30e8d598-2c60-49e4-953b-a6f620da1371

wsftprm.sys

Description

Northwave Cyber Security contributed this driver based on in-house research. The driver has a CVSSv3 score of 6.1, and its impact is classified as antivirus killer. This vulnerability could potentially be exploited for privilege escalation or other malicious activities.

  • UUID: 30e8d598-2c60-49e4-953b-a6f620da1371
  • Created: 2024-09-11
  • Author: Northwave Cyber Security
  • Acknowledgement: Northwave Cyber Security


Commands

sc.exe create wsftprm binPath=C:\windows\temp\wsftprm.sys type=kernel && sc.exe start wsftprm
  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://northwave-cybersecurity.com/vulnerability-notice-topaz-antifraud

Known Vulnerable Samples

    • Filename: wsftprm.sys
    • Creation Timestamp: 2023-02-27 13:51:07
    • MD5: 2f4b5a0d98bc4e5616f2dd04337ae674
    • SHA1: f8a3f28ecbd0b08ecab73ef571f16c3d0bd5e009
    • SHA256: ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8
    • Authentihash MD5: fef5c6b4bf229133ff0ba9b3187db3fa
    • Authentihash SHA1: 2e453dc7c70d25a59b09006d9b28360a0aca1720
    • Authentihash SHA256: a3b12d9f35f9acd46d7e21627ad3e29149d203e211d665a3e03103f9cb7e4b86
    • RichPEHeaderHash MD5: 380c0124c01eca51c088d4f4c2e7d85d
    • RichPEHeaderHash SHA1: 081bcd186bc2dc98daed9607d20b7c1c6b31485c
    • RichPEHeaderHash SHA256: 289920fb621fd2b50674986819cf50a9ffa893efdff5f681e493af5ee622dd27
    • Company: Topaz OFD
    • Description: Topaz OFD - PM
    • Product: wsddprm
    • OriginalFilename: wsftprm.sys


    Certificates

    Certificate 08ad40b260d29c4c9f5ecda9bd93aed9

    • ToBeSigned (TBS) MD5: 5d8003a64dfa5a4d88365da1566038cb
    • ToBeSigned (TBS) SHA1: 79465b56bc7ad55a37bdf633943da8bfc84db228
    • ToBeSigned (TBS) SHA256: 84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332
    • Subject: C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • ValidFrom: 2021-04-29 00:00:00
    • ValidTo: 2036-04-28 23:59:59
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.12
    • IsCertificateAuthority: True
    • SerialNumber: 08ad40b260d29c4c9f5ecda9bd93aed9
    • Version: 3

    Certificate 0d11baba3cbb3f038ab40620dc601654

    • ToBeSigned (TBS) MD5: fd32050cfa930d5c6296f641056dab31
    • ToBeSigned (TBS) SHA1: ddf88d96557ae9668348705c8fa93228fb0a342e
    • ToBeSigned (TBS) SHA256: 9439c52923b26aa3b129ccb20cf5e81cb897d0d9eeca2c098641ed8147db70c0
    • Subject: C=BR, ST=So Paulo, L=Indaiatuba, O=TPZ SOLUCOES DIGITAIS LTDA, OU=OFD, CN=TPZ SOLUCOES DIGITAIS LTDA
    • ValidFrom: 2022-12-19 00:00:00
    • ValidTo: 2026-01-20 23:59:59
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 0d11baba3cbb3f038ab40620dc601654
    • Version: 3

    Imports

    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoRegisterShutdownNotification
    • IoUnregisterShutdownNotification
    • ObReferenceObjectByHandle
    • ExEventObjectType
    • ZwClose
    • ZwOpenKey
    • ZwFlushKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • IoGetCurrentProcess
    • PsGetProcessId
    • RtlInitUnicodeString
    • PsSetLoadImageNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • KeInitializeEvent
    • KeClearEvent
    • ObfDereferenceObject
    • ZwTerminateProcess
    • ZwOpenProcess
    • __C_specific_handler
    • KeWaitForSingleObject
    • RtlCopyUnicodeString
    • KeReleaseMutex
    • KeInitializeMutex
    • KeSetEvent
    • PsSetCreateProcessNotifyRoutine
    • WdfVersionUnbind
    • WdfVersionBind
    • WdfVersionUnbindClass
    • WdfVersionBindClass

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "IsCertificateAuthority": true,
          "SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
          "TBS": {
            "MD5": "5d8003a64dfa5a4d88365da1566038cb",
            "SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
            "SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
            "SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
          },
          "ValidFrom": "2021-04-29 00:00:00",
          "ValidTo": "2036-04-28 23:59:59",
          "Version": 3
        },
        {
          "IsCertificateAuthority": false,
          "SerialNumber": "0d11baba3cbb3f038ab40620dc601654",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=BR, ST=So Paulo, L=Indaiatuba, O=TPZ SOLUCOES DIGITAIS LTDA, OU=OFD, CN=TPZ SOLUCOES DIGITAIS LTDA",
          "TBS": {
            "MD5": "fd32050cfa930d5c6296f641056dab31",
            "SHA1": "ddf88d96557ae9668348705c8fa93228fb0a342e",
            "SHA256": "9439c52923b26aa3b129ccb20cf5e81cb897d0d9eeca2c098641ed8147db70c0",
            "SHA384": "8305a04f7ca008b908c330c10260e01dffbd5e571baf473dcc1f1a72aa489564729d5a8dd998e06a5a4246aa1c568a71"
          },
          "ValidFrom": "2022-12-19 00:00:00",
          "ValidTo": "2026-01-20 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
          "SerialNumber": "0d11baba3cbb3f038ab40620dc601654",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2025-01-13