bootx64[.]efi | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bootx64.efi
Size

68KB
MD5

c3910ac5e9b234740ce96893684f4afd
SHA1

68c5a06fd18df26b0218f226330ee8453443e617
SHA256

7f90209c37d323f150ef7a344f32de330959d23c3bba6727caf12077ed6430db
SHA512

1183b5118e070978ca43a5f8ab06985ac327ae4733cdc745321ea662364a73f54b52987f67dd835e20129824dc350b9879ad6e87e1ce109722e1f8cdbd0fc408
SSDEEP

768:chYtcGVh3qCkzg8M8SiMFlegWc073rHYOhV8RpSKY2GMk25XPoLEl2fCsqlQgREJ:IGupdMvv078OU7NjGMN6LCdnE/GpeR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bootx64.efi

Files

bootx64.efi
.dll windows:10 windows x64 arch:x64

b2b29a92ba51166bae112798b2eab93b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ExFreePoolWithTag
MmGetPhysicalAddress
MmIsAddressValid
PsGetProcessId
PsGetProcessImageFileName
PsGetProcessExitProcessCalled
PsGetProcessPeb
PsGetProcessWow64Process
PsInitialSystemProcess
PsLoadedModuleList
wcsstr
RtlInitUnicodeString
KeLowerIrql
KfRaiseIrql
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
IofCompleteRequest
IoReleaseRemoveLockEx
ObfDereferenceObject
NtReadFile
ObQueryNameString
PsGetThreadWin32Thread
ObReferenceObjectByName
IoDriverObjectType

Sections

.text
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE