CertEnroll[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CertEnroll.dll
Size

2.2MB
MD5

45b32760ee7f74ae0d8657286c2b274c
SHA1

3cecc4f734db87b6f74b7fc4a820916ff1cd4ddc
SHA256

feee3f4b8ae7bd9f3640b8672df860bf1cfb82c6121d25c0a909d3988762c353
SHA512

d21e7d2b04f5a4b9841a9cc04169fbac032374641921292592a584770df642e56745b12805518620bf96d06af132679669cdf8ec10836b4e4362d2d4a3f7548e
SSDEEP

49152:RmnU9qTOeRpWijmAPWk5M1Tcgo7IZ7cjIuKvH8URTLUkD8AlbqOdtJxdu:RcTOe312Tcgo7IZ7cjIuKvH8UREkZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CertEnroll.dll

Files

CertEnroll.dll
.dll regsvr32 windows:6 windows x86 arch:x86

0f2833d90e717b513a903d5595cdb267

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CertEnroll.pdb

Imports

msvcrt

_wgetenv
strchr
getenv
isdigit
atoi
strncmp
fputws
fflush
ferror
_wfopen_s
fwprintf
fclose
strcspn
iswlower
fprintf
towlower
fopen
_errno
ftell
iswupper
fwrite
_vsnprintf
__iob_func
vfwprintf
memmove
wcsrchr
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
calloc
qsort
wcsstr
srand
wcschr
_stricmp
_lock
wcscspn
iswxdigit
towupper
memset
iswspace
iswalpha
_CxxThrowException
__CxxFrameHandler3
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
??1type_info@@UAE@XZ
fseek
_strnicmp
bsearch
rand
_itow
_wtoi
iswdigit
?what@exception@@UBEPBDXZ
_wcsicmp
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
_unlock
__dllonexit
??0exception@@QAE@ABQBD@Z
_onexit
free
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
realloc
_except_handler4_common
memcmp
??0exception@@QAE@XZ
_ftol2_sse
_CIpow
wcsncmp
memmove_s
memcpy_s
_wcsnicmp
_vsnwprintf
memcpy

ntdll

RtlEqualSid
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
RtlAllocateHeap
RtlFreeHeap
RtlAllocateAndInitializeSid
NtQueryInformationToken
RtlFreeSid
RtlCheckTokenCapability
WinSqmSetString
WinSqmIncrementDWORD
EtwTraceMessage
RtlInitUnicodeString
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
NtQueryInformationProcess

crypt32

CryptFindOIDInfo
CryptVerifyCertificateSignature
CryptDecodeObjectEx
CryptMsgOpenToDecode
CertGetEnhancedKeyUsage
CertNameToStrW
CryptBinaryToStringW
CertVerifySubjectCertificateContext
CertControlStore
CertGetCRLContextProperty
CryptStringToBinaryW
CertSaveStore
CryptExportPublicKeyInfo
CertDeleteCertificateFromStore
CryptHashCertificate
CertDuplicateCertificateContext
CertFindCTLInStore
CertRegisterPhysicalStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptMsgCalculateEncodedLength
CryptVerifyMessageSignature
CryptVerifyTimeStampSignature
CryptMemFree
CryptUnprotectMemory
CryptProtectMemory
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CryptEncryptMessage
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetCertificateChain
CertGetNameStringW
CryptMsgClose
CryptProtectData
CertSetCertificateContextProperty
CryptSignCertificate
CryptDecodeObject
CertOpenStore
CertFindCertificateInStore
CertGetCertificateContextProperty
CertCloseStore
CertFindExtension
CryptSignMessage
CryptDecryptMessage
CertGetIssuerCertificateFromStore
CryptFormatObject
PFXImportCertStore
CertStrToNameW
CertGetIntendedKeyUsage
CryptAcquireCertificatePrivateKey
CertFindAttribute
CryptMsgGetAndVerifySigner
CertComparePublicKeyInfo
CertAddCertificateLinkToStore
CertAddEncodedCertificateToStore
PFXExportCertStoreEx
CertDuplicateStore
CryptEnumOIDInfo
CryptRegisterOIDInfo
CryptVerifyCertificateSignatureEx
CertGetPublicKeyLength
CryptHashCertificate2
CertEnumCertificateContextProperties
CryptHashPublicKeyInfo
CertFreeCRLContext
CertCreateCRLContext
CertGetSubjectCertificateFromStore
CryptMsgOpenToEncode
CertCreateCertificateContext
CertFreeCertificateContext
CryptMsgUpdate
CryptImportPublicKeyInfo
CryptEncodeObjectEx
CryptQueryObject
CryptMsgGetParam
CryptMsgControl

api-ms-win-core-synch-l1-2-0

Sleep
SetEvent
WaitForSingleObject
InitOnceExecuteOnce
InitializeSRWLock
CreateEventExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateEventW
InitializeCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
SetLastError
GetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
SizeofResource
GetModuleFileNameW
LoadResource
LockResource
FindResourceExW
LoadStringW
GetModuleHandleW
GetModuleHandleExW
GetProcAddress
FreeLibrary
DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumValueW
RegQueryValueExW
RegOpenCurrentUser
RegDeleteValueW
RegDeleteKeyExW

api-ms-win-core-string-l2-1-0

CharLowerW
CharNextW

api-ms-win-core-string-l1-1-0

FoldStringW
MultiByteToWideChar
CompareStringOrdinal
WideCharToMultiByte
CompareStringW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetComputerNameExW
GetSystemTime
GetTickCount
GetVersionExW
GetLocalTime

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-file-l1-2-1

LocalFileTimeToFileTime
FindClose
CreateFileW
WriteFile
GetFileType
FindNextFileW
DeleteFileW
FindFirstFileW
FileTimeToLocalFileTime
CompareFileTime
SetEndOfFile
SetFilePointer
GetFullPathNameW
GetFileTime
GetTempFileNameW
GetTempPathW
CreateDirectoryW
GetFileSize

api-ms-win-core-localization-l1-2-1

IdnToUnicode
FormatMessageW
IdnToAscii
GetLocaleInfoW
GetACP

api-ms-win-core-processenvironment-l1-2-0

GetEnvironmentVariableW
GetCommandLineW
ExpandEnvironmentStringsW
GetStdHandle
SearchPathW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-processthreads-l1-1-2

OpenProcess
OpenProcessToken
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
CreateThread
TerminateProcess
GetProcessId

api-ms-win-security-base-l1-2-0

CreateWellKnownSid
GetTokenInformation
EqualSid
SetSecurityDescriptorControl
RevertToSelf
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CopySid
GetLengthSid
AllocateAndInitializeSid
ImpersonateLoggedOnUser
FreeSid

rpcrt4

IUnknown_Release_Proxy
UuidCreate
RpcStringBindingComposeW
RpcEpResolveBinding
RpcBindingSetAuthInfoExW
RpcBindingFree
RpcStringFreeW
CStdStubBuffer_Connect
CStdStubBuffer_Invoke
RpcExceptionFilter
NdrClientCall2
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
IUnknown_AddRef_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
RpcBindingFromStringBindingW
NdrStubCall2
NdrDllGetClassObject
CStdStubBuffer_CountRefs
NdrOleAllocate
NdrStubForwardingFunction
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-datetime-l1-1-1

GetTimeFormatA
GetDateFormatW
GetDateFormatA
GetTimeFormatW

api-ms-win-core-memory-l1-1-2

UnmapViewOfFile
CreateFileMappingW
MapViewOfFile

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-core-kernel32-legacy-l1-1-1

FindResourceW
LoadLibraryW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrlenW
lstrcmpiW

api-ms-win-core-localization-obsolete-l1-2-0

GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LCIDToLocaleName

api-ms-win-core-url-l1-1-0

UrlGetPartW

api-ms-win-security-activedirectoryclient-l1-1-0

DsUnBindW

certca

ord445
ord823
ord820
ord454
ord438
ord468
ord456
ord458
ord462
ord449
ord436
ord435
ord440
ord479
ord819
ord813
ord708
ord486
ord809
ord847
ord706
ord487
ord485
ord412
ord869
ord601
ord602
ord707
ord824
ord838
ord420
ord414
ord413
ord843
ord416
ord844
ord430
ord703
ord442
ord434
ord404
ord801
ord808
ord444
ord450
ord405
ord839
ord841
ord840
ord704
ord705
ord802
ord842
ord446
ord467
ord460
ord457
ord455
ord846
ord452
ord453
ord845

combase

ord13
ord18
ord15
ord19
ord34
ord21
ord8
ord20
ord2
ord9
ord5
ord12
ord10
ord32
ord17
ord6
ord14
ord22
ord7
ord16
ord11
ord33

api-ms-win-core-threadpool-l1-2-0

FreeLibraryWhenCallbackReturns
CallbackMayRunLong
TrySubmitThreadpoolCallback

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-shell-shellfolders-l1-1-0

SHGetFolderPathW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 473B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0f2833d90e717b513a903d5595cdb267

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

crypt32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

rpcrt4

api-ms-win-core-heap-l1-2-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-debug-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-url-l1-1-0

api-ms-win-security-activedirectoryclient-l1-1-0

certca

combase

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-shell-shellfolders-l1-1-0

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.orpc Size: 512B - Virtual size: 473B

.data Size: 15KB - Virtual size: 18KB

.idata Size: 13KB - Virtual size: 12KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 201KB - Virtual size: 201KB

.reloc Size: 127KB - Virtual size: 126KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.orpc
Size: 512B - Virtual size: 473B

.data
Size: 15KB - Virtual size: 18KB

.idata
Size: 13KB - Virtual size: 12KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 201KB - Virtual size: 201KB

.reloc
Size: 127KB - Virtual size: 126KB