9164d869-3953-40eb-91e4-26a837e3aacc

bootmgfw.efi

Description

This was provided by Microsoft and revoked May-23

UUID: 9164d869-3953-40eb-91e4-26a837e3aacc
Created: 2023-05-22
Author: Michael Haag
Acknowledgement: |

This download link contains the Revoked Bootloader!

Commands


          1
          bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootmgfw.efi } }

not set

Use Case	Privileges	Operating System
Persistence		32-bit

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed bootloader files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://uefi.org/revocationlistfile

https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

CVE

Black Lotus Microsoft Windows 8.1

Known Vulnerable Samples

Property	Value
Filename	bootmgfw.efi
MD5	c6697cdbcf51cc54053438e644243327
SHA1	056c3b1ab4f9b248ffc5285f299a2653839357f2
SHA256	1eadf7bf5fde916884a4beb82dd68ba50be05413f00aae8571190a2eaa462640
Authentihash MD5	e518520c0709c922714f016a9ec3d893
Authentihash SHA1	3ef1fcd520f386618b77de8759b40d169b042708
Authentihash SHA256	05729029ef940c5e6ee96b3b1253c08783c01329bce2e9951bc22a09223fc15c
RichPEHeaderHash MD5	c3a45277e34522772d2ffb9c618850dd
RichPEHeaderHash SHA1	ccaa1ad0944140bed3cf64cdaf8c9d2004c29074
RichPEHeaderHash SHA256	474fc92022c5254d909bd3560e682dc6a340333b34b82d63e8b9a575cf09b292
Company	Microsoft Corporation
Description	Boot Manager
Product	Microsoft® Windows® Operating System
OriginalFilename	bootmgr.exe

Certificates

Expand

Certificate 330000033c89c66a7b45bb1fbd00000000033c

Field	Value
ToBeSigned (TBS) MD5	46f57c3b860b08484cb79066ac1014ad
ToBeSigned (TBS) SHA1	c1fe3ab97b834a98460e4ae92fe2468d16f61a92
ToBeSigned (TBS) SHA256	d78e6b22fec42de5200f6c56731dd6742c79fa2bf7c01c8dc04d3d5738474c9b
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows
ValidFrom	2021-09-02 18:23:41
ValidTo	2022-09-01 18:23:41
Signature	699045742c403812de1bdf9ea2be22132e82a7c006ab278e0c9f460bd435386348031a6b5cbdf450ae5a243331dcb2cc7eace8371cf71ec35a6f663147bd211ea357614e6a611eeacca6486a778d4cd788106ade12d6625574e7a89ecab4eb0bb99295c498dd5f565680a2d26bf2545e727c4204023c48d8021b608fd901c6fefd16ce0c3a669fb0ce758dc671f2cdd7434c163f9de9453e5523d94a78205c828a4615e50330d9f52a8a77f7683d2b61ff1324382d40d31001c518b56b286fbb8c754f6940590c2071385ed0a9387b529c06bf71fff89c74634550fc331b389d558696ace05787144e5af53d20a75a84981bf8380ddac3743f407d8ff27c089e
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	False
SerialNumber	330000033c89c66a7b45bb1fbd00000000033c
Version	3

Certificate 61077656000000000008

Field	Value
ToBeSigned (TBS) MD5	30a3f0b64324ed7f465e7fc618cb69e7
ToBeSigned (TBS) SHA1	002de3561519b662c5e3f5faba1b92c403fb7c41
ToBeSigned (TBS) SHA256	4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146
Subject	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
ValidFrom	2011-10-19 18:41:42
ValidTo	2026-10-19 18:51:42
Signature	14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e
SignatureAlgorithmOID	1.2.840.113549.1.1.11
IsCertificateAuthority	True
SerialNumber	61077656000000000008
Version	3

Imports

Expand

Imports

Expand

ImportedFunctions

Expand

ExportedFunctions

Expand

Signature

Expand


          1
          {
        
          2
          "Certificates": [
        
          3
          {
        
          4
          "IsCertificateAuthority": false,
        
          5
          "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c",
        
          6
          "Signature": "699045742c403812de1bdf9ea2be22132e82a7c006ab278e0c9f460bd435386348031a6b5cbdf450ae5a243331dcb2cc7eace8371cf71ec35a6f663147bd211ea357614e6a611eeacca6486a778d4cd788106ade12d6625574e7a89ecab4eb0bb99295c498dd5f565680a2d26bf2545e727c4204023c48d8021b608fd901c6fefd16ce0c3a669fb0ce758dc671f2cdd7434c163f9de9453e5523d94a78205c828a4615e50330d9f52a8a77f7683d2b61ff1324382d40d31001c518b56b286fbb8c754f6940590c2071385ed0a9387b529c06bf71fff89c74634550fc331b389d558696ace05787144e5af53d20a75a84981bf8380ddac3743f407d8ff27c089e",
        
          7
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
        
          8
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
        
          9
          "TBS": {
        
          10
          "MD5": "46f57c3b860b08484cb79066ac1014ad",
        
          11
          "SHA1": "c1fe3ab97b834a98460e4ae92fe2468d16f61a92",
        
          12
          "SHA256": "d78e6b22fec42de5200f6c56731dd6742c79fa2bf7c01c8dc04d3d5738474c9b"
        
          13
          },
        
          14
          "ValidFrom": "2021-09-02 18:23:41",
        
          15
          "ValidTo": "2022-09-01 18:23:41",
        
          16
          "Version": 3
        
          17
          },
        
          18
          {
        
          19
          "IsCertificateAuthority": true,
        
          20
          "SerialNumber": "61077656000000000008",
        
          21
          "Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
        
          22
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
        
          23
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
        
          24
          "TBS": {
        
          25
          "MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
        
          26
          "SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
        
          27
          "SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146"
        
          28
          },
        
          29
          "ValidFrom": "2011-10-19 18:41:42",
        
          30
          "ValidTo": "2026-10-19 18:51:42",
        
          31
          "Version": 3
        
          32
          }
        
          33
          ],
        
          34
          "CertificatesInfo": "",
        
          35
          "Signer": [
        
          36
          {
        
          37
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
        
          38
          "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c",
        
          39
          "Version": 1
        
          40
          }
        
          41
          ],
        
          42
          "SignerInfo": ""
        
          43
          }

...

not set

source

last_updated: 2023-08-31