CertEnroll.pdb
Static task: static1
Behavioral task: behavioral1 (Sample: CertEnroll.dll, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: CertEnroll.dll, Resource: win10v2004-20240508-en)
General
Target: CertEnroll.dll
Size: 2.5MB
MD5: f8bfe5788c36737a2dac8afca2d4bec3
SHA1: 2db4ce87a0c9125bc30e4d5883c961d80657d101
SHA256: 451c8804faa1918028ff1fe77f9cc21b205cc56660f74b7a89695642500073b0
SHA512: c9962a1b572e6d16d4641933f7c28b9de6132e5aa25a79f8a2e15c72f48b147d7e2ca2493f4cc18eda4204b73f218afe09b9c5e46bead54d1a8e0413cc614bca
SSDEEP: 24576:LQo46P5rquAcuGWGJuQ4acyHXXnRB4TZEcoR5rlJKQftKOPH05B8Cafi:LPHrdJuQTpHnRB4Tup5rlJKQfsB8C
Malware Config
Signatures
Unsigned PE (1 IoC): checks for missing Authenticode signature.
Resource: CertEnroll.dll
Files
CertEnroll.dll.dll (regsvr32, windows:6, windows x64, arch:x64)
23aae1597f39e1894562ce7c57e65c33
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
iswupper
towlower
iswlower
towupper
memset
__C_specific_handler
_CxxThrowException
__CxxFrameHandler3
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_lock
__dllonexit
_onexit
realloc
pow
memcpy
memcmp
iswxdigit
iswspace
iswalpha
_vsnprintf
vfwprintf
fprintf
fflush
wcsncmp
fwrite
ftell
fseek
_errno
fopen
strcspn
fclose
fwprintf
_wfopen_s
ferror
fputws
strncmp
atoi
isdigit
getenv
strchr
_wgetenv
_unlock
wcscspn
_strnicmp
bsearch
wcscmp
__iob_func
memmove
wcsrchr
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
calloc
qsort
wcsstr
srand
wcschr
_stricmp
rand
_itow
_wtoi
iswdigit
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
_wcsicmp
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
free
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
memmove_s
memcpy_s
_wcsnicmp
_vsnwprintf
strcmp
ntdll
RtlEqualSid
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
RtlAllocateHeap
RtlFreeHeap
RtlAllocateAndInitializeSid
NtQueryInformationToken
RtlFreeSid
RtlCheckTokenCapability
WinSqmSetString
WinSqmIncrementDWORD
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EtwTraceMessage
RtlInitUnicodeString
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
NtQueryInformationProcess
crypt32
CryptAcquireCertificatePrivateKey
CryptFindOIDInfo
CertCloseStore
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenStore
CryptDecodeObject
CertSetCertificateContextProperty
CryptProtectData
CertGetCRLContextProperty
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertRegisterPhysicalStore
CryptStringToBinaryW
CertFindCTLInStore
CertDuplicateCertificateContext
CryptHashCertificate
CertDeleteCertificateFromStore
CertControlStore
CertVerifySubjectCertificateContext
CryptBinaryToStringW
CertCreateCertificateContext
CertFreeCertificateContext
CertNameToStrW
CertGetEnhancedKeyUsage
CryptDecodeObjectEx
CryptVerifyCertificateSignature
CryptMsgCalculateEncodedLength
CryptVerifyMessageSignature
CryptVerifyTimeStampSignature
CryptMemFree
CryptUnprotectMemory
CryptProtectMemory
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CertSaveStore
CryptEncryptMessage
CertGetNameStringW
CryptMsgClose
CryptImportPublicKeyInfo
CertGetIssuerCertificateFromStore
CertFreeCRLContext
CertCreateCRLContext
CertGetSubjectCertificateFromStore
CryptQueryObject
CryptMsgControl
CryptMsgGetParam
CryptMsgUpdate
CertGetIntendedKeyUsage
CertStrToNameW
CryptMsgOpenToEncode
CryptHashPublicKeyInfo
PFXImportCertStore
CertEnumCertificateContextProperties
CryptHashCertificate2
CertGetPublicKeyLength
CryptVerifyCertificateSignatureEx
CryptFormatObject
CryptRegisterOIDInfo
CryptEnumOIDInfo
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertDuplicateStore
PFXExportCertStoreEx
CryptEncodeObjectEx
CryptDecryptMessage
CertAddEncodedCertificateToStore
CryptSignMessage
CertAddCertificateLinkToStore
CertComparePublicKeyInfo
CryptMsgGetAndVerifySigner
CertFindAttribute
CryptSignCertificate
CryptExportPublicKeyInfo
CryptMsgOpenToDecode
CertFindExtension
api-ms-win-core-synch-l1-2-0
AcquireSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
InitializeSRWLock
InitOnceExecuteOnce
SetEvent
ReleaseSRWLockShared
Sleep
AcquireSRWLockShared
CreateEventExW
ReleaseSRWLockExclusive
InitializeCriticalSection
DeleteCriticalSection
CreateEventW
WaitForSingleObject
api-ms-win-core-errorhandling-l1-1-1
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException
GetLastError
api-ms-win-core-libraryloader-l1-2-0
LockResource
SizeofResource
GetModuleHandleExW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
LoadResource
FindResourceExW
LoadStringW
DisableThreadLibraryCalls
GetProcAddress
GetModuleFileNameW
api-ms-win-core-registry-l1-1-0
RegDeleteKeyExW
RegQueryInfoKeyW
RegDeleteValueW
RegEnumValueW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegOpenCurrentUser
RegCloseKey
RegEnumKeyExW
RegCreateKeyExW
api-ms-win-core-string-l2-1-0
CharNextW
CharLowerW
api-ms-win-core-string-l1-1-0
FoldStringW
WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal
CompareStringW
api-ms-win-core-util-l1-1-0
DecodePointer
EncodePointer
api-ms-win-core-sysinfo-l1-2-1
GetSystemTimeAsFileTime
GetLocalTime
GetSystemDirectoryW
GetTickCount
GetVersionExW
GetSystemTime
GetComputerNameExW
api-ms-win-core-handle-l1-1-0
DuplicateHandle
CloseHandle
api-ms-win-core-file-l1-2-1
GetFileTime
LocalFileTimeToFileTime
FindNextFileW
SetFilePointer
CreateFileW
SetEndOfFile
WriteFile
FindFirstFileW
GetTempPathW
GetTempFileNameW
GetFileType
CompareFileTime
GetFullPathNameW
DeleteFileW
FindClose
GetFileSize
CreateDirectoryW
FileTimeToLocalFileTime
api-ms-win-core-localization-l1-2-1
GetACP
GetLocaleInfoW
IdnToAscii
IdnToUnicode
FormatMessageW
api-ms-win-core-processenvironment-l1-2-0
GetStdHandle
GetEnvironmentVariableW
SearchPathW
GetCommandLineW
ExpandEnvironmentStringsW
api-ms-win-core-timezone-l1-1-0
SystemTimeToFileTime
FileTimeToSystemTime
api-ms-win-core-processthreads-l1-1-2
GetCurrentThreadId
TerminateProcess
OpenProcess
CreateThread
GetCurrentProcessId
GetProcessId
GetCurrentProcess
OpenProcessToken
api-ms-win-security-base-l1-2-0
SetSecurityDescriptorControl
RevertToSelf
CreateWellKnownSid
EqualSid
GetTokenInformation
CopySid
GetLengthSid
FreeSid
AllocateAndInitializeSid
IsValidSecurityDescriptor
GetSecurityDescriptorLength
ImpersonateLoggedOnUser
rpcrt4
CStdStubBuffer_Connect
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrStubCall3
IUnknown_AddRef_Proxy
NdrDllGetClassObject
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcEpResolveBinding
RpcBindingSetAuthInfoExW
NdrStubForwardingFunction
NdrOleAllocate
RpcBindingFree
RpcStringFreeW
CStdStubBuffer_CountRefs
IUnknown_Release_Proxy
RpcExceptionFilter
NdrClientCall3
CStdStubBuffer_DebugServerQueryInterface
UuidCreate
CStdStubBuffer_QueryInterface
api-ms-win-core-heap-l1-2-0
GetProcessHeap
HeapFree
HeapAlloc
api-ms-win-core-console-l1-1-0
WriteConsoleW
api-ms-win-core-datetime-l1-1-1
GetTimeFormatA
GetDateFormatW
GetTimeFormatW
GetDateFormatA
api-ms-win-core-memory-l1-1-2
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
api-ms-win-core-debug-l1-1-1
OutputDebugStringA
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-shlwapi-legacy-l1-1-0
PathFindFileNameW
api-ms-win-core-kernel32-legacy-l1-1-1
FindResourceW
LoadLibraryW
api-ms-win-core-heap-obsolete-l1-1-0
LocalReAlloc
LocalAlloc
LocalFree
api-ms-win-core-string-obsolete-l1-1-0
lstrcmpW
lstrcmpiW
lstrlenW
api-ms-win-core-localization-obsolete-l1-2-0
LCIDToLocaleName
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
api-ms-win-core-url-l1-1-0
UrlGetPartW
api-ms-win-security-activedirectoryclient-l1-1-0
DsUnBindW
certca
ord823
ord820
ord454
ord438
ord468
ord456
ord458
ord462
ord449
ord436
ord435
ord440
ord479
ord819
ord486
ord405
ord404
ord487
ord801
ord813
ord485
ord445
ord869
ord809
ord708
ord601
ord602
ord707
ord824
ord838
ord420
ord414
ord413
ord843
ord416
ord844
ord430
ord703
ord442
ord434
ord444
ord450
ord845
ord847
ord412
ord808
ord453
ord452
ord706
ord839
ord841
ord840
ord704
ord705
ord802
ord842
ord446
ord467
ord460
ord457
ord455
ord846
combase
ord15
ord19
ord34
ord21
ord8
ord20
ord2
ord9
ord5
ord12
ord10
ord32
ord17
ord6
ord14
ord22
ord7
ord16
ord11
ord33
ord13
ord18
api-ms-win-core-threadpool-l1-2-0
FreeLibraryWhenCallbackReturns
CallbackMayRunLong
TrySubmitThreadpoolCallback
api-ms-win-core-threadpool-legacy-l1-1-0
QueueUserWorkItem
api-ms-win-core-atoms-l1-1-0
GlobalGetAtomNameW
api-ms-win-core-apiquery-l1-1-0
ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1
DelayLoadFailureHook
ResolveDelayLoadedAPI
api-ms-win-shell-shellfolders-l1-1-0
SHGetFolderPathW
Exports
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace
Sections
.text Size: 2.2MB - Virtual size: 2.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.orpc Size: 512B - Virtual size: 359B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 28KB - Virtual size: 31KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 78KB - Virtual size: 78KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 201KB - Virtual size: 201KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 34KB - Virtual size: 34KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ