CertEnroll[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CertEnroll.dll
Size

2.7MB
MD5

a630c25e21f36991c23268cdeddffef9
SHA1

74c1d995050545df6dc02969d87f86a35add1094
SHA256

16f8349cfaadac04ee113cea483e34e5e0da32c217cba1846ea71536f96bc4eb
SHA512

ffd99f7ca28c51adf84af096dc08768b8bf4c970bd6c47a26623b69c618dcf9fd42ce0ce4143d296be1f325fda905102c3b5d9daab7d71a5b9c1073fc19951cd
SSDEEP

49152:aUXHRQ0WEYy1O2XaBxb2ArCA5dtNZ+M3Pyj7Gr8r2TtKPke:aigBxqATtP+M3PO7Gr8r2

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
CertEnroll.dll

Files

CertEnroll.dll
.dll regsvr32 windows:10 windows x86 arch:x86

042555615a5c8fa93114be40a43a9d0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CertEnroll.pdb

Imports

msvcrt

calloc
__isascii
ispunct
_callnewh
__CxxFrameHandler3
_CxxThrowException
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
_except_handler4_common
memcpy
memcmp
_ftol2_sse
_CIpow
__iob_func
??1type_info@@UAE@XZ
_lock
_unlock
__dllonexit
memmove
qsort
wcsstr
srand
wcschr
_stricmp
rand
_wcsnicmp
_itow
_wtoi
iswdigit
?what@exception@@UBEPBDXZ
_wcsicmp
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
??0exception@@QAE@ABQBD@Z
_vsnwprintf
free
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@XZ
memmove_s
memcpy_s
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
strcspn
fprintf
wcscspn
fflush
fclose
fopen
_wgetenv
fseek
ftell
fwrite
iswalpha
strchr
getenv
_vsnprintf
iswxdigit
iswspace
wcsncmp
isdigit
atoi
strncmp
fputws
ferror
_wfopen_s
fwprintf
vfwprintf
towlower
iswupper
iswlower
towupper
_strnicmp
bsearch
realloc
_errno
wcsrchr
_onexit
memset

certca

ord847
ord704
ord454
ord802
ord842
ord446
ord467
ord460
ord457
ord455
ord846
ord452
ord438
ord453
ord845
ord450
ord823
ord444
ord434
ord468
ord456
ord458
ord442
ord703
ord820
ord430
ord449
ord436
ord844
ord416
ord843
ord413
ord414
ord420
ord435
ord838
ord824
ord707
ord602
ord840
ord445
ord801
ord839
ord841
ord440
ord809
ord601
ord705
ord479
ord869
ord412
ord485
ord813
ord808
ord487
ord404
ord405
ord486
ord462
ord819

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
AcquireSRWLockShared
EnterCriticalSection
ReleaseMutex
WaitForSingleObjectEx
ReleaseSRWLockExclusive
ReleaseSRWLockShared
SetEvent
ReleaseSemaphore
AcquireSRWLockExclusive
DeleteCriticalSection
InitializeSRWLock
CreateEventExW
WaitForSingleObject
CreateSemaphoreExW
InitializeCriticalSection
CreateEventW
CreateMutexExW
OpenSemaphoreW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
RaiseException
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetModuleFileNameW
DisableThreadLibraryCalls
GetProcAddress
LoadResource
FindResourceExW
FreeLibrary
LoadStringW
LockResource
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
SizeofResource

api-ms-win-core-registry-l1-1-0

RegDeleteValueW
RegDeleteKeyExW
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegOpenCurrentUser
RegQueryValueExW
RegQueryInfoKeyW
RegGetValueW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-string-l2-1-0

CharLowerW
CharNextW

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
FoldStringW
MultiByteToWideChar
CompareStringW
WideCharToMultiByte
CompareStringEx

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetLocalTime
GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime
GetVersionExW
GetSystemTime

crypt32

CertGetNameStringW
CryptFindOIDInfo
CertFreeCRLContext
CertCloseStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenStore
CryptDecodeObject
CertSetCertificateContextProperty
CryptProtectData
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CryptEncodeObjectEx
CertFreeCertificateChain
CertCreateCRLContext
CryptExportPublicKeyInfoEx
CertSerializeCertificateStoreElement
PFXImportCertStore
CertGetSubjectCertificateFromStore
CryptMsgControl
CryptMsgGetParam
CryptMsgUpdate
CryptMsgOpenToEncode
CryptHashPublicKeyInfo
CertEnumCertificateContextProperties
CryptSignCertificate
CryptHashCertificate2
CertComparePublicKeyInfo
CertGetPublicKeyLength
CryptVerifyCertificateSignatureEx
CryptRegisterOIDInfo
CryptEnumOIDInfo
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertRegisterPhysicalStore
CertGetCRLContextProperty
CryptMsgOpenToDecode
CertFindCTLInStore
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertDuplicateCertificateContext
CryptHashCertificate
CertDuplicateStore
CryptAcquireCertificatePrivateKey
CryptVerifyMessageSignature
CryptMsgCalculateEncodedLength
CryptMsgDuplicate
CryptMemFree
CryptVerifyTimeStampSignature
CryptUnprotectMemory
CryptProtectMemory
PFXExportCertStoreEx
CertAddSerializedElementToStore
CertFreeCertificateChainList
CertSelectCertificateChains
CryptImportPublicKeyInfoEx2
CertAddEncodedCertificateToStore
CertAddCertificateLinkToStore
CertDeleteCertificateFromStore
CertControlStore
CryptMsgGetAndVerifySigner
CertFindAttribute
CryptQueryObject
CertGetIssuerCertificateFromStore
CryptMsgClose
CertFindExtension
CryptEncryptMessage
CertSaveStore
CryptVerifyCertificateSignature
CryptDecodeObjectEx
CertCreateCertificateContext
CryptExportPKCS8
CertGetEnhancedKeyUsage
CertNameToStrW
CryptBinaryToStringW
CertVerifySubjectCertificateContext
CryptImportPublicKeyInfo
CertGetIntendedKeyUsage
CertStrToNameW
PFXIsPFXBlob
CryptDecryptMessage
CryptSignMessage
CryptFormatObject
CryptStringToBinaryW

api-ms-win-core-file-l1-1-0

LocalFileTimeToFileTime
FindClose
FindNextFileW
DeleteFileW
FindFirstFileW
GetTempFileNameW
GetFullPathNameW
GetFileTime
FileTimeToLocalFileTime
GetFileType
CompareFileTime
CreateDirectoryW
CreateFileW
GetFileSize
SetEndOfFile
SetFilePointer
WriteFile

api-ms-win-core-localization-l1-2-0

GetACP
IdnToAscii
IdnToUnicode
GetLocaleInfoW
FormatMessageW

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
GetCommandLineW
ExpandEnvironmentStringsW
SearchPathW
GetStdHandle

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
RevertToSelf
GetSecurityDescriptorLength
SetSecurityDescriptorControl
CreateWellKnownSid
IsValidSecurityDescriptor
EqualSid
GetTokenInformation
CopySid
FreeSid
GetLengthSid
DuplicateTokenEx
AllocateAndInitializeSid

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-processthreads-l1-1-0

GetProcessId
CreateThread
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess
OpenProcessToken

dsparse

DsGetRdnW

rpcrt4

NdrStubForwardingFunction
CStdStubBuffer_Invoke
UuidToStringW
UuidCreate
CStdStubBuffer_DebugServerQueryInterface
UuidFromStringW
UuidIsNil
NdrCStdStubBuffer_Release
IUnknown_AddRef_Proxy
RpcStringFreeW
NdrDllCanUnloadNow
NdrDllGetClassObject
NdrStubCall2
NdrClientCall4
RpcBindingFree
RpcEpResolveBinding
RpcStringBindingComposeW
RpcBindingFromStringBindingW
CStdStubBuffer_Connect
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
RpcBindingSetAuthInfoExW
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrOleAllocate
CStdStubBuffer_QueryInterface
NdrCStdStubBuffer2_Release
CStdStubBuffer_CountRefs
RpcExceptionFilter
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient21
ObjectStublessClient18
NdrProxyForwardingFunction3
ObjectStublessClient20
CStdStubBuffer2_Connect
ObjectStublessClient16
ObjectStublessClient22
ObjectStublessClient10
ObjectStublessClient17
ObjectStublessClient15
ObjectStublessClient23
ObjectStublessClient9
CStdStubBuffer2_Disconnect
ObjectStublessClient7
ObjectStublessClient13
ObjectStublessClient12
ObjectStublessClient8
CStdStubBuffer2_QueryInterface
ObjectStublessClient19
ObjectStublessClient6
ObjectStublessClient14
ObjectStublessClient11
NdrProxyForwardingFunction5
CStdStubBuffer2_CountRefs
NdrProxyForwardingFunction4
ObjectStublessClient3

api-ms-win-core-synch-l1-2-0

WakeAllConditionVariable
InitOnceExecuteOnce
SleepConditionVariableSRW
Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
OutputDebugStringA
IsDebuggerPresent

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-datetime-l1-1-0

GetDateFormatA
GetTimeFormatW
GetTimeFormatA
GetDateFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-psapi-l1-1-0

K32GetProcessImageFileNameW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-threadpool-l1-2-0

TrySubmitThreadpoolCallback
FreeLibraryWhenCallbackReturns
CallbackMayRunLong

api-ms-win-core-url-l1-1-0

UrlGetPartW

api-ms-win-security-activedirectoryclient-l1-1-0

DsUnBindW

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-security-logon-l1-1-0

LogonUserExW

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-localization-obsolete-l1-2-0

GetSystemDefaultUILanguage
GetUserDefaultUILanguage

ntdll

RtlCapabilityCheck
RtlCheckTokenMembershipEx
RtlCheckTokenMembership
RtlSubAuthoritySid
RtlInitializeSid
RtlGetPersistedStateLocation
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
RtlCheckTokenCapability
NtQueryInformationToken
WinSqmIncrementDWORD
WinSqmSetString
RtlInitUnicodeString
NtQuerySystemInformationEx
EtwTraceMessage
RtlNtStatusToDosError
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
RtlEqualSid

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

CreateLogonCertificateRequest
DeleteLogonCertificateRequest
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
ImportPFXToProvider
ImportPFXToProviderFreeData
InstallLogonCertificateResponse
IsLogonCertificateTemplateAvailable
LogCertArchive
LogCertCopy
LogCertDelete
LogCertExpire
LogCertExport
LogCertImport
LogCertInstall
LogCertReplace
UpdateMachinePolicyConfigurationForTemplate

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 161KB - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

042555615a5c8fa93114be40a43a9d0b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

certca

api-ms-win-core-synch-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

crypt32

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processthreads-l1-1-0

dsparse

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-localization-l1-2-2

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-url-l1-1-0

api-ms-win-security-activedirectoryclient-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-logon-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.data Size: 14KB - Virtual size: 18KB

.idata Size: 15KB - Virtual size: 14KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 223KB - Virtual size: 222KB

.reloc Size: 161KB - Virtual size: 161KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 14KB - Virtual size: 18KB

.idata
Size: 15KB - Virtual size: 14KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 223KB - Virtual size: 222KB

.reloc
Size: 161KB - Virtual size: 161KB