efsutil[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

efsutil.dll
Size

24KB
MD5

359c3ac547aa1d24eed35be3ab3759dc
SHA1

bacf85dbdea7b95255845755925b72d0650c7111
SHA256

5b9dfacd8b0704f8ec101d4de36d0e720c1e272f18b07683b80d740ca0b55e6d
SHA512

a118e988e6f3d15851f7ef3f4da5d1a64090b0bd562921744d18339463b6f62dfaa0993a9e01abe1629f07931c69aa44623258fcb000e442c6145b5ce570dd53
SSDEEP

384:gaQeZiU61hHjd0vIoGxWCwtWtouhLaI8xKWtIv+ylXxVA2D66bVsqZfHqWwfdW:NQecRBWuhLaL8Wa3vzG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
efsutil.dll

Files

efsutil.dll
.dll windows:6 windows x86 arch:x86

0debeec4343a10bc73e65bc2f44d4281

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

efsutil.pdb

Imports

msvcrt

memset
_XcptFilter
malloc
free
_except_handler4_common
memcpy
_amsg_exit
_initterm

ntdll

RtlUnicodeStringToAnsiString
RtlInitUnicodeString
ord1
RtlNtStatusToDosError

api-ms-win-core-localregistry-l1-1-0

RegGetValueW
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey

api-ms-win-core-processthreads-l1-1-0

OpenThreadToken
GetCurrentThread
GetCurrentThreadId
TerminateProcess
OpenProcessToken
GetCurrentProcess
GetCurrentProcessId

api-ms-win-security-base-l1-1-0

GetTokenInformation
DuplicateToken

kernel32

GetSystemTime
DelayLoadFailureHook
GetProcAddress
FreeLibrary
InterlockedCompareExchange
LoadLibraryExA
SystemTimeToFileTime
Sleep
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
HeapFree
InterlockedExchange
FileTimeToSystemTime
GetProcessHeap
GetLastError
LocalFree
LocalAlloc
CloseHandle
HeapAlloc

Exports

Exports

EfsUtilApplyGroupPolicy
EfsUtilCheckCurrentKeyCapabilities
EfsUtilCreateSelfSignedCertificate
EfsUtilGetCertContextFromCertHash
EfsUtilGetCurrentKey
EfsUtilGetCurrentKey_Deprecated
EfsUtilGetCurrentUserInformation
EfsUtilGetProvider
EfsUtilGetSmartcardProviderName
EfsUtilGetUserKey
EfsUtilIsSmartcardKey
EfsUtilIsSmartcardProvider
EfsUtilReleaseProvider
EfsUtilReleaseUserKey
EfsUtilSetCurrentKey
EfsUtilSetSmartcardPin
EfsUtilSmartcardCredsNeededError

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0debeec4343a10bc73e65bc2f44d4281

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-localregistry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-base-l1-1-0

kernel32

Exports

Exports

Sections

.text Size: 20KB - Virtual size: 19KB

.data Size: 512B - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 20KB - Virtual size: 19KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 1KB - Virtual size: 1KB