cyvrlpc.sys

Description

Per Sophos X-Ops research (Aug 06, 2025), threat actors deploy an EDR-killer that loads a malicious kernel driver (often with a random five-letter name) signed with compromised or revoked code-signing certificates (e.g., Changsha Hengxiang Information Technology; Fuzhou Dingxin Trade). The tool targets many security products by killing their services and processes and is frequently distributed packed with HeartCrypt by ransomware groups (e.g., RansomHub, INC). Driver names are hard-coded per sample (e.g., mraml.sys, noedt.sys).

  • UUID: 85f8ad5b-c5aa-468b-99f3-4b0aacfaa724
  • Created: 2025-08-08
  • Author: Michael Haag
  • Acknowledgement: Michael Haag | m_haggis

Download

This download link contains the vulnerable driver!

Commands

sc.exe create cyvrlpc.sys binPath=C:\windows\temp\cyvrlpc.sys type=kernel && sc.exe start cyvrlpc.sys
Use Case             Privileges   Operating System
Elevate privileges   kernel       Windows 10

Detections

YARA 🏹


  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️


  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎


  • Block: on hashes
  • Alert: on hashes

Resources


  • https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/

Known Vulnerable Samples

    Filename: 05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
    Creation Timestamp: 2023-06-23 11:18:09
    MD5: 43e12d7695fb568b5fce049341ae9175
    SHA1: 6b76184d186d93cef98df43f1e307eb2ab866c1b
    SHA256: 05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
    Authentihash MD5: c39d7606489fa399976e2f18373b3e24
    Authentihash SHA1: ebf6b77266869267e01671eba82f24497954f1f4
    Authentihash SHA256: 44c718f75ae2a58e22923644d0caa621d78e8b83fe239d3c1bbba8851274904f
    RichPEHeaderHash MD5: ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA1: 3e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA256: 2b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6
    Company: Palo Alto Networks, Inc.
    Description: Cortex XDR LPC Driver
    Product: Cortex XDR™ Advanced Endpoint Protection
    OriginalFilename: cyvrlpc.sys

    Certificates

    Certificate 75e8e7b9043b13df60e76499663021c1
    ToBeSigned (TBS) MD5: c744e90982da6083d0d56173dba4c9fa
    ToBeSigned (TBS) SHA1: 633b38d9372b85e02e013beca47cf5b1b7b10bee
    ToBeSigned (TBS) SHA256: 09a47ae5b166910e92028c035d2550ccec79b4c9b221bc476380ddb69b5b4770
    Subject: CN=长沙恒祥信息技术有限公司,O=长沙恒祥信息技术有限公司,L=长沙市,ST=湖南省,C=CN
    ValidFrom: 2015-03-20 00:00:00
    ValidTo: 2016-03-19 23:59:59
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: False
    SerialNumber: 75e8e7b9043b13df60e76499663021c1
    Version: 3

    Certificate 611993e400000000001c
    ToBeSigned (TBS) MD5: 78a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
    ValidFrom: 2011-02-22 19:25:17
    ValidTo: 2021-02-22 19:35:17
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 611993e400000000001c
    Version: 3

    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    ToBeSigned (TBS) MD5: b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    Subject: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
    ValidFrom: 2010-02-08 00:00:00
    ValidTo: 2020-02-07 23:59:59
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7
    Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • KeInitializeEvent
    • HalReturnToFirmware
    • ExAllocatePool
    • NtQuerySystemInformation
    • ExFreePoolWithTag
    • IoAllocateMdl
    • MmProbeAndLockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnlockPages
    • IoFreeMdl
    • KeQueryActiveProcessors
    • KeSetSystemAffinityThread
    • KeRevertToUserAffinityThread
    • DbgPrint
    • KeQueryPerformanceCounter

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .?mW
    • .rr)
    • .k:-
    • .reloc
    • .rsrc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "75e8e7b9043b13df60e76499663021c1",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=\u957f\u6c99\u6052\u7965\u4fe1\u606f\u6280\u672f\u6709\u9650\u516c\u53f8,O=\u957f\u6c99\u6052\u7965\u4fe1\u606f\u6280\u672f\u6709\u9650\u516c\u53f8,L=\u957f\u6c99\u5e02,ST=\u6e56\u5357\u7701,C=CN",
          "TBS": {
            "MD5": "c744e90982da6083d0d56173dba4c9fa",
            "SHA1": "633b38d9372b85e02e013beca47cf5b1b7b10bee",
            "SHA256": "09a47ae5b166910e92028c035d2550ccec79b4c9b221bc476380ddb69b5b4770",
            "SHA384": "240cbfa8fdb38172da35d1f761200717e8824a6eb58cf2be0421e825fc7ddf5c62a93136a6f844af06d2c5779d80841a"
          },
          "ValidFrom": "2015-03-20 00:00:00",
          "ValidTo": "2016-03-19 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "611993e400000000001c",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "TBS": {
            "MD5": "78a717e082dcc1cda3458d917e677d14",
            "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
            "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
            "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
          },
          "ValidFrom": "2011-02-22 19:25:17",
          "ValidTo": "2021-02-22 19:35:17",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "TBS": {
            "MD5": "b30c31a572b0409383ed3fbe17e56e81",
            "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
            "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
            "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
          },
          "ValidFrom": "2010-02-08 00:00:00",
          "ValidTo": "2020-02-07 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
          "SerialNumber": "75e8e7b9043b13df60e76499663021c1",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }

    last_updated: 2025-08-28