certcli[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

certcli.dll
Size

435KB
MD5

23987aee5746362b1e9af0992936bc08
SHA1

1cc8ad5637e5f9e7fb3cd671a09dca90d6434643
SHA256

5ea42172f8dad53838692b6c25facc692c51632066dbe79fc240bd26d1956b68
SHA512

d33ff54bbf3917e96b4022b14c9b43c344ef9a83b01c72d5e8e2d2c6f95593f97586fd7e7cc18715b4190002b44d8301d1b4da9e6c4e91f064258f633b0212ce
SSDEEP

6144:/onneC3MWoJNL2IYk7J0kUEv76KNYAPMofBw80wE:wboLYk7J0kIKNLx5P

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
certcli.dll

Files

certcli.dll
.dll regsvr32 windows:6 windows x64 arch:x64

61cc831d0c439d461979e687a74deae1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

certcli.pdb

Imports

certca

ord839
ord819
ord823
ord602
ord444
ord450
ord445
ord435
ord813
ord705
ord818
ord817
ord707
ord601
ord838
ord824
ord840
ord412
ord405
ord841
ord842
ord404
ord414
ord413
ord411

msvcrt

memcpy
memcmp
_CxxThrowException
free
wcsncpy_s
malloc
memcpy_s
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
__C_specific_handler
memset
wcsncmp
towupper
iswlower
towlower
iswupper
strcmp
wcscspn
iswxdigit
iswalpha
swscanf
isxdigit
__isascii
_vsnprintf
wcsrchr
atoi
strchr
isdigit
_wcsicmp
iswspace
iswdigit
_wcsnicmp
_strnicmp
bsearch
wcscmp
_purecall
wcschr
_vsnwprintf
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
memmove
wcsstr
_wtoi

ntdll

EtwTraceMessage
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

advapi32

GetTokenInformation
FreeSid
OpenProcessToken
AllocateAndInitializeSid
CryptSetProvParam
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptDecrypt
CryptEncrypt
CryptGetProvParam
CryptExportKey
CryptReleaseContext
CryptDestroyHash
RevertToSelf
RegQueryValueExW
RegDeleteValueW
RegQueryInfoKeyW
RegCreateKeyExW
RegSetValueExW
DeregisterEventSource
ReportEventW
RegisterEventSourceW
CryptSetKeyParam
CryptSetHashParam
CryptDuplicateKey
CryptContextAddRef
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
CreateWellKnownSid
LookupAccountSidW
ImpersonateLoggedOnUser
RegEnumValueW
RegConnectRegistryW
CryptDestroyKey
CryptGetUserKey
CryptSignHashW
CryptVerifySignatureW
QueryServiceConfigW
ControlService
WaitServiceState
ChangeServiceConfigW
StartServiceW
OpenServiceW
OpenSCManagerW
CloseServiceHandle
CryptGetKeyParam
EqualSid

crypt32

CertStrToNameW
CertOpenStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertCloseStore
CertGetCertificateChain
CertFreeCertificateChain
CertCreateCertificateContext
CertFindCertificateInStore
CertSetStoreProperty
CryptAcquireCertificatePrivateKey
CryptFindOIDInfo
CertGetCertificateContextProperty
CertFindExtension
CryptHashCertificate
CryptHashPublicKeyInfo
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertEnumCertificatesInStore
CertAddCertificateLinkToStore
CryptImportPublicKeyInfoEx2
CryptSignMessage
CryptDecodeObject
CertGetNameStringW
CertNameToStrW
CryptStringToBinaryW
CryptEncodeObjectEx
CryptDecodeObjectEx
CryptMsgOpenToDecode
CryptMsgUpdate
CryptMsgGetParam
CryptMsgClose
CryptExportPublicKeyInfo
CryptImportPublicKeyInfo
CertComparePublicKeyInfo

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
LCIDToLocaleName
SearchPathW
GetSystemDefaultUILanguage
GetLocaleInfoW
GetUserDefaultUILanguage
ExpandEnvironmentStringsW
GetDateFormatA
GetTimeFormatA
SetEndOfFile
Sleep
SetFilePointer
WriteFile
GetCommandLineW
WideCharToMultiByte
GetLocalTime
OpenProcess
OutputDebugStringA
GetSystemDirectoryW
CompareStringW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetVersionExW
FoldStringW
FormatMessageW
lstrcmpW
GetComputerNameExW
GetComputerNameW
GetTimeFormatW
GetDateFormatW
IdnToUnicode
SetLastError
DelayLoadFailureHook
ResolveDelayLoadedAPI
LocalFileTimeToFileTime
SystemTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
CompareFileTime
UnregisterWait
RegisterWaitForSingleObject
CreateEventW
GetCurrentThread
GetCurrentProcess
DuplicateHandle
GetTickCount
HeapAlloc
HeapFree
GetProcessHeap
GetACP
CloseHandle
ReadFile
GetFileSize
CreateFileW
LocalReAlloc
LocalAlloc
LocalFree
DisableThreadLibraryCalls
InitializeCriticalSection
FindResourceExW
LoadResource
SizeofResource
MultiByteToWideChar
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetLastError
GetProcAddress
LoadLibraryExW
GetModuleHandleW
GetModuleFileNameW
DeleteCriticalSection
FreeLibrary
lstrcmpiW

rpcrt4

RpcMgmtInqServerPrincNameW
RpcBindingSetAuthInfoW
RpcStringFreeW
RpcNetworkIsProtseqValidW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcEpResolveBinding
RpcBindingFree
RpcCancelThreadEx
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrDllGetClassObject
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree
NdrOleAllocate
CStdStubBuffer_CountRefs
IUnknown_Release_Proxy
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_QueryInterface
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Invoke
CStdStubBuffer_Connect
RpcBindingSetAuthInfoExW
RpcExceptionFilter
NdrClientCall3

wldap32

ord18
ord12
ord167
ord147
ord127
ord41
ord224
ord140
ord26
ord16
ord13
ord210

Exports

Exports

AddOrRemoveOCSPISAPIExtension
CAAccessCheck
CAAccessCheckEx
CAAddCACertificateType
CAAddCACertificateTypeEx
CACertTypeAccessCheck
CACertTypeAccessCheckEx
CACertTypeAuthzAccessCheck
CACertTypeGetSecurity
CACertTypeQuery
CACertTypeRegisterQuery
CACertTypeSetSecurity
CACertTypeUnregisterQuery
CACloneCertType
CACloseCA
CACloseCertType
CACountCAs
CACountCertTypes
CACreateAutoEnrollmentObjectEx
CACreateCertType
CACreateLocalAutoEnrollmentObject
CACreateNewCA
CADCSetCertTypePropertyEx
CADeleteCA
CADeleteCAEx
CADeleteCertType
CADeleteCertTypeEx
CADeleteLocalAutoEnrollmentObject
CAEnumCertTypes
CAEnumCertTypesEx
CAEnumCertTypesForCA
CAEnumCertTypesForCAEx
CAEnumFirstCA
CAEnumNextCA
CAEnumNextCertType
CAFindByCertType
CAFindByIssuerDN
CAFindByName
CAFindCertTypeByName
CAFreeCAProperty
CAFreeCertTypeExtensions
CAFreeCertTypeProperty
CAGetAccessRights
CAGetCACertificate
CAGetCAExpiration
CAGetCAFlags
CAGetCAProperty
CAGetCASecurity
CAGetCertTypeAccessRights
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAGetCertTypeExtensionsEx
CAGetCertTypeFlags
CAGetCertTypeFlagsEx
CAGetCertTypeKeySpec
CAGetCertTypeProperty
CAGetCertTypePropertyEx
CAGetConfigStringFromUIPicker
CAGetDN
CAInstallDefaultCertType
CAInstallDefaultCertTypeEx
CAIsCertTypeCurrent
CAIsCertTypeCurrentEx
CAIsCertTypeValid
CAIsValid
CAOIDAdd
CAOIDAddEx
CAOIDCreateNew
CAOIDCreateNewEx
CAOIDDelete
CAOIDDeleteEx
CAOIDFreeLdapURL
CAOIDFreeProperty
CAOIDGetLdapURL
CAOIDGetProperty
CAOIDGetPropertyEx
CAOIDSetProperty
CAOIDSetPropertyEx
CARemoveCACertificateType
CARemoveCACertificateTypeEx
CASetCACertificate
CASetCAExpiration
CASetCAFlags
CASetCAProperty
CASetCASecurity
CASetCertTypeExpiration
CASetCertTypeExtension
CASetCertTypeFlags
CASetCertTypeFlagsEx
CASetCertTypeKeySpec
CASetCertTypeProperty
CASetCertTypePropertyEx
CAUpdateCA
CAUpdateCAEx
CAUpdateCertType
CAUpdateCertTypeEx
CSPrintAssert
CSPrintError
CSPrintErrorLineFile
CSPrintErrorLineFile2
CSPrintErrorLineFileData
CSPrintErrorLineFileData2
CertcliGetDetailedCertcliVersionString
DbgIsSSActive
DbgLogStringInit
DbgLogStringInit2
DbgPrintf
DbgPrintfInit
DbgPrintfW
DecodeFileW
DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
EnableASPInIIS
EnableISAPIExtension
EncodeToFileW
IsASPEnabledInIIS
IsASPEnabledInIIS_New
IsISAPIExtensionEnabled
RemoveISAPIExtension
RemoveVDir
SplitConfigString
WszToMultiByteInteger
WszToMultiByteIntegerBuf
caTranslateFileTimePeriodToPeriodUnits
myAddShare
myCAPropGetDisplayName
myCAPropInfoLookup
myCAPropInfoUnmarshal
myCryptBinaryToString
myCryptBinaryToStringA
myCryptStringToBinary
myCryptStringToBinaryA
myDoesDSExist@209
myEnablePrivilege
myFreeColumnDisplayNames
myGenerateGuidSerialNumber
myGenerateGuidString
myGetErrorMessageText
myGetErrorMessageText1
myGetErrorMessageTextEx
myGetHashAlgorithmOIDInfoFromSignatureAlgorithm
myGetSidFromDomain
myGetTargetMachineDomainDnsName
myHExceptionCode
myHExceptionCodePrint
myHGetLastError
myHResultToString
myHResultToStringRaw
myIsDelayLoadHResult
myJetHResult
myLogExceptionInit
myModifyVirtualRootsAndFileShares
myNetLogonUser
myOIDHashOIDToString
myRevertSanitizeName
myRobustLdapBind
myRobustLdapBindEx
mySanitizeName
mySanitizedNameToDSName
mySanitizedNameToShortName
mylstrcmpiL

Sections

.text
Size: 387KB - Virtual size: 386KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 1024B - Virtual size: 529B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

61cc831d0c439d461979e687a74deae1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

certca

msvcrt

ntdll

advapi32

crypt32

kernel32

rpcrt4

wldap32

Exports

Exports

Sections

.text Size: 387KB - Virtual size: 386KB

.orpc Size: 1024B - Virtual size: 529B

.data Size: 5KB - Virtual size: 7KB

.pdata Size: 10KB - Virtual size: 9KB

.idata Size: 10KB - Virtual size: 9KB

.didat Size: 1024B - Virtual size: 800B

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 387KB - Virtual size: 386KB

.orpc
Size: 1024B - Virtual size: 529B

.data
Size: 5KB - Virtual size: 7KB

.pdata
Size: 10KB - Virtual size: 9KB

.idata
Size: 10KB - Virtual size: 9KB

.didat
Size: 1024B - Virtual size: 800B

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 8KB - Virtual size: 8KB