TpmCoreProvisioning[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

TpmCoreProvisioning.dll
Size

440KB
MD5

9208042a5051c9378fbf4e854a6b1427
SHA1

7b1d603f563edc6f9a3061ab0e8450aaafd450b8
SHA256

189ce27f1e2460159fba7521e1041fdb62693cf07bb10269277d74ff438d8d5a
SHA512

7d3e3a954e30d15d1110a9d459adc79cff9718f467c01231b7a00fcda3e347590cc41cddbe515ff64561fdc4dff51d83a325369d5e1ecb032b9cb9f44ae47bdf
SSDEEP

12288:xjetGTM+hjWQbXq+9q6pfxkr32LIODOYBf1:xjet6ThjWQbXq+9q6pf0m

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
TpmCoreProvisioning.dll

Files

TpmCoreProvisioning.dll
.dll windows:10 windows x86 arch:x86

228e409f81397c06557f15d267dfff31

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

TpmCoreProvisioning.pdb

Imports

msvcrt

__CxxFrameHandler3
memcmp
_vsnwprintf
_except_handler4_common
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
_wcsnicmp
mbstowcs_s
wcscpy_s
_vsnprintf
swprintf_s
_wcsicmp
memcpy_s
wcstoul
strtoul
memcpy
memset

ntdll

AlpcGetMessageAttribute
ZwClose
RtlAllocateHeap
RtlFreeHeap
AlpcInitializeMessageAttribute
EtwEventWrite
vDbgPrintEx
TpWaitForAlpcCompletion
ZwAlpcConnectPort
RtlWaitOnAddress
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
ZwAlpcSendWaitReceivePort
ZwAlpcDisconnectPort
TpAllocAlpcCompletion
RtlWakeAddressAll
ZwAlpcCancelMessage
NtQueryValueKey
NtClose
RtlInitUnicodeString
NtOpenKey
RtlNtStatusToDosError
RtlAcquirePrivilege
RtlReleasePrivilege
RtlQueryWnfStateData
RtlCompareMemory
RtlPublishWnfStateData

crypt32

CryptStringToBinaryW
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CryptBinaryToStringA
CryptImportPublicKeyInfoEx2
CertCreateCertificateContext
CertFreeCertificateContext
CryptBinaryToStringW
CertAddCertificateContextToStore

ncrypt

BCryptEncrypt
NCryptFreeObject
NCryptFinalizeKey
NCryptExportKey
NCryptOpenStorageProvider
NCryptGetProperty
NCryptCreatePersistedKey
NCryptSetProperty
NCryptDeleteKey
NCryptImportKey
NCryptOpenKey
NCryptCreateClaim
NCryptDecrypt
BCryptGenRandom
BCryptVerifySignature

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryValueExW
RegFlushKey
RegOpenKeyExW
RegGetValueW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapSize
HeapFree
HeapAlloc

api-ms-win-core-synch-l1-2-0

AcquireSRWLockExclusive
WaitForSingleObjectEx
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
InitializeSRWLock
InitializeCriticalSection
CreateMutexW
OpenMutexW
DeleteCriticalSection
WaitForSingleObject
ReleaseMutex
EnterCriticalSection
Sleep
LeaveCriticalSection
InitOnceExecuteOnce

api-ms-win-security-base-l1-2-0

RevertToSelf
ImpersonateLoggedOnUser
IsValidSecurityDescriptor
GetSecurityDescriptorLength

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventWrite
EventActivityIdControl
EventUnregister
EventRegister

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW
MultiByteToWideChar

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
RaiseException
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
GetProcAddress
GetModuleHandleExW
GetModuleFileNameW
LoadStringW
LoadLibraryExW
FreeLibrary
LoadResource
LockResource
DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-processenvironment-l1-2-0

GetEnvironmentVariableW

rpcrt4

RpcStringFreeW
UuidCreate
UuidToStringW

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetTickCount64
GetSystemWindowsDirectoryW
GetLocalTime

api-ms-win-core-firmware-l1-1-0

GetFirmwareEnvironmentVariableW

winhttp

WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpConnect
WinHttpSendRequest
WinHttpCloseHandle
WinHttpSetOption
WinHttpOpenRequest
WinHttpReadData
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpOpen
WinHttpReceiveResponse

api-ms-win-core-com-l1-1-1

CoInitializeEx
CoUninitialize
CoCreateInstance

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-libraryloader-l1-2-2

FindResourceW
LoadLibraryW

oleaut32

VariantClear
VarBstrCat
SysAllocString
SysFreeString
VariantInit
SysStringLen
SysAllocStringByteLen
SysStringByteLen
SysAllocStringLen

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-processthreads-l1-1-2

GetCurrentThreadId
SetThreadToken
GetCurrentProcessId
GetCurrentProcess
GetCurrentThread
OpenThreadToken
TerminateProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

logoncli

DsGetDcNameW

netutils

NetApiBufferFree

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

DllCanUnloadNow
Tpm20ResetLockoutCountIfNeeded
TpmAddBlockedCommand
TpmCertDeleteHealthEndpoint
TpmCertGetEkCertFromWeb
TpmCertGetFormattedUrl
TpmCertGetFwLinkId
TpmCertGetHealthCert
TpmCertGetHealthCertFromWeb
TpmCertGetHealthCorrelationId
TpmCertGetHealthEndpoint
TpmCertGetHealthForceRetrieve
TpmCertGetHealthStatusCode
TpmCertGetHealthStatusRequestBlob
TpmCertGetTpmManufacturerId
TpmCertGetTpmManufacturerId12
TpmCertGetWindowsAik
TpmCertInstallNvEkCerts
TpmCertIsHealthCertOnBootEnabled
TpmCertQueryEkPub
TpmCertSetHealthEndpoint
TpmCertSetHealthForceRetrieve
TpmCertSetHealthStatusCode
TpmCertVerifyHealthCertFromWeb
TpmChangeOwnerAuth
TpmCheckCreateWindowsAIK
TpmCheckIFXRSAKeyGenVulnerability
TpmClear
TpmConvertToOwnerAuth
TpmCreateEndorsementKeyPair
TpmCreateHealthAttestationClaim
TpmCreateHealthStatusClaim
TpmDisable
TpmDisableAutoProvisioning
TpmEnable
TpmEnableAutoProvisioning
TpmGatherTpmData
TpmGetCapLockoutInfo
TpmGetDictionaryAttackParameters
TpmGetEndorsementKeyCertificateState
TpmGetOrderlyShutdownInfo
TpmGetOwnerAuth
TpmGetOwnerAuthForEscrow
TpmGetOwnerAuthStatus
TpmGetOwnershipAuthBits
TpmGetPhysicalPresenceConfirmationStatus
TpmGetPhysicalPresenceRequest
TpmGetPhysicalPresenceResponse
TpmGetPhysicalPresenceTransition
TpmGetRandomAuthValue
TpmGetSignedEKFromVendorCommand
TpmGetSrkADThumbprint
TpmGetSrkPublicKeyModulus
TpmGetTcgLog
TpmGet_FunctionPointers
TpmGet_IsActivated_InitialValue
TpmGet_IsEnabled_InitialValue
TpmGet_IsOwned_InitialValue
TpmGet_IsPpiVersion12
TpmGet_IsTpmPresent
TpmGet_IsTpmVersion20
TpmGet_ManufacturerId
TpmGet_ManufacturerVersion
TpmGet_ManufacturerVersionInfo
TpmGet_PhysicalPresenceVersionInfo
TpmGet_SpecVersion
TpmGet_TpmVersionInfo
TpmImportOwnerAuth
TpmIsActivated
TpmIsAutoProvisioningEnabled
TpmIsCommandBlocked
TpmIsCommandPresent
TpmIsEnabled
TpmIsEndorsementKeyPairPresent
TpmIsFIPS
TpmIsKeyAttestationCapable
TpmIsOwned
TpmIsOwnerClearDisabled
TpmIsOwnershipAllowed
TpmIsPhysicalClearDisabled
TpmIsPhysicalPresenceHardwareEnabled
TpmIsReady
TpmIsReadyInformation
TpmIsSrkAuthCompatible
TpmManufacturerId_From_TpmVersionInfo
TpmManufacturerVersionInfo_From_TpmVersionInfo
TpmManufacturerVersion_From_TpmVersionInfo
TpmOwnerAuthEscrowed
TpmPrepForNgc
TpmProvision
TpmRemoveBlockedCommand
TpmRemoveRegisteredWindowsAIK
TpmResetAuthLockOut
TpmResetSrkAuth
TpmRetrieveEkCertOrReschedule
TpmRetrieveEkCertificate
TpmRetrieveHealthCertOrReschedule
TpmRetrieveHealthCertificate
TpmSelfTest
TpmSetDictionaryAttackParameters
TpmSetInstance
TpmSetPhysicalPresenceRequest
TpmSetPhysicalPresenceRequestEx
TpmSet_FunctionPointers
TpmSpecVersion_From_TpmVersionInfo
TpmTakeOwnership
TpmVerifyDeviceHealth

Sections

.text
Size: 410KB - Virtual size: 410KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

228e409f81397c06557f15d267dfff31

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

crypt32

ncrypt

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processenvironment-l1-2-0

rpcrt4

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-firmware-l1-1-0

winhttp

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-libraryloader-l1-2-2

oleaut32

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-profile-l1-1-0

logoncli

netutils

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 410KB - Virtual size: 410KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 7KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 156B

.rsrc Size: 5KB - Virtual size: 5KB

.reloc Size: 14KB - Virtual size: 14KB

.text
Size: 410KB - Virtual size: 410KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 7KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 156B

.rsrc
Size: 5KB - Virtual size: 5KB

.reloc
Size: 14KB - Virtual size: 14KB