PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):	6.708883492157136
TrID:	Win64 Device Driver (generic) (12004/3) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	iqvw64e.sys
File size:	58'520 bytes
MD5:	69ba501a268f09f694ff0e8e208aa20e
SHA1:	3d6d53b0f1cc908b898610227b9f1b9352137aba
SHA256:	37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9
SHA512:	7f008b488ef08852734cadb5fa029d1bd8880bc48932b04ef77169a481c75281f3367781e2032dec4bae814d0471a47b1e7ffc92c4de22e485650e9b23abea2b
SSDEEP:	768:Vk+Hbvpb0ETH4VbN31IYJ4cTWC8K0EI2f2MbD5aCFxCVDOXCoPM4iI:VkyL2h+ShfbACFsaSoPM4i
TLSH:	3D434BC2826C6085D7A7D4B982F99A53DAF175581720D3CF3274C22E1A53BE8BA3C394
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.a....Q...Q...Q...QR..QfttQ...QftrQ...QftbQ...Q..QQ...QftwQ...QRich...Q................PE..d...Pq.[.........."......r....\....

Entrypoint:	0x5e5250
Entrypoint Section:	INIT
Digitally signed:	true
Imagebase:	0x10000
Subsystem:	native
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x5B9F7150 [Mon Sep 17 09:18:08 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	2cf48a541dc193e91bb2a831adcf278e

Signature Valid:	true
Signature Issuer:	CN=Intel External Issuing CA 7B, O=Intel Corporation, L=Santa Clara, S=CA, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	09/08/2018 23:34:08 08/08/2020 23:34:08
Subject Chain	CN=Intel(R) INTELND1820, OU=ND, O=Intel Corporation, L=Santa Clara, S=CA, C=US
Version:	3
Thumbprint MD5:	CDEDC1FB5C02178B5916669E1D287C85
Thumbprint SHA-1:	CFED925A397EBE3072F8C907B246E841258FB16C
Thumbprint SHA-256:	58A0E389CF0DB61E1DE1B318E77C0D6266EEF5AD12917E363512C5FBD09BC987
Serial:	560000077B478C76C9AFCAFCAF00000000077B


Icon Hash:	7ae282899bbab082

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iqvw64e.sys

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
iqvw64e.sys