bcdboot[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bcdboot.exe
Size

252KB
MD5

d80ea1f683c62426a1250796197c3139
SHA1

ff29fbaadfd2f7033e51496885739cdc959d019f
SHA256

1ff0d2d9508cb578d9387e60108ee08c4ca4bd7799422954c8bd089aca041f87
SHA512

53a8ff3f5c56c75745f947bc69f0753d388ec6b11d1f14b2fff6088ea8492fc4137686515bb3af94778a1ee89786032a1a5a7a7fbcedeab447417953a85b04b4
SSDEEP

3072:ywPL8wbtvxgdlnY/3soVXIEH9UWJt+0dSr1eSeRRjJUJoBuRCwD:3P1vx4YB/HDJdSr1qxWP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bcdboot.exe

Files

bcdboot.exe
.exe windows:10 windows x64 arch:x64

a12c474d8d53fd51c10c5b915bdac3e3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_wcsicmp
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
memmove
_cexit
_exit
exit
__set_app_type
_initterm
memcpy
memcmp
__wgetmainargs
_amsg_exit
_XcptFilter
fwprintf
_wsetlocale
wcscpy_s
fflush
swprintf_s
__setusermatherr
strncmp
strcpy_s
wcsnlen
wcsstr
_wcslwr
_snwscanf_s
wcsncpy_s
wcstoul
_ultow_s
wcsncmp
wcschr
_vsnwprintf_s
fclose
_wfopen_s
wcscat_s
_wcsupr
wcsrchr
_wcsnicmp
_vsnwprintf
__iob_func
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

kernel32

LoadLibraryW
HeapAlloc
WriteConsoleW
GetProcAddress
GetProcessHeap
FreeLibrary
WideCharToMultiByte
GetFileType
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
QueryDosDeviceW
GetFileSizeEx
DeviceIoControl
GetVolumePathNameW
CreateFileW
UnmapViewOfFile
GetVolumeNameForVolumeMountPointW
GetCurrentThread
GetConsoleMode
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetVolumeInformationW
FindFirstFileW
FindNextFileW
GetModuleFileNameW
WriteFile
GetStdHandle
GetPrivateProfileSectionW
FindClose
GetFileAttributesW
GetConsoleOutputCP
SetFileAttributesW
MoveFileExW
HeapFree
GetLastError
GetLogicalDrives
FindFirstVolumeW
SetVolumeMountPointW
LocalFree
FindVolumeClose
DeleteVolumeMountPointW
FindNextVolumeW
LoadLibraryExW
SetLastError
CreateDirectoryW
FormatMessageW
LoadResource
FindResourceExW
LCIDToLocaleName
GetVersionExW
GetUserDefaultUILanguage
GetModuleHandleExW
GetLocaleInfoEx
GetSystemDefaultUILanguage
GetFileInformationByHandleEx
GetFileInformationByHandle
SetFileInformationByHandle
DeleteFileW
CopyFileExW
GetFullPathNameW
GetLongPathNameW
GetLocaleInfoW
LocaleNameToLCID
CloseHandle
SearchPathW

advapi32

EventRegister
EventUnregister
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
SetNamedSecurityInfoW
GetSecurityDescriptorControl
RegQueryValueExW
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
EventWriteTransfer
RegCloseKey
RegOpenKeyExW

shlwapi

PathRemoveBackslashW

ntdll

ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenSymbolicLinkObject
RtlSetDaclSecurityDescriptor
NtOpenKey
NtQuerySymbolicLinkObject
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
RtlFreeSid
RtlCreateAcl
RtlCreateSecurityDescriptor
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
ZwCreateFile
ZwCreateKey
ZwQueryKey
ZwFlushKey
ZwDeleteValueKey
ZwSaveKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
RtlImpersonateSelf
ZwLoadKey
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwQuerySystemInformation
RtlAllocateHeap
LdrAccessResource
LdrFindResource_U
RtlCompareMemory
RtlFreeHeap
RtlStringFromGUID
NtSetInformationFile
RtlFreeUnicodeString
NtQuerySystemInformation
NtOpenFile
NtWaitForSingleObject
RtlNtStatusToDosError
NtQueryInformationThread
NtQueryInformationFile
NtCreateEvent
NtClose
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
NtWriteFile
RtlInitUnicodeString
RtlGUIDFromString
ZwWaitForSingleObject

Sections

.text
Size: 148KB - Virtual size: 144KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a12c474d8d53fd51c10c5b915bdac3e3

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

rpcrt4

imagehlp

kernel32

advapi32

shlwapi

ntdll

Sections

.text Size: 148KB - Virtual size: 144KB

.rdata Size: 76KB - Virtual size: 74KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 12KB - Virtual size: 11KB

.reloc Size: 4KB - Virtual size: 196B

.text
Size: 148KB - Virtual size: 144KB

.rdata
Size: 76KB - Virtual size: 74KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 12KB - Virtual size: 11KB

.reloc
Size: 4KB - Virtual size: 196B