efswrt[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

efswrt.dll
Size

604KB
MD5

d91bf25c82988f60c9b9ff17f4988234
SHA1

08a0101faaaac39a9eb62d4f61f0c8a551f4887b
SHA256

66426cbd88e62e794046007212c0fd9faf7c1d688b8d7e42c8eb7c8d4b060693
SHA512

717a99befb802daa42e6455d38f5e666266fe5231253ce923117c6641139c404ba34c3e7ed76be62c9478671596eeee47e873ac4cfe3439b58895aa60a116eea
SSDEEP

12288:vppyhzd95HyIYNey5acDs3nhXyAsjEMmyZJKy8oWR7Wp:Shzd95HyICey5assRCAsjEdyZJR8oWJ8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
efswrt.dll

Files

efswrt.dll
.dll windows:10 windows x86 arch:x86

89b0d925f63a3f063373ee0e9fff62a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

efswrt.pdb

Imports

msvcrt

_XcptFilter
memmove
memcpy
memcmp
_CxxThrowException
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_callnewh
_amsg_exit
free
_initterm
malloc
memmove_s
wcsrchr
_ui64tow_s
_purecall
?terminate@@YAXXZ
qsort
_wcsicmp
_vsnprintf_s
_lock
_unlock
__dllonexit
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
_onexit
??1exception@@UAE@XZ
??1type_info@@UAE@XZ
??3@YAXPAX@Z
??_V@YAXPAX@Z
realloc
wcstok_s
wcscpy_s
iswalpha
_wcsnicmp
wcsncmp
wcsstr
wcsnlen
wcschr
wcstoul
toupper
_except_handler4_common
memcpy_s
_vsnwprintf
__CxxFrameHandler3
memset

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
DisableThreadLibraryCalls
GetProcAddress
FreeLibrary
FindStringOrdinal
LoadLibraryExW
GetModuleHandleW
GetModuleFileNameA
GetModuleFileNameW
LoadStringW

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
WaitOnAddress
Sleep
SleepConditionVariableSRW
InitOnceExecuteOnce
WakeAllConditionVariable
WakeByAddressAll
InitOnceComplete

api-ms-win-core-synch-l1-1-0

ReleaseSemaphore
WaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateSemaphoreExW
CreateMutexW
TryAcquireSRWLockExclusive
InitializeCriticalSection
WaitForMultipleObjectsEx
WaitForSingleObjectEx
SetEvent
ReleaseSRWLockShared
CreateMutexExW
AcquireSRWLockShared
EnterCriticalSection
InitializeSRWLock
OpenSemaphoreW
LeaveCriticalSection
CreateEventExW
InitializeCriticalSectionEx
DeleteCriticalSection
TryAcquireSRWLockShared
TryEnterCriticalSection

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsCreateStringReference
HSTRING_UserFree
WindowsCreateString
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsDeleteString
HSTRING_UserUnmarshal
WindowsDuplicateString
WindowsGetStringLen
HSTRING_UserMarshal
HSTRING_UserSize

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetProcessId
OpenProcessToken
GetCurrentProcessId
OpenThreadToken
GetCurrentThread

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
SetRestrictedErrorInfo
RoTransformError
RoOriginateErrorW
GetRestrictedErrorInfo

api-ms-win-core-localization-l1-2-0

IdnToAscii
FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-eventing-provider-l1-1-0

EventProviderEnabled
EventSetInformation
EventUnregister
EventActivityIdControl
EventWriteTransfer
EventRegister

api-ms-win-core-com-l1-1-0

CoGetApartmentType
CoCreateInstance
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles
CoMarshalInterface
CoGetCallContext
CoReleaseMarshalData
CreateStreamOnHGlobal
CoMarshalInterThreadInterfaceInStream
CoIncrementMTAUsage
CoGetMalloc
CoGetCallerTID
CoDecrementMTAUsage
CoTaskMemAlloc
CoGetInterfaceAndReleaseStream
CoTaskMemFree
CoTaskMemRealloc

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExW
RegGetValueW
RegNotifyChangeKeyValue
RegCreateKeyExW
RegOpenCurrentUser
RegCloseKey

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolWaitCallbacks
CreateThreadpoolWork
CreateThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolTimerCallbacks
CloseThreadpoolWork
FreeLibraryWhenCallbackReturns
CreateThreadpoolTimer
SubmitThreadpoolWork
CloseThreadpoolWait
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-file-l1-1-0

GetVolumePathNameW
FindNextFileW
FindClose
GetLongPathNameW
GetFullPathNameW
GetFileAttributesW
CreateFileW
FindFirstFileW
GetDriveTypeW

api-ms-win-security-base-l1-1-0

GetLengthSid
GetSidSubAuthority
CopySid
GetSidSubAuthorityCount
GetTokenInformation
RevertToSelf
EqualSid
ImpersonateLoggedOnUser
GetAce

rpcrt4

NdrDllCanUnloadNow
UuidFromStringW
NdrCStdStubBuffer_Release
NdrDllGetClassObject
UuidCreateNil
NdrCStdStubBuffer2_Release
CStdStubBuffer_QueryInterface
CStdStubBuffer_Invoke
NdrStubForwardingFunction
IUnknown_Release_Proxy
NdrStubCall2
IUnknown_AddRef_Proxy
NdrOleAllocate
CStdStubBuffer_AddRef
CStdStubBuffer_DebugServerQueryInterface
I_RpcBindingInqLocalClientPID
NdrOleFree
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect
CStdStubBuffer_CountRefs
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
IUnknown_QueryInterface_Proxy

api-ms-win-core-com-midlproxystub-l1-1-0

NdrProxyForwardingFunction3
ObjectStublessClient16
ObjectStublessClient10
ObjectStublessClient17
ObjectStublessClient9
ObjectStublessClient8
NdrProxyForwardingFunction5
ObjectStublessClient6
NdrProxyForwardingFunction4
ObjectStublessClient19
CStdStubBuffer2_QueryInterface
ObjectStublessClient13
ObjectStublessClient7
CStdStubBuffer2_Disconnect
ObjectStublessClient15
ObjectStublessClient20
ObjectStublessClient18
ObjectStublessClient3
CStdStubBuffer2_CountRefs
ObjectStublessClient11
ObjectStublessClient14
ObjectStublessClient12
CStdStubBuffer2_Connect

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-winrt-error-l1-1-1

RoReportFailedDelegate
IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-processthreads-l1-1-1

OpenProcess
GetProcessMitigationPolicy

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-file-l2-1-0

GetFileInformationByHandleEx

oleaut32

SysFreeString

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-core-file-l1-2-0

GetTempPathW
GetVolumeNameForVolumeMountPointW

api-ms-win-core-path-l1-1-0

PathIsUNCEx
PathCchSkipRoot
PathCchRemoveFileSpec

mpr

WNetGetUniversalNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindExtensionW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrStrIW

api-ms-win-core-winrt-robuffer-l1-1-0

RoGetBufferMarshaler

api-ms-win-appmodel-runtime-l1-1-0

PackageFamilyNameFromFullName
GetPackageFullName
GetPackageFamilyName
PackageNameAndPublisherIdFromFamilyName
GetPackagesByPackageFamily

api-ms-win-appmodel-runtime-l1-1-1

GetPackageFullNameFromToken

api-ms-win-core-marshal-l1-1-0

HWND_UserFree
HWND_UserUnmarshal
HWND_UserSize
HWND_UserMarshal

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-url-l1-1-0

UrlGetPartW

api-ms-win-appmodel-runtime-internal-l1-1-3

CouldMultiUserAppsBehaviorBePossibleForPackage

combase

ord90
ord157
ord148

ntdll

NtOpenFile
NtOpenThreadToken
NtDuplicateObject
NtClose
NtDeviceIoControlFile
NtSetInformationThread
NtDuplicateToken
NtOpenProcessToken
RtlCompareMemory
NtQuerySecurityAttributesToken
RtlFreeHeap
RtlCopyUnicodeString
RtlAllocateHeap
RtlCompareUnicodeString
RtlQueryPackageClaims
RtlNtStatusToDosError
RtlIsMultiSessionSku
NtFsControlFile
RtlGetDaclSecurityDescriptor
NtQuerySecurityObject
ZwQueryWnfStateData
RtlCreateAcl
RtlAddAccessAllowedAce
RtlLengthSid
RtlAddAce
NtSetSecurityObject
RtlQueryInformationAcl
RtlGetAce
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
RtlPublishWnfStateData
RtlUnsubscribeWnfNotificationWaitForCompletion
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
ZwQueryInformationToken
RtlConvertSidToUnicodeString
ZwOpenThreadTokenEx
ZwClose
ZwOpenProcessTokenEx
ZwQueryInformationProcess
RtlFreeUnicodeString
RtlCreateSecurityDescriptor

api-ms-win-service-private-l1-1-0

I_QueryTagInformation

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

CdplGetFileProtectionLevel
CdplIsAppAllowedToRun
CdplIsAppDataProtectionSupported
CdplIsSupported
CdplProtectFileToLevel
CdplProtectFileToLevelWithResult
CdplProtectKnownUserFolders
CdplProtectSecretToLevel
CdplUnprotectSecret
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DpmBufferFree
DpmProtectSecretToIdentity
DpmStreamClose
DpmStreamOpenToProtectToIdentity
DpmStreamOpenToUnprotect
DpmStreamUpdate
DpmUnprotectSecret
EnterpriseDataCopyProtection
EnterpriseDataGetStatus
EnterpriseDataProtect
EnterpriseDataRevoke
FreeIdentityProtectorList
GetEnterpriseActionForCopy
GetEnterpriseIdForNetworkPath
ProtectFileToEnterpriseIdentity
ProtectFileToIdentity
ProtectOrReprotectFileToIdentity
QueryIdentityProtectors
UnprotectFile

Sections

.text
Size: 540KB - Virtual size: 539KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 548B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

89b0d925f63a3f063373ee0e9fff62a8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-file-l2-1-0

oleaut32

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-path-l1-1-0

mpr

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-core-winrt-robuffer-l1-1-0

api-ms-win-appmodel-runtime-l1-1-0

api-ms-win-appmodel-runtime-l1-1-1

api-ms-win-core-marshal-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-appmodel-runtime-internal-l1-1-3

combase

ntdll

api-ms-win-service-private-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 540KB - Virtual size: 539KB

.data Size: 2KB - Virtual size: 3KB

.idata Size: 13KB - Virtual size: 12KB

.didat Size: 1024B - Virtual size: 548B

.rsrc Size: 6KB - Virtual size: 5KB

.reloc Size: 41KB - Virtual size: 40KB

.text
Size: 540KB - Virtual size: 539KB

.data
Size: 2KB - Virtual size: 3KB

.idata
Size: 13KB - Virtual size: 12KB

.didat
Size: 1024B - Virtual size: 548B

.rsrc
Size: 6KB - Virtual size: 5KB

.reloc
Size: 41KB - Virtual size: 40KB