ec_efi[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ec_efi.zip
Size

71KB
MD5

bfac973057347eae01b6783cfbb7b2db
SHA1

66f211e574446b29f0333f2c8770923c86c34373
SHA256

48340416a009d8a2002e9c89e11e6fd3f1fc0c79cb459a7d47c8d47e05f000c9
SHA512

40fd782c3ae6b62b918090ff36db973c9a9d5d08d72631b2fff6557499982e8f0d07c10db767f0f78d87d853a18d1de827043bec75dab8b31c5e449e86a76947
SSDEEP

768:GqyunCogf6e8iozvvpmACiIC7195HqV952s9zmIoCr/SDUxYG7NVP3W0J8FV4Dyy:Hemz34RiL/052sfz+8jLPmuoyeebE6t

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/HVCI/EFI/BOOT/bootx64.efi

Files

ec_efi.zip
.zip
COMPATIBILITY/EFI/BOOT/bootx64.efi
.dll windows:10 windows x64 arch:x64

b2b29a92ba51166bae112798b2eab93b

Code Sign

18:91:69:9e:df:89:6a:ae:44:63:35:8f:c2:4d:5c:00
Certificate

Issuer

CN=WDKTestCert Juho\,133554283027714272

Not Before

20/03/2024, 17:11

Not After

20/03/2034, 00:00

Subject

CN=WDKTestCert Juho\,133554283027714272

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageKeyEncipherment
KeyUsageDataEncipherment

5e:61:59:55:00:2f:b7:bb:5e:de:0b:af:df:8d:cd:dc:d0:cd:67:30:d9:dd:ae:04:b6:18:c6:46:93:34:42:5b
Signer

Actual PE Digest

5e:61:59:55:00:2f:b7:bb:5e:de:0b:af:df:8d:cd:dc:d0:cd:67:30:d9:dd:ae:04:b6:18:c6:46:93:34:42:5b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ExFreePoolWithTag
MmGetPhysicalAddress
MmIsAddressValid
PsGetProcessId
PsGetProcessImageFileName
PsGetProcessExitProcessCalled
PsGetProcessPeb
PsGetProcessWow64Process
PsInitialSystemProcess
PsLoadedModuleList
wcsstr
RtlInitUnicodeString
KeLowerIrql
KfRaiseIrql
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
IofCompleteRequest
IoReleaseRemoveLockEx
ObfDereferenceObject
NtReadFile
ObQueryNameString
PsGetThreadWin32Thread
ObReferenceObjectByName
IoDriverObjectType

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
HVCI/EFI/BOOT/bootx64.efi
.dll windows:10 windows x64 arch:x64

b2b29a92ba51166bae112798b2eab93b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ExFreePoolWithTag
MmGetPhysicalAddress
MmIsAddressValid
PsGetProcessId
PsGetProcessImageFileName
PsGetProcessExitProcessCalled
PsGetProcessPeb
PsGetProcessWow64Process
PsInitialSystemProcess
PsLoadedModuleList
wcsstr
RtlInitUnicodeString
KeLowerIrql
KfRaiseIrql
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
IofCompleteRequest
IoReleaseRemoveLockEx
ObfDereferenceObject
NtReadFile
ObQueryNameString
PsGetThreadWin32Thread
ObReferenceObjectByName
IoDriverObjectType

Sections

.text
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

b2b29a92ba51166bae112798b2eab93b

Code Sign

18:91:69:9e:df:89:6a:ae:44:63:35:8f:c2:4d:5c:00Certificate

Extended Key Usages

Key Usages

5e:61:59:55:00:2f:b7:bb:5e:de:0b:af:df:8d:cd:dc:d0:cd:67:30:d9:dd:ae:04:b6:18:c6:46:93:34:42:5bSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 58KB - Virtual size: 57KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 1024B - Virtual size: 824B

b2b29a92ba51166bae112798b2eab93b

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 59KB - Virtual size: 58KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 1024B - Virtual size: 824B

18:91:69:9e:df:89:6a:ae:44:63:35:8f:c2:4d:5c:00
Certificate

5e:61:59:55:00:2f:b7:bb:5e:de:0b:af:df:8d:cd:dc:d0:cd:67:30:d9:dd:ae:04:b6:18:c6:46:93:34:42:5b
Signer

.text
Size: 58KB - Virtual size: 57KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 1024B - Virtual size: 824B

.text
Size: 59KB - Virtual size: 58KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 1024B - Virtual size: 824B