DeviceEnroller[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

DeviceEnroller.exe
Size

508KB
MD5

fa89715da554c92677f3e0d484f96e2d
SHA1

a34a08a06f8ebee5adca8f614f543f153bb4da8d
SHA256

3982116ce725cc35f159a3a907cad4b34686b3ffed3f7ba6cf2fe39f2cb66cd5
SHA512

6c7ba6d93251d2c68672373867666a71909a273e3b14221a3637c4f9237e7da8cd360aa9d38b6db652536923ca7202016643862d0461a23555e5030cfa4993b8
SSDEEP

12288:b1I4R80IuzPgRkmNmpgPjs41TxCCzD/UnsdJkI02:b1I4R8RRkmNmpgPjs4BR/UnsdL

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DeviceEnroller.exe

Files

DeviceEnroller.exe
.exe windows:10 windows x64 arch:x64

8f663f6063278af99491b7b7ab582628

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp110_win

?_Xbad_alloc@std@@YAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
?_BADOFF@std@@3_JB
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@J@Z
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?endl@std@@YAAEAV?$basic_ostream@GU?$char_traits@G@std@@@1@AEAV21@@Z

msvcrt

memmove
memcpy
?terminate@@YAXXZ
__CxxFrameHandler3
srand
rand
_vsnwprintf_s
wcstod
sprintf_s
_wtoi
swprintf_s
_wcsnicmp
wcsncmp
_commode
_fmode
_acmdln
_initterm
__setusermatherr
memcmp
_CxxThrowException
memset
??3@YAXPEAX@Z
__CxxFrameHandler4
??_V@YAXPEAX@Z
_vsnwprintf
memcpy_s
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
__C_specific_handler
_wcsicmp
wcsstr
free
memmove_s
malloc
wcsncpy_s
_callnewh
_XcptFilter
_ismbblead
_amsg_exit
__getmainargs
__set_app_type
exit
_cexit
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_exit
_lock

dmenrollengine

GetEnrollmentAuthPolicy
GetEnrollmentCertStore
GetEnrollmentSID
GetEnrollmentPartnerOpaqueID
GetEnrollmentState
GetEnrollmentEntDmId
GetEnrollmentAadResourceUrl
GetEnrollmentClientCertThumbprint
ord7
MmpcDiscoverEndpoint
ord3
ord1
GetEnrollmentType
SetEnrollState
EnrollEngineInitialize
GetIsRecoveryAllowed
ord10
SetMmpcEnrollmentFlag

dmcmnutils

OmaDmRegistryGetDWORD
OmaDmRegistryDeleteValue
DmImpersonate
DmRevertToSelf
MBToUnicode
UnicodeToMB
DmRemoveToastNotification
SafeWideCharToMultiByte
OmaDmRegistryGetAllSubKeys
OmaDmRegistrySetDWORD
OmDmRegistryAllocAndGetString
OmaDmRegistrySetString
OmaDmRegistrySetBinary
BigStrcat
DmRaiseToastNotificationAndWait
DmDisableTask
DmRaiseToastNotification
CopyString
HexStringToBinary
DmGetAadUserToken
OmaDmRegistryGetString
DmGetAadDeviceToken
InvStrCmpIW
DmGetActiveUserSid
DmDeleteTask
DmGetCurrentUserSid
DmRemoveToastNotificationByExecutablePath

omadmapi

ord64
ord105
ord22
ord103
ord102
ord114
ord104
ord119
ord54
ord117
ord23
ord118
ord52
ord34
ord101
ord18
ord37
ord56
ord47

ntdll

NtCreateWnfStateName
NtDeleteWnfStateName
RtlNtStatusToDosErrorNoTeb
RtlGetDeviceFamilyInfoEnum
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlNtStatusToDosError
RtlIsStateSeparationEnabled
RtlIsMultiUsersInSessionSku

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

combase

ord154
ord69

umpdc

PdcActivationClientRegister
PdcActivationClientActivityRequest
PdcActivationClientUnregister

xmllite

CreateXmlReader
CreateXmlReaderInputWithEncodingName

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

dmenterprisediagnostics

RecordDiagnosticsError

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
GetModuleHandleW
FindResourceExW
FreeLibrary
SizeofResource
GetModuleFileNameA
GetModuleHandleExW
LockResource
LoadResource
LoadStringW
LoadLibraryExW
GetProcAddress

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionEx
ResetEvent
CreateEventW
WaitForMultipleObjectsEx
CreateSemaphoreExW
CreateEventExW
ReleaseSemaphore
DeleteCriticalSection
WaitForSingleObject
AcquireSRWLockShared
ReleaseMutex
SetEvent
WaitForSingleObjectEx
OpenSemaphoreW
OpenEventW
CreateMutexExW
ReleaseSRWLockShared
ReleaseSRWLockExclusive
EnterCriticalSection
AcquireSRWLockExclusive
InitializeCriticalSection
LeaveCriticalSection

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
RaiseException
GetLastError
UnhandledExceptionFilter
SetLastError

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsCreateString
WindowsDeleteString
WindowsGetStringRawBuffer

api-ms-win-core-processthreads-l1-1-0

SetThreadPriority
GetCurrentThreadId
OpenThreadToken
GetCurrentProcessId
TerminateProcess
GetStartupInfoW
GetCurrentProcess
OpenProcessToken
GetCurrentThread

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoInitialize
RoActivateInstance
RoUninitialize

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent
OutputDebugStringA

api-ms-win-core-handle-l1-1-0

CloseHandle

oleaut32

VariantClear
SafeArrayCreate
VariantTimeToSystemTime
VariantInit
SafeArrayDestroy
SafeArrayGetUBound
SafeArrayUnlock
SafeArrayGetLBound
SysAllocStringLen
VariantChangeTypeEx
SysStringByteLen
SysAllocStringByteLen
SafeArrayLock
VarUI4FromStr
SysFreeString
SysAllocString

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventSetInformation
EventWriteTransfer
EventActivityIdControl

api-ms-win-core-synch-l1-2-0

Sleep
WakeAllConditionVariable
SleepConditionVariableSRW
InitOnceBeginInitialize
InitOnceComplete

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW
LookupAccountNameW
LookupAccountSidW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegGetValueW
RegDeleteTreeW
RegCreateKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegDeleteValueW
RegOpenCurrentUser
RegCloseKey
RegQueryInfoKeyW

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

samcli

NetUserGetInfo
NetLocalGroupGetMembers
NetLocalGroupAddMembers

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-url-l1-1-0

UrlUnescapeW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
ConvertSidToStringSidW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW

api-ms-win-core-string-obsolete-l1-1-0

lstrlenA
lstrcmpiW

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
RevertToSelf
ImpersonateLoggedOnUser
GetLengthSid
GetTokenInformation
CopySid

netutils

NetApiBufferFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetTickCount64
GetSystemTime

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-file-l1-1-0

CompareFileTime
FileTimeToLocalFileTime

sspicli

GetUserNameExW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

crypt32

CertOpenStore
CertFindCertificateInStore
CertCloseStore
CertFreeCertificateContext

declaredconfiguration

DMOrchestratorRefresh
DMOrchestratorRefreshPerEnrollment

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 340KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8f663f6063278af99491b7b7ab582628

Headers

DLL Characteristics

File Characteristics

Imports

msvcp110_win

msvcrt

dmenrollengine

dmcmnutils

omadmapi

ntdll

api-ms-win-core-apiquery-l1-1-0

combase

umpdc

xmllite

api-ms-win-shcore-stream-l1-1-0

dmenterprisediagnostics

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

samcli

api-ms-win-core-string-l2-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-base-l1-1-0

netutils

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-file-l1-1-0

sspicli

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-registry-l2-1-0

crypt32

declaredconfiguration

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 340KB - Virtual size: 338KB

.rdata Size: 112KB - Virtual size: 111KB

.data Size: 8KB - Virtual size: 7KB

.pdata Size: 16KB - Virtual size: 12KB

.didat Size: 4KB - Virtual size: 464B

.rsrc Size: 20KB - Virtual size: 19KB

.reloc Size: 4KB - Virtual size: 1KB

.text
Size: 340KB - Virtual size: 338KB

.rdata
Size: 112KB - Virtual size: 111KB

.data
Size: 8KB - Virtual size: 7KB

.pdata
Size: 16KB - Virtual size: 12KB

.didat
Size: 4KB - Virtual size: 464B

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 4KB - Virtual size: 1KB