DeviceEnroller[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

DeviceEnroller.exe
Size

462KB
MD5

2b73722fc00dd4221b9741785134c202
SHA1

3205b10e6c48362fa2726ae2dc14df455149b90e
SHA256

c3aa4421e4dbc014b6dee3e38c4e3e48fb777a315f584cbcdf1f9a294f929c2e
SHA512

70df0fe0bc2deeb889ec37b11289330e3e644b7b4c1174181e8749db0a6c07ac426486f13647cc5a9702480bead070801215ae5054c46396f678f3d2319168f5
SSDEEP

6144:b/cCWkQ5iN8T6QAgzno1YRPG4I2rOn6WOcIqdnnsyGOTx/T5aMJi:oCmiNkPztPGA26WFXGWx/TtJ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DeviceEnroller.exe

Files

DeviceEnroller.exe
.exe windows x64

775f0ccc04771bbd307d486033ff3a3b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp110_win

?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
?_BADOFF@std@@3_JB
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@J@Z
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?endl@std@@YAAEAV?$basic_ostream@GU?$char_traits@G@std@@@1@AEAV21@@Z
?_Xbad_alloc@std@@YAXXZ

msvcrt

__CxxFrameHandler3
??_V@YAXPEAX@Z
_vsnwprintf
memcpy_s
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
__C_specific_handler
_wcsicmp
wcsstr
free
memmove_s
malloc
wcsncpy_s
_callnewh
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
exit
_exit
_cexit
_ismbblead
__setusermatherr
_initterm
_acmdln
_fmode
_commode
?terminate@@YAXXZ
_lock
_unlock
memset
srand
rand
??3@YAXPEAX@Z
wcstod
strncpy_s
_set_errno
strtol
strchr
strrchr
sprintf_s
_wtoi
swprintf_s
_wcsnicmp
wcsncmp
__dllonexit
_onexit
??1type_info@@UEAA@XZ
_errno
realloc
memmove
memcpy
memcmp
_CxxThrowException
_vsnwprintf_s

dmenrollengine

GetEnrollmentAuthPolicy
GetEnrollmentAadResourceUrl
GetEnrollmentEntDmId
SetMmpcEnrollmentFlag
GetEnrollmentPartnerOpaqueID
ord10
GetEnrollmentSID
GetEnrollmentState
ord3
GetEnrollmentClientCertThumbprint
ord1
ord7
SetEnrollState
EnrollEngineInitialize
GetIsRecoveryAllowed
GetEnrollmentType

dmcmnutils

DmRemoveToastNotificationByExecutablePath
DmRaiseToastNotification
DmDisableTask
DmGetActiveUserSid
IsPhoneOS
DmGetCurrentUserSid
DmDeleteTask
DmRevertToSelf
MBToUnicode
UnicodeToMB
DmRemoveToastNotification
DmRaiseToastNotificationAndWait
DmImpersonate
DmGetAadUserToken
HexStringToBinary
BigStrcat
CopyString
SafeWideCharToMultiByte
OmaDmRegistryGetAllSubKeys
OmaDmRegistryGetDWORD
OmaDmRegistrySetDWORD
OmDmRegistryAllocAndGetString
OmaDmRegistrySetString
DmGetUserPermission
OmaDmRegistrySetBinary

omadmapi

ord18
ord34
ord101
ord22
ord23
ord54
ord104
ord114
ord102
ord103
ord56
ord105
ord64
ord47
ord52

ntdll

NtDeleteWnfStateName
RtlIsStateSeparationEnabled
RtlNtStatusToDosError
RtlIsMultiUsersInSessionSku
RtlGetDeviceFamilyInfoEnum
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtCreateWnfStateName
RtlNtStatusToDosErrorNoTeb

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

combase

ord69
ord154

umpdc

PdcActivationClientRegister
PdcActivationClientActivityRequest
PdcActivationClientUnregister

xmllite

CreateXmlReaderInputWithEncodingName
CreateXmlReader

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

dmenterprisediagnostics

RecordDiagnosticsError

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetModuleHandleExW
LoadResource
FreeLibrary
GetModuleHandleW
GetProcAddress
GetModuleFileNameW
LockResource
SizeofResource
LoadStringW
FindResourceExW
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
DeleteCriticalSection
ReleaseSRWLockShared
AcquireSRWLockExclusive
EnterCriticalSection
SetEvent
InitializeCriticalSection
OpenEventW
WaitForSingleObjectEx
WaitForMultipleObjectsEx
InitializeCriticalSectionEx
CreateEventExW
ReleaseSemaphore
CreateMutexExW
ReleaseSRWLockExclusive
WaitForSingleObject
OpenSemaphoreW
ResetEvent
CreateEventW
CreateSemaphoreExW
LeaveCriticalSection
ReleaseMutex

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

RaiseException
UnhandledExceptionFilter
SetLastError
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsCreateString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
OpenProcessToken
TerminateProcess
OpenThreadToken
GetCurrentThread

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoGetActivationFactory
RoActivateInstance

api-ms-win-core-debug-l1-1-0

OutputDebugStringA
OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

oleaut32

SysAllocStringByteLen
VariantClear
VarUI4FromStr
SysAllocStringLen
VariantInit
VariantChangeTypeEx
SysFreeString
SafeArrayCreate
SafeArrayLock
SysAllocString
SysStringByteLen
SafeArrayGetLBound
SafeArrayUnlock
SafeArrayGetUBound
SafeArrayDestroy

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventSetInformation
EventActivityIdControl
EventUnregister

api-ms-win-core-synch-l1-2-0

InitOnceComplete
SleepConditionVariableSRW
Sleep
InitOnceBeginInitialize
WakeAllConditionVariable

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW
LookupAccountNameW
LookupPrivilegeValueW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-registry-l1-1-0

RegOpenCurrentUser
RegDeleteTreeW
RegQueryInfoKeyW
RegCloseKey
RegGetValueW
RegDeleteValueW
RegOpenKeyExW
RegCreateKeyExW
RegQueryValueExW
RegEnumKeyExW
RegSetValueExW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

samcli

NetLocalGroupAddMembers
NetLocalGroupGetMembers
NetUserGetInfo

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-url-l1-1-0

UrlUnescapeW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenA

api-ms-win-security-base-l1-1-0

CopySid
AdjustTokenPrivileges
ImpersonateLoggedOnUser
GetTokenInformation
GetLengthSid
RevertToSelf

netutils

NetApiBufferFree

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemTimeAsFileTime
GetSystemTime
GetTickCount

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime

sspicli

GetUserNameExW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

crypt32

CertFreeCertificateContext
CertCloseStore

declaredconfiguration

DMOrchestratorRefresh

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 302KB - Virtual size: 301KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

775f0ccc04771bbd307d486033ff3a3b

Headers

DLL Characteristics

File Characteristics

Imports

msvcp110_win

msvcrt

dmenrollengine

dmcmnutils

omadmapi

ntdll

api-ms-win-core-apiquery-l1-1-0

combase

umpdc

xmllite

api-ms-win-shcore-stream-l1-1-0

dmenterprisediagnostics

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

samcli

api-ms-win-core-string-l2-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-base-l1-1-0

netutils

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-file-l1-1-0

sspicli

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-registry-l2-1-0

crypt32

declaredconfiguration

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 302KB - Virtual size: 301KB

.rdata Size: 120KB - Virtual size: 120KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 12KB - Virtual size: 12KB

.didat Size: 512B - Virtual size: 456B

.rsrc Size: 20KB - Virtual size: 19KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 302KB - Virtual size: 301KB

.rdata
Size: 120KB - Virtual size: 120KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 12KB - Virtual size: 12KB

.didat
Size: 512B - Virtual size: 456B

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 1KB - Virtual size: 1KB