618fbf89-f4e3-4b2a-a4b4-cc4bf7c180e0

POORTRY2.sys

Description

Driver categorized as POORTRY by Mandiant.

UUID: 618fbf89-f4e3-4b2a-a4b4-cc4bf7c180e0
Created: 2023-03-04
Author: Michael Haag
Acknowledgement: |

This download link contains the malicious driver!

Commands

sc.exe create POORTRY2.sys binPath=C:\windows\temp\POORTRY2.sys type=kernel &amp;&amp; sc.exe start POORTRY2.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware

Known Vulnerable Samples

Property	Value
Filename	POORTRY2.sys
Creation Timestamp	2022-08-16 06:58:09
MD5	b164daf106566f444dfb280d743bc2f7
SHA1	7e836dadc2e149a0b758c7e22c989cbfcce18684
SHA256	9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87
Authentihash MD5	ffbbaeada1f7507faca4ef59c6e3e577
Authentihash SHA1	56f9aa37f099409170b4656079edbf52e464b700
Authentihash SHA256	29bf8618816bce5fa2845409d98b7b96915e0763bb04719535ca885e4713cfaf
RichPEHeaderHash MD5	104f21983f4d9023b3caea75e150d708
RichPEHeaderHash SHA1	f7c1d81b689da74283e59a207c099add982ebe65
RichPEHeaderHash SHA256	d7cc985c73b6cab2c875fcdabc34930c0849b055477e264061c4ef8351c69fa0

Download

Certificates

Expand

Certificate 3300000057ee4d659a923e7c10000000000057

Field	Value
ToBeSigned (TBS) MD5	fdc11a5676aed4e9cc0c09eeb7450dfb
ToBeSigned (TBS) SHA1	4902077d9a05d4231b791d3b05bafa4a79132f03
ToBeSigned (TBS) SHA256	5db56c23d83bf67c7152e28ad4a684a7372b4ae4f52afe7a81ce91eef94caec3
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
ValidFrom	2022-06-07 18:08:06
ValidTo	2023-06-01 18:08:06
Signature	0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	3300000057ee4d659a923e7c10000000000057
Version	3

Certificate 330000000d690d5d7893d076df00000000000d

Field	Value
ToBeSigned (TBS) MD5	83f69422963f11c3c340b81712eef319
ToBeSigned (TBS) SHA1	0c5e5f24590b53bc291e28583acb78e5adc95601
ToBeSigned (TBS) SHA256	d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
ValidFrom	2014-10-15 20:31:27
ValidTo	2029-10-15 20:41:27
Signature	96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	True
SerialNumber	330000000d690d5d7893d076df00000000000d
Version	3

Imports

Expand

ntoskrnl.exe
FLTMGR.SYS

Imported Functions

Expand

RtlTimeToTimeFields
ExAllocatePoolWithTag
ZwCreateKey
ExFreePoolWithTag
NtQuerySystemInformation
ZwReadFile
RtlInitUnicodeString
IoCreateFile
RtlUnicodeStringToAnsiString
_wcslwr
IoFileObjectType
ZwCreateFile
wcsstr
ZwQueryValueKey
ExAllocatePool
PsTerminateSystemThread
ZwClose
RtlFreeAnsiString
ZwQueryInformationFile
KeWaitForMultipleObjects
ZwWriteFile
_vsnprintf
KeBugCheck
DbgPrint
PsGetCurrentProcessId
memmove
ZwAllocateVirtualMemory
atoi
_strlwr
NtQueryInformationProcess
DbgBreakPoint
ZwOpenProcess
KeServiceDescriptorTable
strrchr
ObQueryNameString
NtOpenThread
NtClose
NtOpenProcess
ExSystemTimeToLocalTime
RtlFreeUnicodeString
KeQuerySystemTime
RtlInitAnsiString
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
sprintf
swprintf_s
ObfDereferenceObject
KeSetEvent
KeWaitForSingleObject
ObReferenceObjectByHandle
PsCreateSystemThread
KeInitializeEvent
PsSetCreateProcessNotifyRoutineEx
_except_handler3
memcpy
memset
FltStartFiltering
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltFreeSecurityDescriptor
FltCreateCommunicationPort
FltCloseClientPort

Exported Functions

Expand

Sections

Expand

.text
.text1
.rdata
.data
INIT
.reloc

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "3300000057ee4d659a923e7c10000000000057",
      "Signature": "0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "fdc11a5676aed4e9cc0c09eeb7450dfb",
        "SHA1": "4902077d9a05d4231b791d3b05bafa4a79132f03",
        "SHA256": "5db56c23d83bf67c7152e28ad4a684a7372b4ae4f52afe7a81ce91eef94caec3",
        "SHA384": "c952d7f0e0ea5216ce4400601fb7c0829f0f3fcd6eb2b5b9112fbe45d133e00c4abd660f8e1794f7ac4ef95123e2c0ab"
      },
      "ValidFrom": "2022-06-07 18:08:06",
      "ValidTo": "2023-06-01 18:08:06",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "3300000057ee4d659a923e7c10000000000057",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2024-04-09