0f64bf7a-2ef2-45ea-af7d-4e7c87d98777

psmounterex.sys :inline :inline

Description

Northwave Cyber Security contributed this driver based on in-house research. The driver has a CVSSv3 score of 8.8, indicating a privelege escalation impact. This vulnerability could potentially be exploited for privilege escalation or other malicious activities.

  • UUID: 0f64bf7a-2ef2-45ea-af7d-4e7c87d98777
  • Created: 2024-09-11
  • Author: Northwave Cyber Security
  • Acknowledgement: Northwave Cyber Security |

DownloadBlock

Commands

sc.exe create psmounterex binPath=C:\windows\temp\psmounterex.sys type=kernel && sc.exe start psmounterex
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://northwave-cybersecurity.com/exploiting-enterprise-backup-software-for-privilege-escalation-part-one

  • Known Vulnerable Samples

    PropertyValue
    Filenamepsmounterex.sys
    Creation Timestamp2019-02-15 04:20:49
    MD52a9cf32ba325f394ae1cfb1e70f38b6e
    SHA1f4d3743b764d2b781c19ce1645965f3eb61b2ad1
    SHA2564e99d454a56845bb0e622cfd68b895b7868ef7e8a43424e5b7b803f5a2d25eca
    Authentihash MD578f367a992e85d134e864abb6dbdfbc2
    Authentihash SHA19e80ef26b432c64950e6f465f5469307d0b71359
    Authentihash SHA25692f9341304bfb77158d29397d1b9695dee0d001ab5f119a8b49f49fa15e0cd98
    RichPEHeaderHash MD59f91f079886d3e0f54969f352ccd3d8c
    RichPEHeaderHash SHA198f83fe0cd432776a0319728071ca3b041fde6c5
    RichPEHeaderHash SHA256a998b6e8926459a24bc355cad2d9333b832cd38f0d6a0d24ffaecf1169aca912
    CompanyWindows (R) Win 7 DDK provider
    DescriptionParamount Software Image Mounting Driver
    ProductPSMounterEx
    OriginalFilenamepsmounterex.sys

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 47c30ffefc22bb280f96fea75251
    FieldValue
    ToBeSigned (TBS) MD5729cf4baceff4ef7aa199ad4f4ebed3d
    ToBeSigned (TBS) SHA1f478f0e790d5c8ec6056a3ab2567404a991d2837
    ToBeSigned (TBS) SHA256c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3
    ValidFrom2016-03-16 00:00:00
    ValidTo2024-03-16 00:00:00
    Signature3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47c30ffefc22bb280f96fea75251
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 7c4ba269a79bfcba77f289aa
    FieldValue
    ToBeSigned (TBS) MD5c793e7fd0c44bceb7ad426be86040011
    ToBeSigned (TBS) SHA1d801cf6f287f318e5f7a0ab5cd8906ddd8fae251
    ToBeSigned (TBS) SHA256a9c88e683450713b03ff083447909e1de401529408f51df6deb0ffb56d032aeb
    SubjectC=GB, ST=Greater Manchester, L=Manchester, O=Paramount Software UK Ltd, CN=Paramount Software UK Ltd
    ValidFrom2017-02-16 09:47:48
    ValidTo2020-03-24 14:06:23
    Signature316bfbf40acac7ca3740421599ce15352c4a4fcf111376eb9daab6a7799a0cf15abd84039561f30ec15ce6fbcfade6d441670f0ac46e46e8de3d80ba922484a460d18aa9a4a9cf554821359e49c60f218581429c87b0572fd15fc977fce01330c40e12e9d5df52e155b139cbcd73b9d5e140026f11dbe6f07b0d57d8bb89d0ea9a3bdc0b4b0a1485048e2b1ee94220d2c9e23cdf4d0eb61292bf33e5ed8b6329679f9484a6b0c7a8064964c9ca22a79cced0ea9eba71346606cf73f694bff915fdffc2e68777656d824db607914568ad8615ddf65e988a4b67a6f4eeb2b97987586257a8e6d96b29d50e7c0b40bf4649ae1bd0d71a5c33014076572a4c00e352
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber7c4ba269a79bfcba77f289aa
    Version3
    Certificate 6129152700000000002a
    FieldValue
    ToBeSigned (TBS) MD50bb058d116f02817737920f112d9fd3b
    ToBeSigned (TBS) SHA1fd116235171a4feafedee586b7a59185fb5fd7e6
    ToBeSigned (TBS) SHA256f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2011-04-15 19:55:08
    ValidTo2021-04-15 20:05:08
    Signature5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber6129152700000000002a
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • DbgPrint
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ZwCreateFile
    • ZwWriteFile
    • ZwClose
    • KdDebuggerEnabled
    • RtlInitAnsiString
    • RtlWriteRegistryValue
    • RtlCreateRegistryKey
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • IoAllocateErrorLogEntry
    • IoWriteErrorLogEntry
    • RtlInitUnicodeString
    • ZwQueryInformationFile
    • ZwReadFile
    • KeInitializeEvent
    • KeSetEvent
    • RtlCompareMemory
    • ExInterlockedInsertTailList
    • IofCompleteRequest
    • SeTokenType
    • SeCreateClientSecurity
    • PsDereferencePrimaryToken
    • PsDereferenceImpersonationToken
    • RtlClearAllBits
    • RtlSetAllBits
    • RtlSetBits
    • RtlFindFirstRunClear
    • RtlAreBitsSet
    • RtlFindNextForwardRunClear
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseInStackQueuedSpinLock
    • ExInterlockedInsertHeadList
    • __C_specific_handler
    • ExAllocatePool
    • _wcsicmp
    • _wcsnicmp
    • RtlQueryRegistryValues
    • RtlCopyUnicodeString
    • RtlAppendUnicodeToString
    • RtlxAnsiStringToUnicodeSize
    • KeSetPriorityThread
    • KeWaitForMultipleObjects
    • KeWaitForSingleObject
    • ExInterlockedRemoveHeadList
    • ExInitializeResourceLite
    • ExDeleteResourceLite
    • MmQuerySystemSize
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • ZwCreateDirectoryObject
    • ZwMakeTemporaryObject
    • ZwOpenKey
    • RtlInitializeGenericTable
    • ExUuidCreate
    • SeImpersonateClient
    • PsRevertToSelf
    • _vsnprintf
    • _vsnwprintf
    • NlsMbOemCodePageTag
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • RtlInsertElementGenericTable
    • RtlDeleteElementGenericTable
    • _local_unwind
    • ZwQueryDirectoryFile
    • swprintf
    • ZwOpenProcessToken
    • ZwAdjustPrivilegesToken
    • RtlInitializeBitMap
    • PsGetVersion
    • ZwQueryValueKey
    • MmGetSystemRoutineAddress
    • IoCreateDevice
    • ObOpenObjectByPointer
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • RtlCreateSecurityDescriptor
    • RtlSetDaclSecurityDescriptor
    • RtlAbsoluteToSelfRelativeSD
    • IoIsWdmVersionAvailable
    • SeExports
    • wcschr
    • RtlLengthSid
    • RtlAddAccessAllowedAce
    • RtlGetSaclSecurityDescriptor
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • ZwCreateKey
    • ZwSetValueKey
    • KeBugCheckEx

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
          "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
          "TBS": {
            "MD5": "d0785ad36e427c92b19f6826ab1e8020",
            "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
            "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
            "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
          },
          "ValidFrom": "2012-12-21 00:00:00",
          "ValidTo": "2020-12-30 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "47c30ffefc22bb280f96fea75251",
          "Signature": "3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
          "TBS": {
            "MD5": "729cf4baceff4ef7aa199ad4f4ebed3d",
            "SHA1": "f478f0e790d5c8ec6056a3ab2567404a991d2837",
            "SHA256": "c3c88c2a500cb5a97abca837193a5bd382f6eb3aeb0008edbce65ea2a3dbfd5c",
            "SHA384": "e62bbb1ba1ad3df59f2c7265df5576af6b5d4a7473b74985a9d956975fdfc517ffbdd2172b0e3ea36befcb6a9026c872"
          },
          "ValidFrom": "2016-03-16 00:00:00",
          "ValidTo": "2024-03-16 00:00:00",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
          "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
          "TBS": {
            "MD5": "e9d38360b914c8863f6cba3ee58764d3",
            "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
            "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
            "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
          },
          "ValidFrom": "2012-10-18 00:00:00",
          "ValidTo": "2020-12-29 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "7c4ba269a79bfcba77f289aa",
          "Signature": "316bfbf40acac7ca3740421599ce15352c4a4fcf111376eb9daab6a7799a0cf15abd84039561f30ec15ce6fbcfade6d441670f0ac46e46e8de3d80ba922484a460d18aa9a4a9cf554821359e49c60f218581429c87b0572fd15fc977fce01330c40e12e9d5df52e155b139cbcd73b9d5e140026f11dbe6f07b0d57d8bb89d0ea9a3bdc0b4b0a1485048e2b1ee94220d2c9e23cdf4d0eb61292bf33e5ed8b6329679f9484a6b0c7a8064964c9ca22a79cced0ea9eba71346606cf73f694bff915fdffc2e68777656d824db607914568ad8615ddf65e988a4b67a6f4eeb2b97987586257a8e6d96b29d50e7c0b40bf4649ae1bd0d71a5c33014076572a4c00e352",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=GB, ST=Greater Manchester, L=Manchester, O=Paramount Software UK Ltd, CN=Paramount Software UK Ltd",
          "TBS": {
            "MD5": "c793e7fd0c44bceb7ad426be86040011",
            "SHA1": "d801cf6f287f318e5f7a0ab5cd8906ddd8fae251",
            "SHA256": "a9c88e683450713b03ff083447909e1de401529408f51df6deb0ffb56d032aeb",
            "SHA384": "6c6437636cfc0650ce5fdfd5a3e095c7c6c105debc76a4db1c1b248b2ec8eb2ccbcdb19a0eb7622b82eb6b9f72a43f3e"
          },
          "ValidFrom": "2017-02-16 09:47:48",
          "ValidTo": "2020-03-24 14:06:23",
          "Version": 3
        },
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "6129152700000000002a",
          "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
          "TBS": {
            "MD5": "0bb058d116f02817737920f112d9fd3b",
            "SHA1": "fd116235171a4feafedee586b7a59185fb5fd7e6",
            "SHA256": "f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4",
            "SHA384": "c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6"
          },
          "ValidFrom": "2011-04-15 19:55:08",
          "ValidTo": "2021-04-15 20:05:08",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3",
          "SerialNumber": "7c4ba269a79bfcba77f289aa",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2025-01-13