bfsvc[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

bfsvc.exe
Size

108KB
MD5

aec2ae40f01d8f2a9f159de1fdc4961d
SHA1

6bb23e99504f2a01af96308cdd4908e5a0859432
SHA256

71bdc378d175b6b2df23f5f8d394e5e90805a4e0b3e346588dc7dfe14de3dcfa
SHA512

268bda90710fcef2c6e22552968557afaa18aa1669de6d225c41ce919ed70539aed0d6fa7204282abcc7695226278c6f646fed886c256c9ca4c6e6f8760a9869
SSDEEP

1536:p3MUZobpQ76GHedxqgX65XDd2QKXWmxYej4eBK0v:tSplGHevPX65XDdov+ejHoe

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bfsvc.exe

Files

bfsvc.exe
.exe windows:10 windows x64 arch:x64

4f5a2ab974ab5b0fcfe38aac2a4c390c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

wcsstr
_wcsicmp
wcsnlen
__iob_func
_wcslwr
memcpy
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
wcsncmp
exit
swprintf_s
fwprintf
_vsnwprintf_s
fflush
wcschr
wcsrchr
_wcsnicmp
_vsnwprintf
__set_app_type
__wgetmainargs
_snwscanf_s
_amsg_exit
_XcptFilter
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

ntdll

NtEnumerateBootEntries
NtQueryDirectoryObject
NtOpenDirectoryObject
NtTranslateFilePath
NtQueryBootOptions
NtQueryBootEntryOrder
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenKey
NtOpenSymbolicLinkObject
RtlImpersonateSelf
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtAdjustPrivilegesToken
RtlFreeHeap
RtlAllocateHeap
NtSetInformationFile
LdrAccessResource
LdrFindResource_U
NtOpenFile
NtQueryInformationThread
NtQueryInformationFile
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtClose
RtlInitUnicodeString
NtWriteFile
NtQuerySystemInformation
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
TerminateProcess
GetCurrentProcessId
OpenProcessToken
GetStartupInfoW
GetCurrentProcess
OpenThreadToken
GetCurrentThreadId

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

GetFullPathNameW
GetLongPathNameW
FlushFileBuffers
DeleteFileW
GetVolumeInformationW
FindFirstFileW
GetFileSizeEx
CreateDirectoryW
FindNextFileW
WriteFile
SetFileInformationByHandle
GetFileAttributesW
SetFileAttributesW
FindClose
GetVolumePathNameW
GetFileInformationByHandle
CreateFileW

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-privateprofile-l1-1-0

GetPrivateProfileSectionW

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l2-1-0

MoveFileExW
CopyFileExW
GetFileInformationByHandleEx

api-ms-win-core-shlwapi-legacy-l1-1-0

PathRemoveBackslashW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorSacl
GetTokenInformation
AdjustTokenPrivileges
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-security-provider-l1-1-0

SetNamedSecurityInfoW

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

Sections

.text
Size: 52KB - Virtual size: 50KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4f5a2ab974ab5b0fcfe38aac2a4c390c

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

rpcrt4

imagehlp

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-privateprofile-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

Sections

.text Size: 52KB - Virtual size: 50KB

.rdata Size: 36KB - Virtual size: 32KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 1KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 76B

.text
Size: 52KB - Virtual size: 50KB

.rdata
Size: 36KB - Virtual size: 32KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 76B