bcdboot[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

bcdboot.exe
Size

188KB
MD5

be14be7c8f7f0f4e397b89979cb9cf6b
SHA1

7f59be597069c91c8caddf08d12ba8fbbd65b66f
SHA256

309f3eccb0093cc6cc98f858bd3ce67b00bb810728ffb177b7bd287fb3c92b97
SHA512

0cf26478d1b80a6b68853e298e944bce6d2e21fbbe7a6711ddaa66e2b9f2bca0f941a6ee2f694b05d5b7588339181104d1b74fd49a991e2cb0e86b72e124b7cc
SSDEEP

3072:JwOQQMWHjqtcrwZjKHiqbuFoZV+S8e5lmOoeLD8JgETi9:WBQMWHjqS0ZuCaNV/GeEiETi9

Score

1^/10

Malware Config

Signatures

Files

bcdboot.exe
.exe windows x64

9517567887d29e8a932036effb134d66

Code Sign

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/10/2015, 18:14

Not After

07/01/2017, 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

Actual PE Digest

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8

Digest Algorithm

sha256

PE Digest Matches

true

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

Actual PE Digest

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
GetVolumeNameForVolumeMountPointW
FindFirstFileW
MoveFileExW
GetFileAttributesW
GetUserDefaultUILanguage
GetVersionExW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW
CreateDirectoryW
GetFileInformationByHandle
DeviceIoControl
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeInformationW
SetFileAttributesW
GetPrivateProfileSectionW
FindNextFileW
FindClose
GetLastError

msvcrt

wcstoul
wcscat_s
_ultow_s
wcsncpy_s
wcsstr
_wcslwr
memset
_snwscanf_s
strncmp
wcsncmp
bsearch
__iob_func
memcmp
memcpy
wcschr
_vsnwprintf_s
fflush
fwprintf
_vsnwprintf
wcsnlen
wcsrchr
memmove
_wcsupr
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
wcscpy_s
_wsetlocale
_wcsicmp
swprintf_s
_wcsnicmp

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtEnumerateBootEntries
NtOpenDirectoryObject
NtQueryDirectoryObject
NtTranslateFilePath
NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ZwCreateEvent
NtAdjustPrivilegesToken
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenProcessTokenEx
LdrGetDllHandle
LdrGetProcedureAddress
RtlInitAnsiString
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
ZwDeleteKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwSaveKey
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
ZwCreateKey
ZwUnloadKey
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwOpenFile
ZwClose
ZwWaitForSingleObject
ZwReleaseMutant
ZwOpenMutant
ZwQuerySystemInformation
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlStringFromGUID
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGUIDFromString
RtlInitUnicodeString
NtQueryBootEntryOrder

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9517567887d29e8a932036effb134d66

Code Sign

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8bCertificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7bCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8Signer

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

rpcrt4

imagehlp

shlwapi

ntdll

advapi32

Sections

.text Size: 100KB - Virtual size: 99KB

.rdata Size: 59KB - Virtual size: 59KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 2KB - Virtual size: 1KB

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 59KB - Virtual size: 59KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 2KB - Virtual size: 1KB