CertEnroll[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CertEnroll.dll
Size

2.0MB
MD5

3fba81d4ad2fb0437033b8f106a53856
SHA1

6360ed0b45aa40a504999ab5ba43e2e0a513562a
SHA256

68632bd17927969cedb1f9cecff66714fa35a5b093ea7950e3303465fe450859
SHA512

7fd07ccd1e566f9e110b6777cfb74f4768188e2d50ce5dcc0be1efd6a08ed6986247cae5ff5ffb914204c0ace3ec7ce3d56f65c79b7bc2db93e8e04cc0be3d3c
SSDEEP

49152:rgpBRaCOORu4sdShDAwUvsm9o96ZiaPddktaCwaLtmE3C:M82sdShDAwUvsm9o96Zievk

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CertEnroll.dll

Files

CertEnroll.dll
.dll regsvr32 windows:6 windows x86 arch:x86

0f2833d90e717b513a903d5595cdb267

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CertEnroll.pdb

Imports

msvcrt

_wgetenv
strchr
getenv
isdigit
atoi
strncmp
fputws
fflush
ferror
_wfopen_s
fwprintf
fclose
strcspn
iswlower
fprintf
towlower
fopen
_errno
ftell
iswupper
fwrite
_vsnprintf
__iob_func
vfwprintf
memmove
wcsrchr
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
calloc
qsort
wcsstr
srand
wcschr
_stricmp
_lock
wcscspn
iswxdigit
towupper
memset
iswspace
iswalpha
_CxxThrowException
__CxxFrameHandler3
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
??1type_info@@UAE@XZ
fseek
_strnicmp
bsearch
rand
_itow
_wtoi
iswdigit
?what@exception@@UBEPBDXZ
_wcsicmp
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
_unlock
__dllonexit
??0exception@@QAE@ABQBD@Z
_onexit
free
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
realloc
_except_handler4_common
memcmp
??0exception@@QAE@XZ
_ftol2_sse
_CIpow
wcsncmp
memmove_s
memcpy_s
_wcsnicmp
_vsnwprintf
memcpy

ntdll

RtlEqualSid
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
RtlAllocateHeap
RtlFreeHeap
RtlAllocateAndInitializeSid
NtQueryInformationToken
RtlFreeSid
RtlCheckTokenCapability
WinSqmSetString
WinSqmIncrementDWORD
EtwTraceMessage
RtlInitUnicodeString
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
NtQueryInformationProcess

crypt32

CryptFindOIDInfo
CryptVerifyCertificateSignature
CryptDecodeObjectEx
CryptMsgOpenToDecode
CertGetEnhancedKeyUsage
CertNameToStrW
CryptBinaryToStringW
CertVerifySubjectCertificateContext
CertControlStore
CertGetCRLContextProperty
CryptStringToBinaryW
CertSaveStore
CryptExportPublicKeyInfo
CertDeleteCertificateFromStore
CryptHashCertificate
CertDuplicateCertificateContext
CertFindCTLInStore
CertRegisterPhysicalStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptMsgCalculateEncodedLength
CryptVerifyMessageSignature
CryptVerifyTimeStampSignature
CryptMemFree
CryptUnprotectMemory
CryptProtectMemory
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CryptEncryptMessage
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetCertificateChain
CertGetNameStringW
CryptMsgClose
CryptProtectData
CertSetCertificateContextProperty
CryptSignCertificate
CryptDecodeObject
CertOpenStore
CertFindCertificateInStore
CertGetCertificateContextProperty
CertCloseStore
CertFindExtension
CryptSignMessage
CryptDecryptMessage
CertGetIssuerCertificateFromStore
CryptFormatObject
PFXImportCertStore
CertStrToNameW
CertGetIntendedKeyUsage
CryptAcquireCertificatePrivateKey
CertFindAttribute
CryptMsgGetAndVerifySigner
CertComparePublicKeyInfo
CertAddCertificateLinkToStore
CertAddEncodedCertificateToStore
PFXExportCertStoreEx
CertDuplicateStore
CryptEnumOIDInfo
CryptRegisterOIDInfo
CryptVerifyCertificateSignatureEx
CertGetPublicKeyLength
CryptHashCertificate2
CertEnumCertificateContextProperties
CryptHashPublicKeyInfo
CertFreeCRLContext
CertCreateCRLContext
CertGetSubjectCertificateFromStore
CryptMsgOpenToEncode
CertCreateCertificateContext
CertFreeCertificateContext
CryptMsgUpdate
CryptImportPublicKeyInfo
CryptEncodeObjectEx
CryptQueryObject
CryptMsgGetParam
CryptMsgControl

api-ms-win-core-synch-l1-2-0

Sleep
SetEvent
WaitForSingleObject
InitOnceExecuteOnce
InitializeSRWLock
CreateEventExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateEventW
InitializeCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
SetLastError
GetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
SizeofResource
GetModuleFileNameW
LoadResource
LockResource
FindResourceExW
LoadStringW
GetModuleHandleW
GetModuleHandleExW
GetProcAddress
FreeLibrary
DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumValueW
RegQueryValueExW
RegOpenCurrentUser
RegDeleteValueW
RegDeleteKeyExW

api-ms-win-core-string-l2-1-0

CharLowerW
CharNextW

api-ms-win-core-string-l1-1-0

FoldStringW
MultiByteToWideChar
CompareStringOrdinal
WideCharToMultiByte
CompareStringW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetComputerNameExW
GetSystemTime
GetTickCount
GetVersionExW
GetLocalTime

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-file-l1-2-1

LocalFileTimeToFileTime
FindClose
CreateFileW
WriteFile
GetFileType
FindNextFileW
DeleteFileW
FindFirstFileW
FileTimeToLocalFileTime
CompareFileTime
SetEndOfFile
SetFilePointer
GetFullPathNameW
GetFileTime
GetTempFileNameW
GetTempPathW
CreateDirectoryW
GetFileSize

api-ms-win-core-localization-l1-2-1

IdnToUnicode
FormatMessageW
IdnToAscii
GetLocaleInfoW
GetACP

api-ms-win-core-processenvironment-l1-2-0

GetEnvironmentVariableW
GetCommandLineW
ExpandEnvironmentStringsW
GetStdHandle
SearchPathW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-processthreads-l1-1-2

OpenProcess
OpenProcessToken
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
CreateThread
TerminateProcess
GetProcessId

api-ms-win-security-base-l1-2-0

CreateWellKnownSid
GetTokenInformation
EqualSid
SetSecurityDescriptorControl
RevertToSelf
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CopySid
GetLengthSid
AllocateAndInitializeSid
ImpersonateLoggedOnUser
FreeSid

rpcrt4

IUnknown_Release_Proxy
UuidCreate
RpcStringBindingComposeW
RpcEpResolveBinding
RpcBindingSetAuthInfoExW
RpcBindingFree
RpcStringFreeW
CStdStubBuffer_Connect
CStdStubBuffer_Invoke
RpcExceptionFilter
NdrClientCall2
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
IUnknown_AddRef_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_DebugServerQueryInterface
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
RpcBindingFromStringBindingW
NdrStubCall2
NdrDllGetClassObject
CStdStubBuffer_CountRefs
NdrOleAllocate
NdrStubForwardingFunction
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-datetime-l1-1-1

GetTimeFormatA
GetDateFormatW
GetDateFormatA
GetTimeFormatW

api-ms-win-core-memory-l1-1-2

UnmapViewOfFile
CreateFileMappingW
MapViewOfFile

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-core-kernel32-legacy-l1-1-1

FindResourceW
LoadLibraryW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrlenW
lstrcmpiW

api-ms-win-core-localization-obsolete-l1-2-0

GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LCIDToLocaleName

api-ms-win-core-url-l1-1-0

UrlGetPartW

api-ms-win-security-activedirectoryclient-l1-1-0

DsUnBindW

certca

ord445
ord823
ord820
ord454
ord438
ord468
ord456
ord458
ord462
ord449
ord436
ord435
ord440
ord479
ord819
ord813
ord708
ord486
ord809
ord847
ord706
ord487
ord485
ord412
ord869
ord601
ord602
ord707
ord824
ord838
ord420
ord414
ord413
ord843
ord416
ord844
ord430
ord703
ord442
ord434
ord404
ord801
ord808
ord444
ord450
ord405
ord839
ord841
ord840
ord704
ord705
ord802
ord842
ord446
ord467
ord460
ord457
ord455
ord846
ord452
ord453
ord845

combase

ord13
ord18
ord15
ord19
ord34
ord21
ord8
ord20
ord2
ord9
ord5
ord12
ord10
ord32
ord17
ord6
ord14
ord22
ord7
ord16
ord11
ord33

api-ms-win-core-threadpool-l1-2-0

FreeLibraryWhenCallbackReturns
CallbackMayRunLong
TrySubmitThreadpoolCallback

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-shell-shellfolders-l1-1-0

SHGetFolderPathW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace

Sections

.text
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 462B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

minATL
Size: 512B - Virtual size: 68B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0f2833d90e717b513a903d5595cdb267

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

crypt32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

rpcrt4

api-ms-win-core-heap-l1-2-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-debug-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-url-l1-1-0

api-ms-win-security-activedirectoryclient-l1-1-0

certca

combase

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-shell-shellfolders-l1-1-0

Exports

Exports

Sections

.text Size: 1.7MB - Virtual size: 1.7MB

.orpc Size: 512B - Virtual size: 462B

.data Size: 16KB - Virtual size: 19KB

.idata Size: 13KB - Virtual size: 12KB

minATL Size: 512B - Virtual size: 68B

.rsrc Size: 201KB - Virtual size: 201KB

.reloc Size: 104KB - Virtual size: 103KB

.text
Size: 1.7MB - Virtual size: 1.7MB

.orpc
Size: 512B - Virtual size: 462B

.data
Size: 16KB - Virtual size: 19KB

.idata
Size: 13KB - Virtual size: 12KB

minATL
Size: 512B - Virtual size: 68B

.rsrc
Size: 201KB - Virtual size: 201KB

.reloc
Size: 104KB - Virtual size: 103KB