73bd234a-6c4f-4304-9e7d-5bc7a3f263e2

Description

hlpdrv.sys is a malicious driver used to disable Windows Defender by modifying registry settings. This driver has been observed in Akira ransomware campaigns, where it is deployed to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. The malware modifies the DisableAntiSpyware registry key via regedit.exe execution.

  • UUID: 73bd234a-6c4f-4304-9e7d-5bc7a3f263e2
  • Created: 2025-10-27
  • Author: Michael Haag
  • Acknowledgement: GuidePoint Research and Intelligence Team (GRIT) | @GuidepointSec

Commands

sc.exe create KMHLPSVC binPath=C:\windows\temp\hlpdrv.sys type=kernel && sc.exe start KMHLPSVC

Use Case             Privileges   Operating System
Elevate privileges   kernel       Windows 10

Detections

YARA 🏹

Sigma 🛡️

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Block

on hashes

Alert

on hashes

Resources
  • https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/
  • https://github.com/magicsword-io/LOLDrivers/raw/main/drivers/cf7cad39407d8cd93135be42b6bd258f.bin

  • Known Vulnerable Samples

    Property                   Value
    Filename                   hlpdrv.sys
    Creation Timestamp         2025-03-03 04:11:32
    MD5                        cf7cad39407d8cd93135be42b6bd258f
    SHA1                       ce1b9909cef820e5281618a7a0099a27a70643dc
    SHA256                     bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
    Authentihash MD5           3e1467f89f1d0e6ff341afd460b61997
    Authentihash SHA1          7be5524927a472e0d6fbb80767fdf1ff1aa4dffc
    Authentihash SHA256        a22d5d42dd0cdae016b536799ab9c384c23b42f5662f0b115b3b85ccb9e23242
    RichPEHeaderHash MD5       fddfc403cd9bf71fe6619635b05aac6e
    RichPEHeaderHash SHA1      350c2cbd34cb87b6e06a25c63b3e48ce30a71f15
    RichPEHeaderHash SHA256    b78be3efd3d5c31d858ac832f0ee71fdb7e04a4628f2c0d897e838fa3e8f3866

    Imports

    • ntoskrnl.exe

    Imported Functions

    • RtlInitUnicodeString
    • DbgPrint
    • RtlCreateSecurityDescriptor
    • RtlSetDaclSecurityDescriptor
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • ZwCreateFile
    • ZwClose
    • ZwTerminateProcess
    • RtlCreateAcl
    • SeLocateProcessImageName
    • PsLookupProcessByProcessId
    • ObOpenObjectByPointer
    • ZwSetSecurityObject
    • PsProcessType

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    last_updated: 2026-01-07