Description
Hello!
I’m submitting this vulnerable driver update on behalf of ReliaQuest.
Throughout multiple investigations, we have observed repeated loads of the WinRing0 kernel driver; however, it is rarely deployed on disk as WinRing0.sys. In most cases, the same driver lineage appears under alternate filenames (most commonly OpenHardwareMonitorLib.sys), which can make identification difficult and can lead to issues when attempts are made to detect or block the file from loading.
Based on our research and OSINT, the following hashes have been observed for this driver family in environments where it is loaded:
SHA256: 206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597 (commonly observed as OpenHardwareMonitorLib.sys)
SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 (commonly labeled as WinRing0.sys, also observed in the wild as OpenHardwareMonitorLib.sys)
If possible, it may be beneficial to treat WinRing0/OpenLibSys-derived drivers as a family and account for known alternate filenames (not solely WinRing0.sys).
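One way to act on the "treat it as a family" point: match drivers on disk by content hash first and treat the filename only as a hint. This is an added example, not code from the issue author or from the repository; the hash table is the two SHA256 values quoted above, the alias set is the two filenames the issue names, and the scan root, `scan_directory`/`classify` names and verdict strings are assumptions of this example.

```python
import hashlib
import os

# SHA256 values reported in this issue for the WinRing0/OpenLibSys driver family,
# keyed by content hash so the on-disk filename plays no role in matching.
WINRING0_FAMILY = {
    "206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597":
        "WinRing0 (commonly observed as OpenHardwareMonitorLib.sys)",
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5":
        "WinRing0 (labeled WinRing0.sys, also seen as OpenHardwareMonitorLib.sys)",
}

# Filenames the family has been observed under (from the issue). Informational only:
# an unlisted name with a known hash is still a hit, and a listed name with an
# unknown hash is just a lead worth a closer look (e.g. a rebuilt variant).
KNOWN_ALIASES = {"winring0.sys", "openhardwaremonitorlib.sys"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(sha256_hex, filename, family=WINRING0_FAMILY):
    """Verdict for one file: a hash match beats the filename every time."""
    sha256_hex = sha256_hex.lower()
    label = family.get(sha256_hex)
    alias = os.path.basename(filename).lower() in KNOWN_ALIASES
    if label:
        verdict = "family-hash-match"
    elif alias:
        verdict = "alias-name-unknown-hash"
    else:
        verdict = "no-match"
    return {"file": filename, "sha256": sha256_hex, "label": label,
            "known_alias": alias, "verdict": verdict}


def scan_directory(root, family=WINRING0_FAMILY):
    """Hash every .sys under root and classify it by content, not by name."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".sys"):
                path = os.path.join(dirpath, name)
                findings.append(classify(sha256_file(path), path, family))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for hit in scan_directory(root):
        if hit["verdict"] != "no-match":
            print(hit["verdict"], hit["file"], hit["sha256"], hit["label"] or "")
```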