DeviceEnroller[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

DeviceEnroller.exe
Size

491KB
MD5

8ea01080321978dfe9cc50448346d4d2
SHA1

65eabca0c3fdfdabe3ad4aee65c048df1662401a
SHA256

1c39b60491752034fde7689ca2972ca9a2259d844fa71b275d1cffac7ae2a7a0
SHA512

0e968c5ef6ff063a4a9a1695410682be99f4fcf30b83107996f8832f3481b75e2cadc77e90bfdcbd18ef04fa255318fe36127f280a38797ef835107c6488680f
SSDEEP

6144:UyIW92gT0Jtxh6P9t/61KwBN5bZ8uISoxNRJhQZXWztcKPcIqf:p92gaEt/61KwBDZTyRdpB

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DeviceEnroller.exe

Files

DeviceEnroller.exe
.exe windows:10 windows x64 arch:x64

295965ddfea3bb77c621bca7b22306de

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

deviceenroller.pdb

Imports

msvcp110_win

?_Xbad_alloc@std@@YAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
?_BADOFF@std@@3_JB
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@J@Z
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?endl@std@@YAAEAV?$basic_ostream@GU?$char_traits@G@std@@@1@AEAV21@@Z

msvcrt

memmove
memcpy
__set_app_type
exit
_exit
_cexit
_ismbblead
__setusermatherr
_initterm
memcmp
_CxxThrowException
memset
??3@YAXPEAX@Z
__CxxFrameHandler3
??_V@YAXPEAX@Z
_vsnwprintf
memcpy_s
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
__C_specific_handler
_wcsicmp
srand
rand
_vsnwprintf_s
wcstod
strncpy_s
_set_errno
strtol
strchr
strrchr
sprintf_s
_wtoi
swprintf_s
_wcsnicmp
wcsncmp
wcsstr
free
memmove_s
malloc
_acmdln
wcsncpy_s
_callnewh
_XcptFilter
_amsg_exit
_fmode
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_commode
__getmainargs

dmenrollengine

GetEnrollmentAuthPolicy
GetEnrollmentClientCertThumbprint
MmpcDiscoverEndpoint
GetEnrollmentAadResourceUrl
ord1
GetEnrollmentType
ord7
GetEnrollmentCertStore
SetMmpcEnrollmentFlag
ord10
GetIsRecoveryAllowed
GetEnrollmentEntDmId
GetEnrollmentPartnerOpaqueID
GetEnrollmentState
EnrollEngineInitialize
SetEnrollState
ord3
GetEnrollmentTenantID
GetEnrollmentSID

dmcmnutils

IsPhoneOS
DmRaiseToastNotificationAndWait
DmDisableTask
DmRaiseToastNotification
DmGetAadDeviceToken
InvStrCmpIW
OmaDmRegistryGetString
DmGetAadUserToken
HexStringToBinary
BigStrcat
OmaDmRegistrySetBinary
OmaDmRegistrySetString
OmDmRegistryAllocAndGetString
OmaDmRegistrySetDWORD
OmaDmRegistryGetAllSubKeys
SafeWideCharToMultiByte
DmRemoveToastNotification
UnicodeToMB
MBToUnicode
DmRevertToSelf
DmImpersonate
OmaDmRegistryDeleteValue
OmaDmRegistryGetDWORD
DmRemoveToastNotificationByExecutablePath
DmDeleteTask
DmGetCurrentUserSid
DmGetActiveUserSid
CopyString
DmGetUserPermission

omadmapi

ord103
ord105
ord114
ord104
ord54
ord23
ord64
ord37
ord18
ord47
ord22
ord52
ord34
ord102
ord101
ord56

ntdll

RtlGetDeviceFamilyInfoEnum
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlIsMultiUsersInSessionSku
RtlIsStateSeparationEnabled
RtlNtStatusToDosErrorNoTeb
NtDeleteWnfStateName
NtCreateWnfStateName
RtlNtStatusToDosError

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

combase

ord69
ord154

umpdc

PdcActivationClientUnregister
PdcActivationClientRegister
PdcActivationClientActivityRequest

xmllite

CreateXmlReaderInputWithEncodingName
CreateXmlReader

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

dmenterprisediagnostics

RecordDiagnosticsError

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetModuleFileNameA
LoadStringW
SizeofResource
GetModuleFileNameW
GetModuleHandleExW
LoadLibraryExW
GetModuleHandleW
LoadResource
GetProcAddress
FindResourceExW
LockResource

api-ms-win-core-synch-l1-1-0

CreateEventExW
ReleaseSemaphore
InitializeCriticalSectionEx
WaitForSingleObject
ResetEvent
CreateSemaphoreExW
CreateEventW
AcquireSRWLockShared
WaitForMultipleObjectsEx
InitializeCriticalSection
LeaveCriticalSection
ReleaseMutex
ReleaseSRWLockExclusive
OpenEventW
DeleteCriticalSection
ReleaseSRWLockShared
AcquireSRWLockExclusive
EnterCriticalSection
SetEvent
WaitForSingleObjectEx
CreateMutexExW
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
RaiseException

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetCurrentThreadId
OpenProcessToken
OpenThreadToken
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
GetCurrentThread

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoInitialize
RoActivateInstance
RoUninitialize

api-ms-win-core-debug-l1-1-0

OutputDebugStringA
DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

oleaut32

VarUI4FromStr
VariantClear
SysFreeString
SafeArrayCreate
VariantTimeToSystemTime
SafeArrayLock
SysAllocString
SysStringByteLen
SysAllocStringByteLen
SafeArrayGetLBound
SafeArrayUnlock
VariantInit
VariantChangeTypeEx
SafeArrayGetUBound
SysAllocStringLen
SafeArrayDestroy

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventActivityIdControl
EventRegister
EventSetInformation

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
WakeAllConditionVariable
Sleep
InitOnceComplete
SleepConditionVariableSRW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupPrivilegeValueW
LookupAccountSidW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteTreeW
RegGetValueW
RegOpenCurrentUser
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

samcli

NetUserGetInfo
NetLocalGroupAddMembers
NetLocalGroupGetMembers

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-url-l1-1-0

UrlUnescapeW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenA

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
CopySid
RevertToSelf
AdjustTokenPrivileges
GetLengthSid
GetTokenInformation

netutils

NetApiBufferFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetTickCount64
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime
CompareFileTime

sspicli

GetUserNameExW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

crypt32

CertCloseStore
CertOpenStore
CertFindCertificateInStore
CertFreeCertificateContext

declaredconfiguration

DMOrchestratorRefresh
DMOrchestratorRefreshPerEnrollment

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 324KB - Virtual size: 324KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 126KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

295965ddfea3bb77c621bca7b22306de

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp110_win

msvcrt

dmenrollengine

dmcmnutils

omadmapi

ntdll

api-ms-win-core-apiquery-l1-1-0

combase

umpdc

xmllite

api-ms-win-shcore-stream-l1-1-0

dmenterprisediagnostics

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

samcli

api-ms-win-core-string-l2-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-base-l1-1-0

netutils

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-file-l1-1-0

sspicli

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-registry-l2-1-0

crypt32

declaredconfiguration

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 324KB - Virtual size: 324KB

.rdata Size: 126KB - Virtual size: 126KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 13KB - Virtual size: 12KB

.didat Size: 512B - Virtual size: 472B

.rsrc Size: 20KB - Virtual size: 19KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 324KB - Virtual size: 324KB

.rdata
Size: 126KB - Virtual size: 126KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 13KB - Virtual size: 12KB

.didat
Size: 512B - Virtual size: 472B

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 1KB - Virtual size: 1KB