CertEnroll[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CertEnroll.dll
Size

2.7MB
MD5

88f92b33f98cb676c486379dc25e127f
SHA1

a518a858010de711ad07d940100d608b1bd6adf8
SHA256

9c2b80d7e0032516eae49ed424fd296767dd2eb6d403a6c1aa8573a2657a046c
SHA512

dbf56452b1328188a7dba948945353bea2cd15767059fb5404bc35eeafaf4a3e774afbc784fc1157f65fad8c4459a207e0d3cd0a5b0c00e0e7bdaadab74d46ec
SSDEEP

49152:3uuVZs5X4obdgO9zbhA6wGQwYrj7GrpLy1a8IBRg0:3M3b5bhLJQL7GrMI

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CertEnroll.dll

Files

CertEnroll.dll
.dll regsvr32 windows:10 windows x86 arch:x86

c5fd6976509485982097341c42ea4bfc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CertEnroll.pdb

Imports

msvcrt

srand
wcsstr
qsort
??1exception@@UAE@XZ
_vsnprintf_s
??0exception@@QAE@XZ
??0exception@@QAE@ABV0@@Z
memmove_s
wcsrchr
calloc
__isascii
ispunct
_callnewh
_CxxThrowException
memcpy
memmove
_ftol2_sse
_CIpow
__iob_func
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABQBDH@Z
wcschr
_XcptFilter
_amsg_exit
rand
_wcsnicmp
_initterm
?terminate@@YAXXZ
_except_handler4_common
_lock
_unlock
__dllonexit
_onexit
_errno
realloc
_itow
_wtoi
iswdigit
_wcsicmp
_purecall
wcscat_s
??1type_info@@UAE@XZ
memcmp
??3@YAXPAX@Z
?what@exception@@UBEPBDXZ
wcscpy_s
malloc
wcsncpy_s
_vsnwprintf
free
memcpy_s
??_V@YAXPAX@Z
__CxxFrameHandler3
_stricmp
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
strcspn
fprintf
wcscspn
fflush
fclose
fopen
_wgetenv
fseek
ftell
fwrite
iswalpha
strchr
getenv
_vsnprintf
iswxdigit
iswspace
wcsncmp
isdigit
atoi
strncmp
fputws
ferror
_wfopen_s
fwprintf
vfwprintf
towlower
iswupper
iswlower
towupper
_strnicmp
wcsnlen
_wcserror
bsearch
memset

certca

ord705
ord841
ord839
ord704
ord802
ord842
ord446
ord467
ord457
ord455
ord846
ord452
ord453
ord845
ord450
ord444
ord434
ord442
ord820
ord703
ord430
ord844
ord416
ord843
ord413
ord808
ord813
ord801
ord445
ord414
ord420
ord838
ord824
ord707
ord602
ord809
ord601
ord869
ord412
ord485
ord487
ord404
ord405
ord486
ord819
ord479
ord440
ord435
ord436
ord449
ord462
ord458
ord456
ord468
ord438
ord454
ord847
ord823
ord840
ord460

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
ReleaseMutex
DeleteCriticalSection
LeaveCriticalSection
AcquireSRWLockShared
CreateEventExW
InitializeCriticalSection
WaitForSingleObject
OpenSemaphoreW
CreateEventW
SetEvent
ReleaseSRWLockShared
ReleaseSemaphore
AcquireSRWLockExclusive
EnterCriticalSection
ReleaseSRWLockExclusive
CreateSemaphoreExW
CreateMutexExW
WaitForSingleObjectEx
InitializeCriticalSectionEx

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
RaiseException
SetLastError

api-ms-win-core-libraryloader-l1-2-0

LockResource
DisableThreadLibraryCalls
GetModuleFileNameW
GetModuleHandleExW
FreeLibrary
LoadStringW
LoadResource
GetModuleFileNameA
FindResourceExW
SizeofResource
GetModuleHandleW
LoadLibraryExW
GetProcAddress

api-ms-win-core-registry-l1-1-0

RegDeleteValueW
RegDeleteKeyExW
RegQueryInfoKeyW
RegLoadKeyW
RegUnLoadKeyW
RegQueryValueExW
RegGetValueW
RegOpenCurrentUser
RegSetValueExW
RegCloseKey
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister
EventSetInformation

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerW

api-ms-win-core-string-l1-1-0

CompareStringEx
CompareStringW
MultiByteToWideChar
WideCharToMultiByte
FoldStringW
CompareStringOrdinal

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime
GetVersionExW
GetLocalTime
GetSystemTime

crypt32

CertVerifySubjectCertificateContext
CertEnumCertificateContextProperties
CryptHashPublicKeyInfo
CryptMsgOpenToEncode
CryptMsgUpdate
CryptMsgGetParam
CryptMsgControl
CertGetSubjectCertificateFromStore
PFXImportCertStore
CertSerializeCertificateStoreElement
CertCreateCRLContext
CertFreeCRLContext
CertGetPublicKeyLength
CryptVerifyCertificateSignatureEx
CryptRegisterOIDInfo
CertControlStore
CryptBinaryToStringW
CertNameToStrW
CertGetEnhancedKeyUsage
CertDeleteCertificateFromStore
CryptEnumOIDInfo
CertDuplicateStore
CryptAcquireCertificatePrivateKey
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertAddCertificateLinkToStore
CryptMsgGetAndVerifySigner
CertFindAttribute
CryptVerifyMessageSignature
CryptMsgCalculateEncodedLength
CryptMsgDuplicate
CryptMemFree
CryptVerifyTimeStampSignature
CryptUnprotectMemory
CryptProtectMemory
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CryptHashCertificate
CertDuplicateCertificateContext
CertFindCTLInStore
CertRegisterPhysicalStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertCreateCertificateContext
CertComparePublicKeyInfo
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CryptDecodeObjectEx
CryptProtectData
CertSetCertificateContextProperty
CryptVerifyCertificateSignature
CryptExportPKCS8
CryptImportPublicKeyInfo
CertGetIntendedKeyUsage
CertStrToNameW
PFXIsPFXBlob
CryptDecryptMessage
CryptSignMessage
CryptFormatObject
CryptStringToBinaryW
CryptQueryObject
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptMsgOpenToDecode
CertGetCRLContextProperty
CryptSignCertificate
CryptExportPublicKeyInfoEx
CryptEncodeObjectEx
CertGetIssuerCertificateFromStore
CryptDecodeObject
CryptMsgClose
CertFindExtension
CertOpenStore
CertSaveStore
CertGetNameStringW
CertFindCertificateInStore
CryptEncryptMessage
CryptFindOIDInfo
CertCloseStore
CertGetCertificateContextProperty
CertFreeCertificateContext
CryptHashCertificate2

api-ms-win-core-file-l1-1-0

SetFilePointer
SetEndOfFile
GetFileType
CompareFileTime
CreateDirectoryW
CreateFileW
GetFileSize
LocalFileTimeToFileTime
GetTempFileNameW
WriteFile
FileTimeToLocalFileTime
FindClose
GetFullPathNameW
GetFileTime
FindNextFileW
DeleteFileW
FindFirstFileW

api-ms-win-core-localization-l1-2-0

GetACP
IdnToAscii
GetLocaleInfoW
FormatMessageW
IdnToUnicode

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetStdHandle
SearchPathW

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetProcessId
GetCurrentProcessId
GetCurrentProcess
OpenProcessToken
CreateThread

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringA
DebugBreak
OutputDebugStringW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
TrySubmitThreadpoolCallback
CallbackMayRunLong
FreeLibraryWhenCallbackReturns
SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-security-base-l1-1-0

GetLengthSid
AllocateAndInitializeSid
GetSecurityDescriptorLength
CopySid
IsValidSecurityDescriptor
EqualSid
CreateWellKnownSid
ImpersonateLoggedOnUser
SetSecurityDescriptorControl
RevertToSelf
DuplicateTokenEx
FreeSid
GetTokenInformation

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

dsparse

DsGetRdnW

rpcrt4

CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
IUnknown_Release_Proxy
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
NdrOleFree
CStdStubBuffer_Connect
UuidCreate
UuidToStringW
RpcStringFreeW
UuidFromStringW
UuidIsNil
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
IUnknown_AddRef_Proxy
NdrClientCall4
RpcBindingFree
RpcEpResolveBinding
NdrStubCall2
NdrStubForwardingFunction
CStdStubBuffer_Invoke
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrDllGetClassObject
NdrCStdStubBuffer2_Release
RpcStringBindingComposeW
RpcBindingFromStringBindingW
NdrOleAllocate
RpcExceptionFilter
RpcBindingSetAuthInfoExW
CStdStubBuffer_CountRefs

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient10
ObjectStublessClient16
ObjectStublessClient6
NdrProxyForwardingFunction3
CStdStubBuffer2_Connect
NdrProxyForwardingFunction5
NdrProxyForwardingFunction4
ObjectStublessClient19
CStdStubBuffer2_QueryInterface
ObjectStublessClient13
ObjectStublessClient17
CStdStubBuffer2_Disconnect
ObjectStublessClient23
ObjectStublessClient15
ObjectStublessClient20
ObjectStublessClient18
ObjectStublessClient3
ObjectStublessClient22
CStdStubBuffer2_CountRefs
ObjectStublessClient11
ObjectStublessClient14
ObjectStublessClient7
ObjectStublessClient8
ObjectStublessClient21
ObjectStublessClient12
ObjectStublessClient9

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetDateFormatA
GetTimeFormatA
GetTimeFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-psapi-l1-1-0

K32GetProcessImageFileNameW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-url-l1-1-0

UrlGetPartW

api-ms-win-security-activedirectoryclient-l1-1-0

DsUnBindW

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-security-logon-l1-1-0

LogonUserExW

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage
GetSystemDefaultUILanguage

ntdll

RtlCapabilityCheck
RtlCheckTokenMembershipEx
RtlCheckTokenMembership
RtlSubAuthoritySid
RtlInitializeSid
RtlGetPersistedStateLocation
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
RtlEqualSid
NtQueryInformationToken
RtlCheckTokenCapability
WinSqmSetString
RtlInitUnicodeString
NtQuerySystemInformationEx
RtlNtStatusToDosError
EtwTraceMessage
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
WinSqmIncrementDWORD

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

CreateLogonCertificateRequest
DeleteLogonCertificateRequest
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
ImportPFXToProvider
ImportPFXToProviderFreeData
InstallLogonCertificateResponse
IsLogonCertificateTemplateAvailable
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace
UpdateMachinePolicyConfigurationForTemplate

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c5fd6976509485982097341c42ea4bfc

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

certca

api-ms-win-core-synch-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

crypt32

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-timezone-l1-1-0

dsparse

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-localization-l1-2-2

api-ms-win-core-url-l1-1-0

api-ms-win-security-activedirectoryclient-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-logon-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.data Size: 14KB - Virtual size: 19KB

.idata Size: 15KB - Virtual size: 15KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 223KB - Virtual size: 222KB

.reloc Size: 166KB - Virtual size: 165KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 14KB - Virtual size: 19KB

.idata
Size: 15KB - Virtual size: 15KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 223KB - Virtual size: 222KB

.reloc
Size: 166KB - Virtual size: 165KB