bcdedit[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bcdedit.exe
Size

341KB
MD5

d5f797fc4d5434eb677a09c143962231
SHA1

ff829d4f431715b27547e862a9d4d65764e5c35e
SHA256

85a43c95bc60213353be0960cc2947b8f458b6470c683fe18f35e0469c47d2d1
SHA512

188dbf3dd6eb171ff60634feac855d1df1801230bf96c06d39bfe1196aada4385f9ba4bdc48fdbbd8a31e7c8a60f5a6f9999e91e95199b33001cc76c858aac80
SSDEEP

3072:322q+HRw3etMbIFb9qYRDsxc8XDwHLFIEf9Ox2tV0uRhdNV/ysXo3HD62xKe1P/z:3K3etM8FbvDsxlz+5l0m

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bcdedit.exe

Files

bcdedit.exe
.exe windows:6 windows x64

8fbe33e1dd6b0213c53daa4759b7b7c2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

kernel32

GetStdHandle
GetFileType
GetConsoleMode
WriteConsoleW
GetConsoleOutputCP
WideCharToMultiByte
WriteFile
CreateFileW
CloseHandle
DeviceIoControl
FormatMessageW
LocalFree
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary
SetLastError
QueryDosDeviceW
CreateFileMappingW
GetVersionExW
GetLocaleInfoW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
UnmapViewOfFile
MapViewOfFile
SearchPathW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
RtlCompareMemory
GetLastError
GetUserDefaultUILanguage

msvcrt

?terminate@@YAXXZ
memcpy
memcmp
memset
bsearch
wcsncmp
_snwscanf_s
_wcslwr
_wcsupr
wcsnlen
strncmp
wcsstr
wcsrchr
wcsncpy_s
wcscat_s
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_wsetlocale
towupper
iswspace
_vsnwprintf
swprintf_s
wcschr
wcscpy_s
_ultow_s
_ui64tow_s
_wcstoui64
wcstoul
_wcsnicmp
_wcsicmp
memmove

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtClose
NtOpenFile
RtlStringFromGUID
RtlGUIDFromString
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlFreeUnicodeString
ZwOpenMutant
ZwReleaseMutant
ZwWaitForSingleObject
ZwClose
ZwOpenFile
RtlAllocateHeap
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwUnloadKey
ZwCreateKey
RtlCreateAcl
RtlFreeSid
RtlSetDaclSecurityDescriptor
ZwDeleteValueKey
ZwSetValueKey
ZwSaveKey
ZwCreateFile
ZwQueryValueKey
RtlLengthSecurityDescriptor
ZwSetSecurityObject
RtlAddAccessAllowedAceEx
ZwLoadKey
RtlAllocateAndInitializeSid
ZwDeleteKey
ZwEnumerateKey
RtlLengthSid
RtlCreateSecurityDescriptor
ZwQueryKey
ZwOpenKey
RtlSetOwnerSecurityDescriptor
RtlInitAnsiString
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryVolumeInformationFile
ZwDeleteFile
ZwQueryInformationFile
NtOpenProcessTokenEx
NtSetInformationThread
RtlImpersonateSelf
NtOpenThreadTokenEx
NtAdjustPrivilegesToken
ZwCreateEvent
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwDeviceIoControlFile
ZwResetEvent
NtQuerySystemInformation
ZwAllocateUuids
NtOpenKey
NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtWaitForSingleObject
NtCreateEvent
NtQueryValueKey
NtSetValueKey
NtResetEvent
NtQueryBootEntryOrder
NtTranslateFilePath
NtCreateKey
NtEnumerateBootEntries
NtSetSecurityObject
NtDeleteKey
RtlFreeHeap
RtlNtStatusToDosError
ZwQuerySystemInformation

Sections

.text
Size: 179KB - Virtual size: 179KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 147KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8fbe33e1dd6b0213c53daa4759b7b7c2

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

Sections

.text Size: 179KB - Virtual size: 179KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 3KB - Virtual size: 3KB

.idata Size: 6KB - Virtual size: 5KB

.rsrc Size: 147KB - Virtual size: 147KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 179KB - Virtual size: 179KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 3KB - Virtual size: 3KB

.idata
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 147KB - Virtual size: 147KB

.reloc
Size: 3KB - Virtual size: 2KB