certmgr.pdb
Static task
static1
Behavioral task
behavioral1
Sample
certmgr.dll
Resource
win10v2004-20240426-en
General
-
Target
certmgr.dll
-
Size
1.9MB
-
MD5
c57abbb736050e8efc24f9a4829cecdf
-
SHA1
8d1bff10b4d5c35024ac0022ee819aa0b1d0f92d
-
SHA256
859519d057e0720ec3b9a743f8869c6354d3d67a2154bba6d6db2b4b9fd5aa18
-
SHA512
ecdcd427351d60923f27e3e1d05442ab0f5648340bdb0686f8256596186c418652eb277b332b9eb2ebeb82c753bd8e551004dfab7ae332a7e4033733bea679af
-
SSDEEP
49152:P1fjXbKWda6SyMMMMMMeMMMMMM53uXxU:PdMMMMMMeMMMMMMhuXx
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource certmgr.dll
Files
-
certmgr.dll.dll regsvr32 windows:10 windows x86 arch:x86
ca188497e79abc1def20615c73631f36
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
mfc42u
msvcrt
memset
_purecall
wcslen
wcscmp
_stricmp
memcmp
_wcsicmp
free
wcstok_s
realloc
strlen
mbstowcs
strcmp
??_V@YAXPAX@Z
memcpy
_wcsupr
wcsstr
wcscspn
_vsnwprintf
__CxxFrameHandler3
wcschr
wcscoll
malloc
_wcsnicmp
wcstol
wcsncmp
iswdigit
swprintf_s
_wtol
wcscat_s
wcscpy_s
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
__RTDynamicCast
_itow
wcstoul
wcsrchr
iswspace
_beginthreadex
_endthreadex
memmove
qsort
_wtoi
atl
ord44
ord32
ord16
ord21
ord15
ord30
ord43
ntdll
RtlInitUnicodeString
RtlCompareUnicodeString
RtlNtStatusToDosError
certca
ord416
ord411
ord413
ord414
ord445
ord450
ord451
ord433
ord459
ord405
ord442
ord444
ord446
ord412
ord424
ord455
ord452
ord453
ord460
ord435
ord404
certenroll
ord29
ord16
ord19
ord15
ord18
ord31
ord21
ord23
ord22
ord40
ord33
kernel32
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
IsProcessorFeaturePresent
DecodePointer
EncodePointer
LoadLibraryExA
VirtualAlloc
VirtualFree
FreeLibrary
HeapFree
UnmapViewOfFile
MapViewOfFile
GetProcessHeap
HeapAlloc
CreateFileMappingW
GetUserDefaultLangID
GetFileTime
GetFileSizeEx
ResetEvent
SetEvent
WaitForSingleObject
CreateEventW
GlobalUnlock
GlobalLock
WideCharToMultiByte
ReadFile
GetFileSize
CreateFileW
GetCurrentThreadId
CloseHandle
GetCurrentProcess
GetComputerNameW
GlobalFree
GlobalAlloc
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
DeleteCriticalSection
LoadLibraryA
CompareStringW
GetSystemWindowsDirectoryW
GetVersionExW
FormatMessageW
GetTimeFormatW
GetDateFormatW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCommandLineW
OutputDebugStringA
GetModuleFileNameW
LoadLibraryW
LoadLibraryExW
GetModuleHandleW
GetModuleHandleA
GetProcAddress
SetLastError
MultiByteToWideChar
GetACP
SystemTimeToFileTime
GetSystemTime
CompareFileTime
RaiseException
lstrcmpiW
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetLastError
GetTickCount
CreateActCtxW
ReleaseActCtx
ActivateActCtx
DeactivateActCtx
GetComputerNameExW
ExpandEnvironmentStringsA
InitOnceExecuteOnce
user32
ScreenToClient
GetWindowRect
GetMenu
EnableMenuItem
SetMenu
LoadMenuW
DestroyWindow
CallWindowProcW
DefWindowProcW
SetFocus
GetKeyState
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
IsDlgButtonChecked
CheckDlgButton
GetSysColor
GetClientRect
MessageBoxW
SetWindowLongW
GetWindowTextW
ShowWindow
SetWindowTextW
SendDlgItemMessageW
GetWindow
GetDlgItem
GetSystemMetrics
RegisterClipboardFormatW
GetParent
PostMessageW
WinHelpW
GetDlgCtrlID
SendMessageW
EnableWindow
LoadBitmapW
LoadImageW
LoadIconW
DestroyIcon
IsWindowVisible
UpdateWindow
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
GetWindowThreadProcessId
FindWindowExW
ChildWindowFromPointEx
GetSubMenu
InvalidateRect
LoadStringW
GetFocus
ReleaseDC
GetDC
GetWindowLongW
SystemParametersInfoW
oleaut32
SafeArrayGetUBound
SafeArrayGetLBound
SysFreeString
SysAllocString
SysStringLen
VariantClear
SysAllocStringLen
SysStringByteLen
SafeArrayUnaccessData
BstrFromVector
SafeArrayAccessData
VariantInit
ole32
CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
ReleaseStgMedium
CoCreateGuid
CLSIDFromString
CoInitialize
StringFromCLSID
CoTaskMemAlloc
GetHGlobalFromStream
CoTaskMemFree
advapi32
RegOpenKeyExA
GetSecurityDescriptorLength
CopySid
GetLengthSid
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExW
RegDeleteKeyW
GetUserNameW
SaferCreateLevel
SaferCloseLevel
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
OpenProcessToken
GetTokenInformation
SaferGetLevelInformation
SaferiPopulateDefaultsInRegistry
SaferGetPolicyInformation
RegQueryValueExA
RegSetValueExA
RegDeleteTreeW
CryptGetProvParam
LookupAccountNameW
OpenSCManagerW
GetServiceDisplayNameW
CloseServiceHandle
SaferSetPolicyInformation
SaferSetLevelInformation
SaferiChangeRegistryScope
CryptSetProvParam
EnumServicesStatusW
netutils
NetpwNameValidate
NetApiBufferFree
NetpwNameCanonicalize
dsrole
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
srvcli
NetServerGetInfo
shell32
SHGetPathFromIDListW
SHGetMalloc
SHBindToParent
SHBrowseForFolderW
SHGetFileInfoW
cryptui
CryptUIDlgSelectCertificateW
CryptUIDlgViewCertificatePropertiesW
CryptUIDlgAddPolicyServerWithPriority
CryptUIWizBuildCTL
CryptUIWizExport
CryptUIWizImport
CryptUIGetCertificatePropertiesPagesW
CryptUIDlgViewCRLW
CryptUIDlgPropertyPolicy
CryptUIDlgViewCertificateW
CryptUIDlgViewCTLW
crypt32
CryptBinaryToStringW
CryptEncodeObject
CryptMsgGetParam
CryptMsgUpdate
CertAddEncodedCTLToStore
CertAddStoreToCollection
CertGetCRLFromStore
CertAddCRLContextToStore
CertEnumCRLsInStore
CertEnumCTLsInStore
CertGetSubjectCertificateFromStore
CertDeleteCRLFromStore
CertGetStoreProperty
CryptFindLocalizedName
CertFreeCRLContext
CertControlStore
CryptMsgClose
CryptDecodeObject
CertFindExtension
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertGetEnhancedKeyUsage
CertDeleteCertificateFromStore
CertFindCertificateInStore
CertSetCertificateContextProperty
CryptDecodeObjectEx
CertNameToStrW
CryptFindOIDInfo
CertGetNameStringW
CryptImportPublicKeyInfoEx2
CertGetCertificateChain
CertFreeCertificateChain
CertCompareCertificate
CryptAcquireCertificatePrivateKey
CertGetCTLContextProperty
CertDeleteCTLFromStore
CertFindCTLInStore
CertVerifyRevocation
CertVerifyTimeValidity
CryptMsgEncodeAndSignCTL
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore
CertEnumSystemStore
CryptFindCertificateKeyProvInfo
CertEnumPhysicalStore
CryptEnumOIDInfo
CertAddCertificateContextToStore
CertAddCTLContextToStore
CertDuplicateCTLContext
CertFreeCTLContext
CertGetIntendedKeyUsage
CertDuplicateCRLContext
CryptMsgOpenToDecode
CertGetPublicKeyLength
CertAddSerializedElementToStore
CryptQueryObject
gdi32
CreateFontIndirectW
GetDeviceCaps
DeleteObject
ntdsapi
DsCrackNamesW
DsFreeNameResultW
DsBindW
DsUnBindW
ncrypt
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptHashData
NCryptSetProperty
NCryptGetProperty
NCryptIsKeyHandle
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptFinishHash
BCryptGetProperty
shlwapi
SHDeleteKeyW
PathFindExtensionW
StrTrimW
wintrust
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetFileHash
version
GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW
imagehlp
ImageLoad
ImageUnload
secur32
GetUserNameExW
aclui
ord2
iphlpapi
ParseNetworkString
slc
SLGetWindowsInformationDWORD
logoncli
DsGetDcNameW
activeds
ord9
Exports
DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer
Sections
.text Size: 648KB - Virtual size: 647KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 10KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 14KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1.2MB - Virtual size: 1.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 48KB - Virtual size: 47KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ