30e8d598-2c60-49e4-953b-a6f620da1371
wsftprm.sys
Description
Northwave Cyber Security contributed this driver based on in-house research. The driver has a CVSSv3 score of 6.1, indicating a antivirus killer impact. This vulnerability could potentially be exploited for privilege escalation or other malicious activities.
- UUID: 30e8d598-2c60-49e4-953b-a6f620da1371
- Created: 2024-09-11
- Author: Northwave Cyber Security
- Acknowledgement: Northwave Cyber Security |
Commands
sc.exe create wsftprm binPath=C:\windows\temp\wsftprm.sys type=kernel && sc.exe start wsftprm
Use Case | Privileges | Operating System |
---|---|---|
Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
Resources
Known Vulnerable Samples
Property | Value |
---|---|
Filename | wsftprm.sys |
Creation Timestamp | 2023-02-27 13:51:07 |
MD5 | 2f4b5a0d98bc4e5616f2dd04337ae674 |
SHA1 | f8a3f28ecbd0b08ecab73ef571f16c3d0bd5e009 |
SHA256 | ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8 |
Authentihash MD5 | fef5c6b4bf229133ff0ba9b3187db3fa |
Authentihash SHA1 | 2e453dc7c70d25a59b09006d9b28360a0aca1720 |
Authentihash SHA256 | a3b12d9f35f9acd46d7e21627ad3e29149d203e211d665a3e03103f9cb7e4b86 |
RichPEHeaderHash MD5 | 380c0124c01eca51c088d4f4c2e7d85d |
RichPEHeaderHash SHA1 | 081bcd186bc2dc98daed9607d20b7c1c6b31485c |
RichPEHeaderHash SHA256 | 289920fb621fd2b50674986819cf50a9ffa893efdff5f681e493af5ee622dd27 |
Company | Topaz OFD |
Description | Topaz OFD - PM |
Product | wsddprm |
OriginalFilename | wsftprm.sys |
Certificates
Expand
Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 5d8003a64dfa5a4d88365da1566038cb |
ToBeSigned (TBS) SHA1 | 79465b56bc7ad55a37bdf633943da8bfc84db228 |
ToBeSigned (TBS) SHA256 | 84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332 |
Subject | C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
ValidFrom | 2021-04-29 00:00:00 |
ValidTo | 2036-04-28 23:59:59 |
Signature | 3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e |
SignatureAlgorithmOID | 1.2.840.113549.1.1.12 |
IsCertificateAuthority | True |
SerialNumber | 08ad40b260d29c4c9f5ecda9bd93aed9 |
Version | 3 |
Certificate 0d11baba3cbb3f038ab40620dc601654
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | fd32050cfa930d5c6296f641056dab31 |
ToBeSigned (TBS) SHA1 | ddf88d96557ae9668348705c8fa93228fb0a342e |
ToBeSigned (TBS) SHA256 | 9439c52923b26aa3b129ccb20cf5e81cb897d0d9eeca2c098641ed8147db70c0 |
Subject | C=BR, ST=So Paulo, L=Indaiatuba, O=TPZ SOLUCOES DIGITAIS LTDA, OU=OFD, CN=TPZ SOLUCOES DIGITAIS LTDA |
ValidFrom | 2022-12-19 00:00:00 |
ValidTo | 2026-01-20 23:59:59 |
Signature | 11f4de7903bf687c3404a2068f87a2375a5da0b0d5cdf6593dabedce060e7b975c5b248da7e815c9da5f9c3dae2f1035d7c28360bb793956905d58a6114cb2562d4176634ea3c24a845a36731ffe26b3668c6e090573e78ff432680b1c53804d62f72a858305ec65dbd835c87623eebbf66b8fdadeacc30bec276d6418f009016e36ab94aae3177bd2fd4af060e3d0b9ba265a41f019b9af409f77505057d4dc9ba3b429aa258a4436a9a7346ed01b9396334dd50482be7d6625c5fe41dc0eb64a24640309a632aa99824dfab947480e0f819efc211574fb8aefc5140ebdf7db59af5c044190d860e9da997e978dd6c1e80466713cb3e9943131568eb58ab32089734b0c65c7f5258fb25eb2b1184ec817971bbfc5a2a7ec9405428db2ce5ddba04cd48056c1a74ce21a4179c4e535e9ce597171d52d4b6840050783406982af40bd1d7591604b158d07f259ab1232c9143e66c585e11a60f55dd0eb4758120588de62e1507eddd39dee42f3130caba4bf8144d15e8785c1e99da911b41771f23444f5be7fc7e27a141efe1134ec1df87a726bfe099c1e576e75790c1fb342e08e4b9bad2fbefb6c08b37db6d62ac9f2107885c7afe3207a0c42db7cf860c48fad4104f09ae2fe038796a0b888aa593595c90f17d01988ad074f1c6a1b88779166fe70d1d6b13a95571bfbfc0244b8661291a83d6f9f1b856c5633ff057194c9 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | False |
SerialNumber | 0d11baba3cbb3f038ab40620dc601654 |
Version | 3 |
Imports
Expand
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- IoRegisterShutdownNotification
- IoUnregisterShutdownNotification
- ObReferenceObjectByHandle
- ExEventObjectType
- ZwClose
- ZwOpenKey
- ZwFlushKey
- ZwQueryValueKey
- ZwSetValueKey
- IoGetCurrentProcess
- PsGetProcessId
- RtlInitUnicodeString
- PsSetLoadImageNotifyRoutine
- PsRemoveLoadImageNotifyRoutine
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- KeInitializeEvent
- KeClearEvent
- ObfDereferenceObject
- ZwTerminateProcess
- ZwOpenProcess
- __C_specific_handler
- KeWaitForSingleObject
- RtlCopyUnicodeString
- KeReleaseMutex
- KeInitializeMutex
- KeSetEvent
- PsSetCreateProcessNotifyRoutine
- WdfVersionUnbind
- WdfVersionBind
- WdfVersionUnbindClass
- WdfVersionBindClass
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
"Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
"Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"TBS": {
"MD5": "5d8003a64dfa5a4d88365da1566038cb",
"SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
"SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
"SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
},
"ValidFrom": "2021-04-29 00:00:00",
"ValidTo": "2036-04-28 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0d11baba3cbb3f038ab40620dc601654",
"Signature": "11f4de7903bf687c3404a2068f87a2375a5da0b0d5cdf6593dabedce060e7b975c5b248da7e815c9da5f9c3dae2f1035d7c28360bb793956905d58a6114cb2562d4176634ea3c24a845a36731ffe26b3668c6e090573e78ff432680b1c53804d62f72a858305ec65dbd835c87623eebbf66b8fdadeacc30bec276d6418f009016e36ab94aae3177bd2fd4af060e3d0b9ba265a41f019b9af409f77505057d4dc9ba3b429aa258a4436a9a7346ed01b9396334dd50482be7d6625c5fe41dc0eb64a24640309a632aa99824dfab947480e0f819efc211574fb8aefc5140ebdf7db59af5c044190d860e9da997e978dd6c1e80466713cb3e9943131568eb58ab32089734b0c65c7f5258fb25eb2b1184ec817971bbfc5a2a7ec9405428db2ce5ddba04cd48056c1a74ce21a4179c4e535e9ce597171d52d4b6840050783406982af40bd1d7591604b158d07f259ab1232c9143e66c585e11a60f55dd0eb4758120588de62e1507eddd39dee42f3130caba4bf8144d15e8785c1e99da911b41771f23444f5be7fc7e27a141efe1134ec1df87a726bfe099c1e576e75790c1fb342e08e4b9bad2fbefb6c08b37db6d62ac9f2107885c7afe3207a0c42db7cf860c48fad4104f09ae2fe038796a0b888aa593595c90f17d01988ad074f1c6a1b88779166fe70d1d6b13a95571bfbfc0244b8661291a83d6f9f1b856c5633ff057194c9",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=BR, ST=So Paulo, L=Indaiatuba, O=TPZ SOLUCOES DIGITAIS LTDA, OU=OFD, CN=TPZ SOLUCOES DIGITAIS LTDA",
"TBS": {
"MD5": "fd32050cfa930d5c6296f641056dab31",
"SHA1": "ddf88d96557ae9668348705c8fa93228fb0a342e",
"SHA256": "9439c52923b26aa3b129ccb20cf5e81cb897d0d9eeca2c098641ed8147db70c0",
"SHA384": "8305a04f7ca008b908c330c10260e01dffbd5e571baf473dcc1f1a72aa489564729d5a8dd998e06a5a4246aa1c568a71"
},
"ValidFrom": "2022-12-19 00:00:00",
"ValidTo": "2026-01-20 23:59:59",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"SerialNumber": "0d11baba3cbb3f038ab40620dc601654",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2025-01-13