9889da50-3908-4499-a729-187295a60a0e

asrdrv104.sys

We were not able to verify the hash of this driver successfully, it has not been confirmed.

Description

asrdrv104.sys is a vulnerable driver and more information will be added as found.

  • UUID: 9889da50-3908-4499-a729-187295a60a0e
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Commands

sc.exe create asrdrv104.sys binPath=C:\windows\temp\asrdrv104.sys type=kernel && sc.exe start asrdrv104.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

    • Known Vulnerable Samples

    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA16c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA1e039c9dd21494dbd073b4823fc3a17fbb951ec6c
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA17eec3a1edf3b021883a4b5da450db63f7c0afeeb
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA1e5021a98e55d514e2376aa573d143631e5ee1c13
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp2017-03-24 22:06:29
    MD5de1cc5c266140bff9d964fab87a29421
    SHA1729a8675665c61824f22f06c7b954be4d14b52c4
    SHA2566ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7
    Authentihash MD56b214126743cbf8efdfae0a4fb7d78eb
    Authentihash SHA1efc91a1317eb086196fa1a2f94fbf96258b5ec2e
    Authentihash SHA2565b08d996938a0ab9a3b7a65e3049482dff819028102d41f7c5924af467b0a3e4
    RichPEHeaderHash MD56a040ce6cb149645c2ee94feff2864a5
    RichPEHeaderHash SHA150b80eb17b5728b9a40887c3b998bf565dd77920
    RichPEHeaderHash SHA2566dba5e5edc047abf8b9eac9ca2dc7dec808e6b1656406542a8d3c150a6447940
    CompanyASRock Incorporation
    DescriptionASRock IO Driver
    ProductASRock IO Driver
    OriginalFilenameAsrDrv.sys

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 250ce8e030612e9f2b89f7054d7cf8fd
    FieldValue
    ToBeSigned (TBS) MD5918d9eb6a6cd36c531eceb926170a7e1
    ToBeSigned (TBS) SHA10ae95700d65e6f59715aa47048993ca7858e676a
    ToBeSigned (TBS) SHA25647c46e6eaa3780eace3d0d891346cd373359d246b21a957219dbab4c8f37c166
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2006-11-08 00:00:00
    ValidTo2021-11-07 23:59:59
    Signature1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber250ce8e030612e9f2b89f7054d7cf8fd
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3
    Certificate 03ffdaa3aac322387d7eb98acf9524bf
    FieldValue
    ToBeSigned (TBS) MD5987b0fb90b05c0b59ba66fb1527c27e3
    ToBeSigned (TBS) SHA11b5d5279beed01b2355731588b1a26da29218b55
    ToBeSigned (TBS) SHA256b3cd9f313e55fce2d39d25dbe303777e5db9d0c01448dcd9ac70c2355bb5b4ea
    SubjectC=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation
    ValidFrom2014-03-07 00:00:00
    ValidTo2017-05-05 23:59:59
    Signature1a2d36e51fc7012c4b1548f12a0b4dbef774c3662171e0e1779f412648292619a8d74f8603af4fff5516d4859e7a26de9f0f688b2714b64ff296e56165afb0781c9a9dd23220d939c15cc218fe29d63d9ccd12f74127268c027d4041d392cad853e9da0a6d9379ac46efa8fe2099da7c49374b6c416139038143a94cc56334fad15ccbba2a821a22591d2c5b1449999e40af21e4f8280485d02056d904740e5c73a36e30c43376e7dbc8d0ccb7520e4bffc6501d0c0674a684398281b23d7dcb4386721fdece5817c74509fe6cc86751cd28e255dd47de330646d6bfe863fc50c773b90078f0332c3a02539c9e82b5e793c288063f91ed5f2036eb6cd4eae9e0
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber03ffdaa3aac322387d7eb98acf9524bf
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll
    • cng.sys

    Imported Functions

    Expand
    • memset
    • MmGetPhysicalAddress
    • MmAllocateContiguousMemorySpecifyCache
    • MmFreeContiguousMemorySpecifyCache
    • IoFreeIrp
    • IoFreeMdl
    • MmUnlockPages
    • IofCallDriver
    • IoBuildAsynchronousFsdRequest
    • RtlQueryRegistryValues
    • IoCreateSymbolicLink
    • KeTickCount
    • KeBugCheckEx
    • RtlCompareMemory
    • MmMapIoSpace
    • MmUnmapIoSpace
    • memcpy
    • MmGetSystemRoutineAddress
    • ZwClose
    • ZwSetSecurityObject
    • ObOpenObjectByPointer
    • IoDeviceObjectType
    • IoCreateDevice
    • RtlGetDaclSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • SeExports
    • IoIsWdmVersionAvailable
    • _wcsnicmp
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlSetDaclSecurityDescriptor
    • RtlCreateSecurityDescriptor
    • ZwOpenKey
    • ZwCreateKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • RtlFreeUnicodeString
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • IoDeleteSymbolicLink
    • IoDeleteDevice
    • IofCompleteRequest
    • KeStallExecutionProcessor
    • BCryptGenerateSymmetricKey
    • BCryptCloseAlgorithmProvider
    • BCryptOpenAlgorithmProvider
    • BCryptDestroyKey
    • BCryptDecrypt

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA12b4d0dead4c1a7cc95543748b3565cfa802e5256
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameasrdrv104.sys
    Creation Timestamp
    MD5
    SHA14a7d66874a0472a47087fabaa033a85d47413379
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand

    source

    last_updated: 2024-04-09