bcdboot[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bcdboot.exe
Size

242KB
MD5

238d661d9f978588c3ffff5ddbe10c3d
SHA1

7860ed7ae4e758acbbb803e6aff0a6ccf3c02bdc
SHA256

340b7df12c0afc58708a5adba76e702613dee6c8c30399920efe72146e7e44d7
SHA512

2d64267b4ba4d91ddf555ebf6b07a5f5f3a11fd327146d6a17d8168d6f73cfdf41587c40bc6c3ce9505f8a72cdd335b8b15d321af7d59c055ee8a406a8e5fb4e
SSDEEP

3072:l5yO4LP6gg/uYuMeyoRJLc15QIvoKHcfAn8L2eoH0vuHimNdE:l5yO+6luYfGLWoKHIAn8wuYN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bcdboot.exe

Files

bcdboot.exe
.exe windows x64

9fcfe0ef5d3b0f8a151d4bb5844796d6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

?terminate@@YAXXZ
_commode
_wcsicmp
_fmode
__C_specific_handler
memmove
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_initterm
memcpy
memcmp
_XcptFilter
fwprintf
_wsetlocale
wcscpy_s
fflush
swprintf_s
__setusermatherr
bsearch
wcsncmp
strncmp
strcpy_s
wcsnlen
wcsstr
_wcslwr
_snwscanf_s
wcsncpy_s
wcstoul
_ultow_s
wcschr
_vsnwprintf_s
fclose
_wfopen_s
wcscat_s
_wcsupr
wcsrchr
_wcsnicmp
_vsnwprintf
__iob_func
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

kernel32

LoadLibraryW
HeapAlloc
WriteConsoleW
GetProcAddress
GetProcessHeap
FreeLibrary
WideCharToMultiByte
GetFileType
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
QueryDosDeviceW
GetFileSizeEx
DeviceIoControl
GetVolumePathNameW
CreateFileW
UnmapViewOfFile
GetConsoleMode
GetCurrentThread
CloseHandle
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetVolumeInformationW
FindFirstFileW
FindNextFileW
GetModuleFileNameW
WriteFile
GetStdHandle
GetPrivateProfileSectionW
FindClose
GetFileAttributesW
GetConsoleOutputCP
SetFileAttributesW
MoveFileExW
HeapFree
SearchPathW
GetLogicalDrives
FindFirstVolumeW
SetVolumeMountPointW
LocalFree
FindVolumeClose
DeleteVolumeMountPointW
FindNextVolumeW
LoadLibraryExW
GetLastError
CreateDirectoryW
SetLastError
FormatMessageW
LoadResource
FindResourceExW
GetVersionExW
GetModuleHandleExW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetFileInformationByHandleEx
GetFileInformationByHandle
SetFileInformationByHandle
DeleteFileW
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeNameForVolumeMountPointW

advapi32

EventRegister
EventUnregister
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
RegQueryValueExW
SetNamedSecurityInfoW
GetSecurityDescriptorControl
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
EventWriteTransfer
RegCloseKey
RegOpenKeyExW

shlwapi

PathRemoveBackslashW

ntdll

ZwQueryKey
ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenSymbolicLinkObject
RtlSetDaclSecurityDescriptor
NtOpenKey
NtQuerySymbolicLinkObject
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
RtlFreeSid
RtlCreateAcl
RtlCreateSecurityDescriptor
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
ZwCreateFile
ZwWaitForSingleObject
ZwLoadKey
ZwFlushKey
ZwDeleteValueKey
ZwSaveKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
RtlImpersonateSelf
ZwCreateKey
RtlAppendUnicodeToString
ZwQuerySystemInformation
RtlAllocateHeap
LdrAccessResource
LdrFindResource_U
RtlCompareMemory
RtlFreeHeap
RtlStringFromGUID
NtSetInformationFile
RtlFreeUnicodeString
NtQuerySystemInformation
NtOpenFile
NtWaitForSingleObject
RtlNtStatusToDosError
NtQueryInformationThread
NtQueryInformationFile
NtCreateEvent
NtClose
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
NtWriteFile
RtlInitUnicodeString
RtlGUIDFromString
ZwQueryAttributesFile

Sections

.text
Size: 137KB - Virtual size: 136KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9fcfe0ef5d3b0f8a151d4bb5844796d6

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

rpcrt4

imagehlp

kernel32

advapi32

shlwapi

ntdll

Sections

.text Size: 137KB - Virtual size: 136KB

.rdata Size: 86KB - Virtual size: 86KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 137KB - Virtual size: 136KB

.rdata
Size: 86KB - Virtual size: 86KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 2KB - Virtual size: 1KB