9c4e45c8-8f99-40b4-bb73-2e1cfa813034

927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11 :inline

Description

According to Sophos X-Ops (Aug 06, 2025), a widely shared EDR-killer toolkit drops/loads a malicious kernel driver signed with compromised or revoked certificates to disable endpoint protections. Variants target many vendors, and are commonly HeartCrypt-packed and used by ransomware groups (e.g., RansomHub, INC). The payload uses hard-coded driver names (e.g., mraml.sys, noedt.sys) and kills security services/processes.

  • UUID: 9c4e45c8-8f99-40b4-bb73-2e1cfa813034
  • Created: 2025-08-08
  • Author: Michael Haag
  • Acknowledgement: Michael Haag | m_haggis

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create 927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11 binPath=C:\windows\temp\927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11 type=kernel && sc.exe start 927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/

    • Known Vulnerable Samples

    PropertyValue
    Filename927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
    Creation Timestamp2011-10-25 11:26:20
    MD513ab592c51354e97611b4a77859f3ce7
    SHA18cd5c8ec1638e178d985bb01777bf0e5ffd1da06
    SHA256927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
    Authentihash MD50f8266bec93e8010eb14b1dd865acaf3
    Authentihash SHA156f83dfd635901406cb1e265be0e30b634f9d32c
    Authentihash SHA25664aee13f5b8a8becd8425b4248d55fccf7047de27291a22a5632a625b62af0ea
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Download

    Certificates

    Expand
    Certificate 72881f10cd248a33e61243a9e150ec1d
    FieldValue
    ToBeSigned (TBS) MD5624760813f627e4fafa0b8b64ebe43f5
    ToBeSigned (TBS) SHA14a69bc5f9523215cdd591b21f11b6944cb0a4888
    ToBeSigned (TBS) SHA2565d6985cb9bce20635df75b2f112bd55c961c0f144a3780283e61596dcbb25027
    SubjectCN=Fuzhou Dingxin Trade Co., Ltd.,O=Fuzhou Dingxin Trade Co., Ltd.,L=Fuzhou,ST=Fujian,C=CN
    ValidFrom2011-09-09 00:00:00
    ValidTo2012-09-08 23:59:59
    Signature3e2711c8787a7549ad9cb9cfa5084c7c4121368af76d17505b0f26c7f45b5ce504f5f7f7e870d5206effbd49dbccb827177ac985771d6974b72817d4f9d2ccaf8e65660f691de5e096b292ee7436bd167de254e0a587c66c4cc9f846f9c312089db032f9fbc2698c0767065a8e5bb1f3557ab75d8d34430c0f6bc3636e299287f91968eb15bede16a847c074764c56ee771e970ae2c14cd2e55bf52424d36d458dc3fb364914ea9e644e96223af33e755303864776399e71c40cc33be6f26b29fe9587ba28f2038109b901067db9718b4a3394f161a30c6b89a2c36c280cec6d6e2e14649c9af7575b25f0a251ba0e35b8c2bac1aaf2071e81fccd1e06c7bc0f
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber72881f10cd248a33e61243a9e150ec1d
    Version3
    Certificate 47974d7873a5bcab0d2fb370192fce5e
    FieldValue
    ToBeSigned (TBS) MD5e3a93dc2a8a8a668fdbb286bfe9afab5
    ToBeSigned (TBS) SHA195795d2aa2a554a423bc8c6e5b0a016d14887d35
    ToBeSigned (TBS) SHA256d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e
    SubjectCN=Thawte Code Signing CA , G2,O=Thawte, Inc.,C=US
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47974d7873a5bcab0d2fb370192fce5e
    Version3
    Certificate 611fb0a400000000001d
    FieldValue
    ToBeSigned (TBS) MD5a3f222107d4e1085e73b5b589c2f480b
    ToBeSigned (TBS) SHA1b94aa26cd77c48d91a53ac44506cbd255e1d362c
    ToBeSigned (TBS) SHA256a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    SubjectCN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. , For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US
    ValidFrom2011-02-22 19:31:57
    ValidTo2021-02-22 19:41:57
    Signature2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611fb0a400000000001d
    Version3

    Imports

    Expand
    • FLTMGR.SYS
    • ntoskrnl.exe
    • HAL.dll
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • FltGetVolumeInformation
    • _wcsicmp
    • HalReturnToFirmware
    • ExAllocatePool
    • NtQuerySystemInformation
    • ExFreePoolWithTag
    • IoAllocateMdl
    • MmProbeAndLockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnlockPages
    • IoFreeMdl
    • KeQueryActiveProcessors
    • KeSetSystemAffinityThread
    • KeRevertToUserAffinityThread
    • DbgPrint
    • KeQueryPerformanceCounter

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .gCL
    • .i#b
    • .m2+
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "72881f10cd248a33e61243a9e150ec1d",
      "Signature": "3e2711c8787a7549ad9cb9cfa5084c7c4121368af76d17505b0f26c7f45b5ce504f5f7f7e870d5206effbd49dbccb827177ac985771d6974b72817d4f9d2ccaf8e65660f691de5e096b292ee7436bd167de254e0a587c66c4cc9f846f9c312089db032f9fbc2698c0767065a8e5bb1f3557ab75d8d34430c0f6bc3636e299287f91968eb15bede16a847c074764c56ee771e970ae2c14cd2e55bf52424d36d458dc3fb364914ea9e644e96223af33e755303864776399e71c40cc33be6f26b29fe9587ba28f2038109b901067db9718b4a3394f161a30c6b89a2c36c280cec6d6e2e14649c9af7575b25f0a251ba0e35b8c2bac1aaf2071e81fccd1e06c7bc0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=Fuzhou Dingxin Trade Co., Ltd.,O=Fuzhou Dingxin Trade Co., Ltd.,L=Fuzhou,ST=Fujian,C=CN",
      "TBS": {
        "MD5": "624760813f627e4fafa0b8b64ebe43f5",
        "SHA1": "4a69bc5f9523215cdd591b21f11b6944cb0a4888",
        "SHA256": "5d6985cb9bce20635df75b2f112bd55c961c0f144a3780283e61596dcbb25027",
        "SHA384": "a77c2ac8e07e16e534ef036c7c7b30ba56ee47c88dc7f8c22e6fdbb234eb50a85222aa9ab24148053fec4049c4cb5fe9"
      },
      "ValidFrom": "2011-09-09 00:00:00",
      "ValidTo": "2012-09-08 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": true,
      "SerialNumber": "47974d7873a5bcab0d2fb370192fce5e",
      "Signature": "56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=Thawte Code Signing CA , G2,O=Thawte, Inc.,C=US",
      "TBS": {
        "MD5": "e3a93dc2a8a8a668fdbb286bfe9afab5",
        "SHA1": "95795d2aa2a554a423bc8c6e5b0a016d14887d35",
        "SHA256": "d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e",
        "SHA384": "78d972495720b43a6470b18ae1226bcca20707628087717a9364c14ca053ba264e6d149718b103542d9942200138a69d"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "611fb0a400000000001d",
      "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. , For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US",
      "TBS": {
        "MD5": "a3f222107d4e1085e73b5b589c2f480b",
        "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
        "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
        "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
      },
      "ValidFrom": "2011-02-22 19:31:57",
      "ValidTo": "2021-02-22 19:41:57",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "CN=Thawte Code Signing CA , G2,O=Thawte, Inc.,C=US",
      "SerialNumber": "72881f10cd248a33e61243a9e150ec1d",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-08-28