efssvc.pdb
Static task
static1
Behavioral task
behavioral1
Sample
efssvc.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
efssvc.dll
Resource
win10v2004-20240508-en
General
-
Target
efssvc.dll
-
Size
41KB
-
MD5
84ac8148ec31e6e035c3c88b0021e3b0
-
SHA1
4a9e3f4d0db9e7f20dd79640ff26ec0f8ca6ee67
-
SHA256
44f1a6fd2b09b60c03f7470e5b9d80c835616700e679654997e757eb9fe77ccf
-
SHA512
7e84581d35ede9ca779ac2d390584234dbfd23607da2968ab7d9c2043b2f580e13562fe649daa474f4bbc48a7110c1b26406377b04c867b0096f0315a794af87
-
SSDEEP
768:hUTIFj6sM2kmh67A2lVAsIGog7WaV+rmnCoUNZw5b91fcC5KUl:9Ksh/O++UNZwGC5F
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for a missing embedded Authenticode signature. Note that this sample appears to be a Windows system component (EFS service DLL exporting EfsServiceMain and importing efscore); such binaries are commonly catalog-signed rather than embedded-signed, so this indicator alone does not establish tampering — compare the listed hashes against a known-good copy before treating it as malicious.
resource efssvc.dll
Files
-
efssvc.dll.dll windows:6 windows x64 arch:x64
3ba8d07c3a6f52dc6c7474083fd4f709
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
memcpy
memset
_wcsicmp
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
??3@YAXPEAX@Z
??2@YAPEAX_K@Z
ntdll
NtQueryVolumeInformationFile
EtwEventWrite
EtwEventEnabled
EtwEventUnregister
EtwEventRegister
NtQueryInformationToken
RtlAllocateHeap
RtlValidRelativeSecurityDescriptor
NtOpenThreadToken
RtlFreeHeap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtSetEvent
NtOpenEvent
NtCreateEvent
RtlInitUnicodeString
RtlNtStatusToDosError
NtClearEvent
NtClose
RtlValidSid
rpcrt4
RpcBindingToStringBindingW
RpcImpersonateClient
RpcStringBindingParseW
RpcStringFreeW
NdrServerCallAll
I_RpcBindingIsClientLocal
RpcRaiseException
NdrServerCall2
RpcBindingInqAuthClientW
RpcServerUnregisterIfEx
RpcServerRegisterIfEx
RpcServerRegisterIf3
RpcServerRegisterAuthInfoW
RpcServerUseProtseqEpW
RpcServerInqCallAttributesW
RpcRevertToSelf
api-ms-win-service-core-l1-1-1
SetServiceStatus
RegisterServiceCtrlHandlerExW
api-ms-win-service-management-l1-1-0
OpenServiceW
CloseServiceHandle
OpenSCManagerW
api-ms-win-service-management-l2-1-0
ChangeServiceConfigW
efscore
EfsDllRemoveUsersFromFileSrv
EfsDllEncryptFileSrv
EfsDllIsNonEfsSKU
EfsDllFreeUserInfo
EfsDllDecryptFileSrv
EfsDllGetLogFile
EfsDllQueryRecoveryAgentsSrv
EfsDllGetVolumeRoot
EfsDllReadFileRaw
EfsDllMarkFileForDelete
EfsDllDuplicateEncryptionInfoFileSrv
EfsDllAddUsersToFileSrv
EfsDllGetLocalFileName
EfsDllDisabled
EfsDllErrorToNtStatus
EfsDllDecryptFek
EfsDllConstructEFS
EfsDllValidateEfsStream
EfsDllLoadUserProfile
EfsUnInitialize
EfsInitialize
EfsDllShareDecline
EfsDllSsoFlushUserCache
EfsDllFileKeyInfoSrv
EfsDllGetUserInfo
EfsDllSetFileEncryptionKeySrv
EfsDllOpenFileRaw
EfsDllQueryProtectorsSrv
EfsDllUnloadUserProfile
EfsDllFreeHeap
EfsDllCloseFileRaw
EfsDllWriteFileRaw
EfsDllQueryUsersOnFileSrv
EfsDllUsePinForEncryptedFilesSrv
EfsDllOnSessionChange
kernel32
ResolveDelayLoadedAPI
DelayLoadFailureHook
GetLastError
CreateEventW
SetEvent
CloseHandle
LocalFree
HeapAlloc
GetProcessHeap
HeapFree
Sleep
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetFileAttributesW
CreateFileW
api-ms-win-security-base-l1-2-0
IsWellKnownSid
Exports
EfsServiceMain
Sections
.text Size: 30KB - Virtual size: 29KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 792B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 768B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ