CertEnroll.pdb
Static task: static1
Behavioral task: behavioral1
Sample: CertEnroll.dll
Resource: win10v2004-20240508-en
General
- Target: CertEnroll.dll
- Size: 2.5MB
- MD5: 46368e4e463104e133b8ce61ae5a3f60
- SHA1: 1b5b61dd2e2248f250ab9df206d288756de0507b
- SHA256: d3da1e9964568d51645d337f8d15655287067cbd6aac93b12b5f9d76da411c5b
- SHA512: 386a04a922054c67b85dcff44544f5c9adf8e77151f7f2109373183c41bdada795f69fb760184f0fb1dd8af6397e057ae7ed72964328449fd58b897efc668392
- SSDEEP: 49152:dHytmHWAcw4kcw4kzbzMT/UwtfMHIk+WChJEON4szO:dHykvIUwtTk+hJ
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature. Resource: CertEnroll.dll
Files
- CertEnroll.dll.dll (regsvr32, windows:10, windows x86, arch:x86)
  c0f4d5589225f7485ae3673ac83f7934
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
_XcptFilter
_initterm
?terminate@@YAXXZ
__CxxFrameHandler3
??1type_info@@UAE@XZ
_lock
_unlock
__dllonexit
_onexit
_errno
_CxxThrowException
realloc
_callnewh
_except_handler4_common
memcmp
_ftol2_sse
_CIpow
__iob_func
memset
calloc
wcsrchr
qsort
wcsstr
srand
wcschr
_stricmp
rand
_wcsnicmp
_itow
_wtoi
iswdigit
?what@exception@@UBEPBDXZ
_wcsicmp
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
??0exception@@QAE@ABQBD@Z
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
strcspn
fprintf
wcscspn
fflush
fclose
fopen
_wgetenv
fseek
ftell
fwrite
iswalpha
strchr
getenv
_vsnprintf
iswxdigit
iswspace
wcsncmp
isdigit
atoi
strncmp
fputws
ferror
_wfopen_s
fwprintf
memmove
vfwprintf
towlower
iswupper
iswlower
towupper
_strnicmp
bsearch
_vsnwprintf
free
memcpy_s
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@XZ
memmove_s
_amsg_exit
memcpy
certca
ord869
ord412
ord485
ord487
ord843
ord404
ord416
ord844
ord430
ord703
ord405
ord442
ord434
ord444
ord450
ord486
ord845
ord453
ord819
ord479
ord452
ord846
ord455
ord457
ord460
ord420
ord435
ord413
ord446
ord842
ord436
ord705
ord704
ord841
ord840
ord839
ord449
ord462
ord458
ord456
ord468
ord438
ord454
ord847
ord838
ord601
ord809
ord824
ord602
ord823
ord820
ord445
ord801
ord813
ord808
ord467
ord414
ord440
ord707
ord802
api-ms-win-core-synch-l1-2-0
DeleteCriticalSection
WaitForSingleObject
SetEvent
Sleep
InitializeSRWLock
CreateEventExW
LeaveCriticalSection
CreateEventW
AcquireSRWLockShared
EnterCriticalSection
ReleaseSRWLockShared
InitializeCriticalSection
ReleaseSRWLockExclusive
InitOnceExecuteOnce
AcquireSRWLockExclusive
api-ms-win-core-errorhandling-l1-1-1
SetLastError
GetLastError
SetUnhandledExceptionFilter
RaiseException
UnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0
LoadLibraryExW
FreeLibrary
GetModuleHandleW
DisableThreadLibraryCalls
LoadResource
SizeofResource
GetProcAddress
GetModuleFileNameW
LockResource
GetModuleFileNameA
FindResourceExW
GetModuleHandleExW
LoadStringW
api-ms-win-core-registry-l1-1-0
RegEnumValueW
RegGetValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegOpenCurrentUser
RegQueryValueExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyExW
RegDeleteValueW
api-ms-win-core-heap-l2-1-0
LocalFree
LocalReAlloc
LocalAlloc
api-ms-win-eventing-provider-l1-1-0
EventRegister
EventSetInformation
EventWriteTransfer
EventUnregister
api-ms-win-core-string-l2-1-0
CharNextW
CharLowerW
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
MultiByteToWideChar
CompareStringW
CompareStringOrdinal
FoldStringW
api-ms-win-core-util-l1-1-0
DecodePointer
EncodePointer
api-ms-win-core-sysinfo-l1-2-1
GetSystemDirectoryW
GetSystemTime
GetVersionExW
GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime
GetLocalTime
api-ms-win-core-handle-l1-1-0
CloseHandle
crypt32
CertOpenStore
CertFindExtension
CryptFindOIDInfo
CertCloseStore
CryptSignCertificate
CryptExportPublicKeyInfoEx
CryptMsgOpenToDecode
CryptEncodeObjectEx
CertFreeCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CryptDecodeObject
CertSetCertificateContextProperty
CertGetCRLContextProperty
CertCreateCertificateChainEngine
CryptProtectData
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CryptSignMessage
CryptDecryptMessage
CertRegisterPhysicalStore
CryptFormatObject
PFXIsPFXBlob
CertStrToNameW
CertGetIntendedKeyUsage
CryptImportPublicKeyInfo
CertFindCTLInStore
CertDuplicateCertificateContext
CryptHashCertificate
CertFreeCRLContext
CertCreateCRLContext
CertDeleteCertificateFromStore
CertSerializeCertificateStoreElement
PFXImportCertStore
CertGetSubjectCertificateFromStore
CryptMsgControl
CryptMsgGetParam
CryptMsgUpdate
CryptMsgOpenToEncode
CryptHashPublicKeyInfo
CertEnumCertificateContextProperties
CertFreeCertificateChainEngine
CryptHashCertificate2
CertControlStore
CertVerifySubjectCertificateContext
CryptBinaryToStringW
CertGetPublicKeyLength
CryptVerifyCertificateSignatureEx
CryptRegisterOIDInfo
CryptEnumOIDInfo
CertDuplicateStore
CryptAcquireCertificatePrivateKey
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertAddCertificateLinkToStore
CertComparePublicKeyInfo
CryptMsgGetAndVerifySigner
CertFindAttribute
CryptQueryObject
CertGetIssuerCertificateFromStore
CryptMsgClose
CertGetNameStringW
CryptEncryptMessage
CryptVerifyMessageSignature
CryptMsgCalculateEncodedLength
CryptMsgDuplicate
CertSaveStore
CryptMemFree
CryptVerifyTimeStampSignature
CryptUnprotectMemory
CryptProtectMemory
CryptVerifyCertificateSignature
CertCreateCertificateContext
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CryptDecodeObjectEx
CertGetEnhancedKeyUsage
CertNameToStrW
CryptStringToBinaryW
api-ms-win-core-file-l1-2-1
GetFileTime
SetEndOfFile
CreateDirectoryW
SetFilePointer
WriteFile
GetFullPathNameW
GetTempFileNameW
GetFileSize
FileTimeToLocalFileTime
CreateFileW
CompareFileTime
GetTempPathW
GetFileType
LocalFileTimeToFileTime
FindClose
FindFirstFileW
DeleteFileW
FindNextFileW
api-ms-win-core-localization-l1-2-1
IdnToUnicode
IdnToAscii
GetACP
GetLocaleInfoW
FormatMessageW
api-ms-win-core-processenvironment-l1-2-0
SearchPathW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetStdHandle
GetCommandLineW
api-ms-win-security-base-l1-2-0
RevertToSelf
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CopySid
ImpersonateLoggedOnUser
FreeSid
GetLengthSid
SetSecurityDescriptorControl
AllocateAndInitializeSid
DuplicateTokenEx
GetTokenInformation
EqualSid
CreateWellKnownSid
api-ms-win-core-timezone-l1-1-0
SystemTimeToFileTime
FileTimeToSystemTime
api-ms-win-core-processthreads-l1-1-2
GetCurrentProcess
TerminateProcess
GetProcessId
GetCurrentProcessId
GetCurrentThreadId
OpenProcess
CreateThread
OpenProcessToken
dsparse
DsGetRdnW
rpcrt4
UuidCreate
NdrCStdStubBuffer2_Release
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
CStdStubBuffer_Invoke
NdrStubForwardingFunction
NdrStubCall2
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_QueryInterface
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect
NdrClientCall4
RpcBindingFree
RpcStringFreeW
RpcEpResolveBinding
RpcExceptionFilter
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
CStdStubBuffer_CountRefs
api-ms-win-core-com-midlproxystub-l1-1-0
ObjectStublessClient6
ObjectStublessClient12
ObjectStublessClient14
ObjectStublessClient11
CStdStubBuffer2_CountRefs
ObjectStublessClient22
ObjectStublessClient3
ObjectStublessClient18
ObjectStublessClient20
ObjectStublessClient15
CStdStubBuffer2_Connect
ObjectStublessClient23
CStdStubBuffer2_Disconnect
NdrProxyForwardingFunction3
ObjectStublessClient21
ObjectStublessClient7
ObjectStublessClient16
ObjectStublessClient13
CStdStubBuffer2_QueryInterface
ObjectStublessClient19
ObjectStublessClient9
ObjectStublessClient8
ObjectStublessClient10
ObjectStublessClient17
NdrProxyForwardingFunction4
NdrProxyForwardingFunction5
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-debug-l1-1-1
OutputDebugStringW
OutputDebugStringA
api-ms-win-core-heap-l1-2-0
HeapAlloc
GetProcessHeap
HeapFree
api-ms-win-core-datetime-l1-1-1
GetTimeFormatW
GetTimeFormatA
GetDateFormatW
GetDateFormatA
api-ms-win-core-console-l1-1-0
WriteConsoleW
api-ms-win-core-memory-l1-1-2
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
api-ms-win-core-libraryloader-l1-2-2
FindResourceW
api-ms-win-core-localization-l1-2-2
LCIDToLocaleName
api-ms-win-core-threadpool-l1-2-0
FreeLibraryWhenCallbackReturns
CallbackMayRunLong
TrySubmitThreadpoolCallback
api-ms-win-core-url-l1-1-0
UrlGetPartW
api-ms-win-security-activedirectoryclient-l1-1-0
DsUnBindW
api-ms-win-core-atoms-l1-1-0
GlobalGetAtomNameW
api-ms-win-core-shlwapi-legacy-l1-1-0
PathFindFileNameW
api-ms-win-core-threadpool-legacy-l1-1-0
QueueUserWorkItem
api-ms-win-core-string-obsolete-l1-1-0
lstrlenW
lstrcmpW
lstrcmpiW
api-ms-win-core-localization-obsolete-l1-3-0
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
ntdll
RtlCheckTokenCapability
RtlCapabilityCheck
RtlCheckTokenMembershipEx
RtlCheckTokenMembership
RtlSubAuthoritySid
RtlInitializeSid
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
RtlEqualSid
NtQueryInformationToken
WinSqmIncrementDWORD
WinSqmSetString
RtlInitUnicodeString
EtwTraceMessage
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
api-ms-win-core-delayload-l1-1-1
ResolveDelayLoadedAPI
DelayLoadFailureHook
api-ms-win-core-apiquery-l1-1-0
ApiSetQueryApiSetPresence
Exports
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
ImportPFXToProvider
ImportPFXToProviderFreeData
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace
UpdateMachinePolicyConfigurationForTemplate
Sections
.text Size: 2.1MB - Virtual size: 2.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 13KB - Virtual size: 18KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 14KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 214KB - Virtual size: 214KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 148KB - Virtual size: 147KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ