certcli[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

certcli.dll
Size

347KB
MD5

78c6905ea558b77bf6039a61c10a0461
SHA1

808964c6826bb4898fca3dc1570480e8613fb35f
SHA256

c5eaa87f6a0b19232bb547c2ce4597859610648d272033d1c580c4638f22d235
SHA512

d21761508e681a4a312ef61d21a7f5dc6a6e790ecd3fd0c8b818b621897dab7ad1b4e992de4d6ed4093a64f9f62f1d8f3db717dc2670a0eb9961e3f4f847b48b
SSDEEP

6144:dNnl/ElQGjhX/z3ftv5TEeyLJukUYjgoMXh5KXpf75k:Le2GZ/z3Vv5weyvjgoq

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
certcli.dll

Files

certcli.dll
.dll regsvr32 windows:10 windows x86 arch:x86

4581fa4551d38b1424dcd44d70665734

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

certcli.pdb

Imports

msvcrt

_purecall
free
wcsncpy_s
malloc
isxdigit
swscanf
iswalpha
memcpy_s
__CxxFrameHandler3
wcschr
_vsnwprintf
??1exception@@UAE@XZ
_vsnprintf
_strnicmp
_CxxThrowException
iswspace
isdigit
??_V@YAXPAX@Z
strchr
memcpy
atoi
_wcsicmp
memmove
_XcptFilter
_amsg_exit
??3@YAXPAX@Z
_initterm
?what@exception@@UBEPBDXZ
wcsstr
?terminate@@YAXXZ
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_lock
_unlock
__dllonexit
_onexit
_wcsnicmp
_except_handler4_common
iswdigit
??1type_info@@UAE@XZ
_errno
realloc
memcmp
wcsrchr
_callnewh
towlower
iswupper
iswlower
towupper
wcsncmp
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
iswxdigit
wcscspn
__isascii
_wtoi
bsearch
memset

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
DeleteCriticalSection
EnterCriticalSection
SetEvent
WaitForSingleObjectEx
CreateEventW
InitializeCriticalSection

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
LoadResource
GetProcAddress
LoadLibraryExW
GetModuleHandleW
FindResourceExW
DisableThreadLibraryCalls
GetModuleFileNameW
FreeLibrary
LoadStringW

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegGetValueW
RegCloseKey
RegQueryInfoKeyW
RegDeleteValueW

api-ms-win-core-string-l2-1-0

CharLowerW
CharNextW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
WideCharToMultiByte
FoldStringW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc
GlobalFree

crypt32

CryptImportPublicKeyInfoEx2
CryptImportPublicKeyInfo
CryptMsgClose
CryptMsgGetParam
CryptMsgUpdate
CryptMsgOpenToDecode
CertNameToStrW
CryptExportPublicKeyInfoEx
CryptEncodeObjectEx
CryptStringToBinaryW
CryptDecodeObjectEx
CryptDecodeObject
CryptSignMessage
CertComparePublicKeyInfo
CertGetNameStringW
CertAddCertificateLinkToStore
CertEnumCertificatesInStore
CertGetIntendedKeyUsage
CertGetEnhancedKeyUsage
CryptHashPublicKeyInfo
CryptHashCertificate
CertFindExtension
CertGetCertificateContextProperty
CryptFindOIDInfo
CryptAcquireCertificatePrivateKey
CertSetStoreProperty
CertFindCertificateInStore
CertCreateCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertCloseStore
CertFreeCertificateContext
CertDuplicateCertificateContext
CertOpenStore
CertStrToNameW

api-ms-win-core-file-l1-1-0

CompareFileTime
LocalFileTimeToFileTime
WriteFile
ReadFile
GetFileSize
CreateFileW
SetEndOfFile
FileTimeToLocalFileTime
SetFilePointer

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-localization-l1-2-0

GetACP
GetLocaleInfoW
FormatMessageW
IdnToUnicode

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

rpcrt4

RpcEpResolveBinding
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcNetworkIsProtseqValidW
NdrDllGetClassObject
RpcStringFreeW
RpcCancelThreadEx
CStdStubBuffer_DebugServerQueryInterface
RpcBindingSetAuthInfoW
RpcMgmtInqServerPrincNameW
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_CountRefs
CStdStubBuffer_QueryInterface
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
NdrCStdStubBuffer_Release
RpcBindingFree
RpcBindingSetAuthInfoExW
RpcExceptionFilter
CStdStubBuffer_Connect
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
NdrClientCall4
NdrDllCanUnloadNow
CStdStubBuffer_Invoke
IUnknown_AddRef_Proxy

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime
GetTickCount
GetLocalTime
GetSystemDirectoryW
GetComputerNameExW

api-ms-win-security-base-l1-1-0

CreateWellKnownSid
EqualSid
GetTokenInformation
RevertToSelf
FreeSid
AllocateAndInitializeSid
ImpersonateLoggedOnUser

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
GetCurrentProcess
TerminateProcess
OpenProcessToken
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW
SearchPathW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-debug-l1-1-0

OutputDebugStringA

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
GetComputerNameW
UnregisterWait

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage
GetSystemDefaultUILanguage

certca

ord823
ord819
ord450
ord445
ord602
ord435
ord813
ord705
ord818
ord817
ord707
ord601
ord838
ord444
ord840
ord412
ord405
ord841
ord411
ord842
ord404
ord414
ord413
ord839
ord824

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-psapi-l1-1-0

K32GetProcessImageFileNameW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-core-datetime-l1-1-0

GetDateFormatA
GetTimeFormatW
GetDateFormatW
GetTimeFormatA

wldap32

ord147
ord167
ord210
ord12
ord13
ord18
ord16
ord26
ord41
ord127
ord140
ord224

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
OpenSCManagerW
StartServiceW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
ChangeServiceConfigW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-security-logon-l1-1-0

LogonUserExW

api-ms-win-core-registry-l2-1-0

RegConnectRegistryW

api-ms-win-eventlog-legacy-l1-1-0

DeregisterEventSource
ReportEventW
RegisterEventSourceW

cryptsp

CryptReleaseContext
CryptDestroyHash
CryptGetProvParam
CryptExportKey
CryptEncrypt
CryptDecrypt
CryptAcquireContextW
CryptCreateHash
CryptSetKeyParam
CryptHashData
CryptSetHashParam
CryptGetHashParam
CryptSetProvParam
CryptGetUserKey
CryptContextAddRef
CryptSignHashW
CryptVerifySignatureW
CryptGetKeyParam
CryptDestroyKey
CryptDuplicateKey

api-ms-win-service-private-l1-1-0

WaitServiceState

ntdll

EtwTraceMessage

Exports

Exports

AddOrRemoveOCSPISAPIExtension
CAAccessCheck
CAAccessCheckEx
CAAddCACertificateType
CAAddCACertificateTypeEx
CACertTypeAccessCheck
CACertTypeAccessCheckEx
CACertTypeAuthzAccessCheck
CACertTypeGetSecurity
CACertTypeQuery
CACertTypeRegisterQuery
CACertTypeSetSecurity
CACertTypeUnregisterQuery
CACloneCertType
CACloseCA
CACloseCertType
CACountCAs
CACountCertTypes
CACreateAutoEnrollmentObjectEx
CACreateCertType
CACreateLocalAutoEnrollmentObject
CACreateNewCA
CADCSetCertTypePropertyEx
CADeleteCA
CADeleteCAEx
CADeleteCertType
CADeleteCertTypeEx
CADeleteLocalAutoEnrollmentObject
CAEnumCertTypes
CAEnumCertTypesEx
CAEnumCertTypesForCA
CAEnumCertTypesForCAEx
CAEnumFirstCA
CAEnumNextCA
CAEnumNextCertType
CAFindByCertType
CAFindByIssuerDN
CAFindByName
CAFindCertTypeByName
CAFreeCAProperty
CAFreeCertTypeExtensions
CAFreeCertTypeProperty
CAGetAccessRights
CAGetCACertificate
CAGetCAExpiration
CAGetCAFlags
CAGetCAProperty
CAGetCASecurity
CAGetCertTypeAccessRights
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAGetCertTypeExtensionsEx
CAGetCertTypeFlags
CAGetCertTypeFlagsEx
CAGetCertTypeKeySpec
CAGetCertTypeProperty
CAGetCertTypePropertyEx
CAGetConfigStringFromUIPicker
CAGetDN
CAInstallDefaultCertType
CAInstallDefaultCertTypeEx
CAIsCertTypeCurrent
CAIsCertTypeCurrentEx
CAIsCertTypeValid
CAIsValid
CAOIDAdd
CAOIDAddEx
CAOIDCreateNew
CAOIDCreateNewEx
CAOIDDelete
CAOIDDeleteEx
CAOIDFreeLdapURL
CAOIDFreeProperty
CAOIDGetLdapURL
CAOIDGetProperty
CAOIDGetPropertyEx
CAOIDSetProperty
CAOIDSetPropertyEx
CARemoveCACertificateType
CARemoveCACertificateTypeEx
CASetCACertificate
CASetCAExpiration
CASetCAFlags
CASetCAProperty
CASetCASecurity
CASetCertTypeExpiration
CASetCertTypeExtension
CASetCertTypeFlags
CASetCertTypeFlagsEx
CASetCertTypeKeySpec
CASetCertTypeProperty
CASetCertTypePropertyEx
CAUpdateCA
CAUpdateCAEx
CAUpdateCertType
CAUpdateCertTypeEx
CSPrintAssert
CSPrintError
CSPrintErrorLineFile
CSPrintErrorLineFile2
CSPrintErrorLineFileData
CSPrintErrorLineFileData2
CertcliGetDetailedCertcliVersionString
DbgIsSSActive
DbgLogStringInit
DbgLogStringInit2
DbgPrintf
DbgPrintfInit
DbgPrintfW
DecodeFileW
DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
EnableASPInIIS
EnableISAPIExtension
EncodeToFileW
IsASPEnabledInIIS
IsASPEnabledInIIS_New
IsISAPIExtensionEnabled
RemoveISAPIExtension
RemoveVDir
SplitConfigString
WszToMultiByteInteger
WszToMultiByteIntegerBuf
caTranslateFileTimePeriodToPeriodUnits
myAddShare
myCAPropGetDisplayName
myCAPropInfoLookup
myCAPropInfoUnmarshal
myCryptBinaryToString
myCryptBinaryToStringA
myCryptStringToBinary
myCryptStringToBinaryA
myDoesDSExist@209
myEnablePrivilege
myFreeColumnDisplayNames
myGenerateGuidSerialNumber
myGenerateGuidString
myGetErrorMessageText
myGetErrorMessageText1
myGetErrorMessageTextEx
myGetHashAlgorithmOIDInfoFromSignatureAlgorithm
myGetSidFromDomain
myGetTargetMachineDomainDnsName
myHExceptionCode
myHExceptionCodePrint
myHGetLastError
myHResultToStringRaw_old
myHResultToString_old
myIsDelayLoadHResult
myJetHResult
myLogExceptionInit
myModifyVirtualRootsAndFileShares
myNetLogonUser
myOIDHashOIDToString
myRevertSanitizeName
myRobustLdapBind
myRobustLdapBindEx
mySanitizeName
mySanitizedNameToDSName
mySanitizedNameToShortName
mylstrcmpiL

Sections

.text
Size: 298KB - Virtual size: 298KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4581fa4551d38b1424dcd44d70665734

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-synch-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l2-1-0

crypt32

api-ms-win-core-file-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-heap-l1-1-0

rpcrt4

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-2

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

certca

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-datetime-l1-1-0

wldap32

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-logon-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-eventlog-legacy-l1-1-0

cryptsp

api-ms-win-service-private-l1-1-0

ntdll

Exports

Exports

Sections

.text Size: 298KB - Virtual size: 298KB

.data Size: 4KB - Virtual size: 5KB

.idata Size: 10KB - Virtual size: 10KB

.didat Size: 512B - Virtual size: 464B

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 20KB - Virtual size: 20KB

.text
Size: 298KB - Virtual size: 298KB

.data
Size: 4KB - Virtual size: 5KB

.idata
Size: 10KB - Virtual size: 10KB

.didat
Size: 512B - Virtual size: 464B

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 20KB - Virtual size: 20KB