efswrt[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

efswrt.dll
Size

137KB
MD5

c3cf9bcec9631f4922495384e7b1c3f8
SHA1

75ad7969b7c614c69f5e177ee5eeb0aaaf7a837b
SHA256

d35741b588d87bf729705619164c7cfab4cd821988f48b5401110c09b2ef89ae
SHA512

7b019a74912e9aa4030c2e615e0c2e780b8dae2ddacbff4a8acc107f67cca92a5767824805b3019d7a724944411c9968f2e6ff45deaca5ebb6904b0928a29f6b
SSDEEP

3072:VeOUN2p8C+Uzi3bKBIi4q8rDfJuXHoWxzDhOnWwUt:QOUN2p8U+3bBn1An1DhzwU

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
efswrt.dll

Files

efswrt.dll
.dll windows:6 windows x64 arch:x64

fb5555cf3e2f8a1b1a8458540d2c0c07

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

efswrt.pdb

Imports

msvcrt

??1type_info@@UEAA@XZ
wcschr
_wcsnicmp
memcmp
wcsncmp
??2@YAPEAX_K@Z
_onexit
__dllonexit
_unlock
_lock
_initterm
_amsg_exit
_XcptFilter
_wcsicmp
??3@YAXPEAX@Z
_vsnwprintf
??1exception@@UEAA@XZ
__CxxFrameHandler3
_purecall
_CxxThrowException
memmove
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
malloc
free
__C_specific_handler
memset
??0exception@@QEAA@AEBV0@@Z
memcpy

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-com-l1-1-1

CoInitializeEx
CoTaskMemAlloc
CoGetApartmentType
CoMarshalInterface
CoTaskMemFree
CoCopyProxy
CoUninitialize
CoWaitForMultipleHandles
CoGetCallContext
CoSetProxyBlanket
CoGetMalloc
CoCreateInstance
RoGetAgileReference
CreateStreamOnHGlobal
CoCreateFreeThreadedMarshaler
CoReleaseMarshalData

api-ms-win-core-winrt-string-l1-1-0

WindowsStringHasEmbeddedNull
HSTRING_UserSize
HSTRING_UserFree64
HSTRING_UserMarshal
HSTRING_UserUnmarshal
WindowsGetStringRawBuffer
WindowsIsStringEmpty
HSTRING_UserUnmarshal64
HSTRING_UserFree
HSTRING_UserSize64
HSTRING_UserMarshal64
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString
WindowsCreateString

api-ms-win-core-synch-l1-2-0

AcquireSRWLockShared
ReleaseSRWLockExclusive
InitializeCriticalSection
Sleep
ReleaseSRWLockShared
CreateMutexW
AcquireSRWLockExclusive
ReleaseMutex
DeleteCriticalSection

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
UnregisterTraceGuids
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
SetRestrictedErrorInfo
RoReportFailedDelegate
RoGetMatchingRestrictedErrorInfo
RoTransformError
RoOriginateErrorW
RoOriginateError
GetRestrictedErrorInfo

api-ms-win-core-errorhandling-l1-1-1

RaiseException
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcessId
TerminateProcess
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree

rpcrt4

UuidCreate
UuidFromStringW
CStdStubBuffer_AddRef
UuidToStringW
NdrOleFree
NdrStubForwardingFunction
NdrOleAllocate
CStdStubBuffer_CountRefs
IUnknown_Release_Proxy
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_QueryInterface
IUnknown_AddRef_Proxy
NdrStubCall3
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Invoke
CStdStubBuffer_Connect
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
NdrDllGetClassObject
IUnknown_QueryInterface_Proxy

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

oleaut32

SysFreeString

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-rtlsupport-l1-2-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

kernel32

GetPackageFamilyName
ClosePackageInfo
GetCurrentPackageInfo
GetSystemTime
SystemTimeToFileTime
OpenPackageInfoByFullName
GetPackageInfo
GetPackageFullName
PackageNameAndPublisherIdFromFamilyName
LocalFree
GetFileAttributesW
QueryFullProcessImageNameW
GetCurrentThread
HeapAlloc
CreateThread
TlsFree
CloseHandle
TrySubmitThreadpoolCallback
TlsAlloc
OpenSemaphoreW
CallbackMayRunLong
CreateThreadpoolTimer
CreateEventExW
FreeLibraryWhenCallbackReturns
CreateSemaphoreW
FreeLibraryAndExitThread
ReleaseSemaphore
InitOnceExecuteOnce
OpenProcess
TlsSetValue
SetEvent
WaitForSingleObject
GetModuleHandleExW
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
FreeLibrary
TlsGetValue
CloseThreadpoolTimer

normaliz

IdnToAscii

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-shcore-thread-l1-1-0

SHGetThreadRef
SHCreateThreadRef
SHSetThreadRef

combase

ord2
ord32
ord6
ord7
ord5
ord33
ord34
ord8

user32

DispatchMessageW
PostThreadMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjectsEx

feclient

EfsClientEncryptFileEx
EfsClientQueryProtectors
EfsClientFreeProtectorList

vaultcli

VaultAddItem
VaultCloseVault
VaultGetItem
VaultEnumerateItems
VaultOpenVault
VaultFree
VaultRemoveItem

crypt32

CryptBinaryToStringW

shell32

ord190
SHChangeNotifySuspendResume
ord924
ord155

shlwapi

PathIsDirectoryEmptyW

advapi32

RegQueryInfoKeyW
RegDeleteValueW
RegEnumKeyExW
RegGetValueW
RegSetValueExW
RegCreateKeyExW
RegEnumValueW
RegDeleteKeyExW
OpenProcessToken
GetTokenInformation
GetSidSubAuthority
OpenThreadToken
GetSidSubAuthorityCount
CopySid
EqualSid
RegQueryValueExW
RegOpenKeyExW
FileEncryptionStatusW
GetLengthSid
ConvertSidToStringSidW
RegCloseKey
EventRegister
EventUnregister
EventWrite

urlmon

CreateUri

bcrypt

BCryptOpenAlgorithmProvider
BCryptHashData
BCryptCreateHash
BCryptDestroyHash
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptGenRandom

api-ms-win-core-handle-l1-1-0

DuplicateHandle

ntdll

WinSqmAddToStreamEx
WinSqmIsOptedIn
RtlNtStatusToDosError
NtQueryInformationToken
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
RtlAllocateHeap
RtlInitUnicodeString
RtlFreeHeap

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
EnterpriseDataCopyProtection
EnterpriseDataGetStatus
EnterpriseDataProtect
EnterpriseDataRevoke

Sections

.text
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 199B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fb5555cf3e2f8a1b1a8458540d2c0c07

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-util-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-heap-l1-2-0

rpcrt4

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-string-l1-1-0

oleaut32

api-ms-win-core-profile-l1-1-0

api-ms-win-core-rtlsupport-l1-2-0

kernel32

normaliz

api-ms-win-core-winrt-l1-1-0

api-ms-win-shcore-thread-l1-1-0

combase

user32

feclient

vaultcli

crypt32

shell32

shlwapi

advapi32

urlmon

bcrypt

api-ms-win-core-handle-l1-1-0

ntdll

Exports

Exports

Sections

.text Size: 114KB - Virtual size: 113KB

.orpc Size: 512B - Virtual size: 199B

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 4KB

.idata Size: 10KB - Virtual size: 10KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 114KB - Virtual size: 113KB

.orpc
Size: 512B - Virtual size: 199B

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 4KB

.idata
Size: 10KB - Virtual size: 10KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 1KB - Virtual size: 1KB