Report #13097

Binary

DLL: False

Size: 131.00KB

trid: 41.0% Win32 Executable MS Visual C++; 36.3% Win64 Executable; 8.6% Win32 Dynamic Link Library; 5.9% Win32 Executable; 2.6% OS/2 Executable

type: PE

wordsize: 32

Subsystem: Windows GUI

Hashes

md5: 3d63bbe2d99e86342f617c565953e588

sha1: 56fdf1a9ee0c859a09abd3abe74e73d0ca8b2f6e

crc32: 0xf78daf8c

sha224: 864736ff18aa2c88ea82e9de0f2ee45d07b18b0a71e7ab8132f30272

sha256: d11495b9f9435b90da8aac0917519b4ae5a55bec0dfc44736379e8a7c07f4877

sha384: 021e5b91d5c1c66585e5c57fe83217d6c16a2ec7b159c5ac50a21fa2e5c0019eb3ced1e8841dce3adc927e55fa5d9ad1

sha512: de78ca07fe7c1321494c9d7bd6090fb0de5ad152f2a2985f9bee604925774b8eee59de65ee3388e34166898cffa1c4941ffb7a5dd43bdfd0d7b41088fd2238a0

ssdeep: 3072:EjZOz4JkxfcvpN/rTHu2UnZnr2lQyEyrVmL4vYs5VkfojjGmO1:2ixSpN3s4Vg4vYAVkfojjE1

Creation Date: Aug. 20, 2021, 12:55 a.m.

Last Update: Aug. 20, 2021, 12:58 a.m.

File: dmcertinst.exe

Results:

Community

Google: False

HashLib: False

YARA

Matches: VC8_Microsoft_Corporation, domain, contentis_base64, HasDebugData, HasRichSignature, win_mutex, Microsoft_Visual_Cpp_8, Visual_Cpp_2005_Release_Microsoft, IsPE32, IP, BASE64_table, IsWindowsGUI

Suspicious: True

Imports

ntdll.dll: RtlIsStateSeparationEnabled

RPCRT4.dll: UuidCreate

msvcrt.dll: memmove, memcpy, memcmp, _CxxThrowException, ??0exception@@QAE@ABQBD@Z, ?what@exception@@UBEPBDXZ, _wcsnicmp, memmove_s, strrchr, strchr, _initterm, __CxxFrameHandler3, strtol, _errno, _set_errno, strncpy_s, sprintf_s, _vsnprintf, swprintf_s, wcstoul, wcstok_s, ??3@YAXPAX@Z, wcscpy_s, _purecall, _vsnwprintf, _except_handler4_common, memcpy_s, _controlfp, ??1type_info@@UAE@XZ, ?terminate@@YAXXZ, _onexit, __dllonexit, _unlock, _lock, _wcmdln, memset, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _vsnprintf_s, _amsg_exit, __p__commode, _XcptFilter, _callnewh, free, malloc, _wcsicmp, wcsstr, wcsrchr, ??_V@YAXPAX@Z, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@XZ

CRYPT32.dll: CertGetCertificateContextProperty, CertOpenStore, CryptUnprotectData, CertFreeCertificateContext, CryptBinaryToStringW, CertDeleteCertificateFromStore, CertCloseStore, CryptEncodeObjectEx, CryptSetKeyIdentifierProperty, CertFindCertificateInStore

api-ms-win-core-com-l1-1-0.dll: CoCreateInstance, CoInitializeEx, CoCreateFreeThreadedMarshaler, GetHGlobalFromStream, CoUninitialize, CoGetApartmentType, CoWaitForMultipleHandles, CreateStreamOnHGlobal

api-ms-win-core-winrt-l1-1-0.dll: RoUninitialize, RoInitialize, RoActivateInstance

api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter

api-ms-win-core-registry-l1-1-0.dll: RegQueryInfoKeyW, RegDeleteTreeW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegDeleteKeyExW

api-ms-win-security-sddl-l1-1-0.dll: ConvertSidToStringSidW

Strings

List

dmcertinst.pdb
CRYPT32.dll
ncrypt.dll
com.microsoft:mdm.SCEPcertinstall.result
Windows.Internal.Management.Provision.SessionManager
api-ms-win-security-sddl-l1-1-0.dll
api-ms-win-core-registry-l1-1-0.dll
onecoreuap\admin\enterprisemgmt\enterprisecsps\v2\ngcutils\ngcutils.cpp
onecoreuap\admin\enterprisemgmt\enterprisecsps\v2\clientcertificates\scep\sceputils.cpp
onecoreuap\admin\enterprisemgmt\enrollactivities\dmcertinst\src\main.cpp
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll
3ntdll.dll
omadmapi.dll
DMAppsRes.dll
DMCmnUtils.dll
certenroll.dll
kernelbase.dll
dsreg.dll
ntdll.dll
/Install/Enroll
UMPDC.dll
/pkiclient.exe;
dmcertinst.exe
Microsoft.Windows.DeviceManagement.SCEP
Microsoft.Windows.EnterpriseManagement.Enrollment
SCEPInstallCertificateWithScepHelper:Failed to add attribute validity period units '%ls' to x509Attributes. Error 0x%x
Microsoft.Windows.Wil.FeatureLogging
SCEPInstallCertificateWithScepHelper:Failed to add attribute validity period '%ls' to x509Attributes. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to set parent window '%p'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to add crypt attribute to crypt attributes. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to put private key length '%d'. LogError 0x%x
Local\SM0:%d:%d:%hs
Windows.Internal.Management.Enrollment.Enroller
SCEPInstallCertificateWithScepHelper:Failed to initialize encode on attribute validity period units '%ls'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to add OID object for enhanced key usage '%S'. Error 0x%x
SCEPInstallCertificateWithScepHelper:TPM is detected as NOT available while current KSP setting is NOT allowed to fallback
SCEPInstallCertificateWithScepHelper:Failed to CoCreateInstance ICryptAttribute. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to initialize encode on attribute validity period '%ls'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to get crypt attributes from PKCS10 request. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to add key usage '%d' extension into extensions. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to add type '%d' with name '%ls' to SAN. Error 0x%x
%hs(%u)\%hs!%p:
%hs!%p:
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-winrt-l1-1-0.dll
api-ms-win-core-heap-obsolete-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
SCEPInstallCertificateWithScepHelper:Failed to initialize OID object for enhanced key usage '%S'. Error 0x%x
api-ms-win-core-threadpool-l1-2-0.dll
SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server '%S', CA cert thumbprint '%S' and server certs '%S'. LogError 0x%x
SCEPInstallCertificateWithScepHelper:Failed to initialize crypt attribute from X509Attributes. Error 0x%x (caller: %p)
ext-ms-win-rtcore-ntuser-cursor-l1-1-0.dll
SCEPInstallCertificateWithScepHelper:Failed to add template name '%ls' extension into extensions. Error 0x%x
api-ms-win-core-processenvironment-l1-1-0.dll
process
SCEPInstallCertificateWithScepHelper:Failed to split NDES Url list. LogError 0x%x
PdcManager::PdcActivate failed to Pdcv2ActivationClientActivate %d, %d
PdcManager::PdcDeactivate failed to Pdcv2ActivationClientDeactivate %d, %d
SCEPInstallCertificateWithScepHelper:Failed to initialize OID object for name value pair '%ls'. Error 0x%x
+ PdcManager::PdcManager failed to Pdcv2ActivationClientRegister %d, %d
PdcManager::~PdcManager failed to Pdcv2ActivationClientUnregister %d, %d
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-apiquery-l1-1-0.dll
DeleteTask
SCEPInstallCertificateWithScepHelper:Failed to log disposition. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to encode subject name '%S'. Error 0x%x
api-ms-win-core-libraryloader-l1-2-0.dll
SCEPInstallCertificateWithScepHelper:Failed to set silent property. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to initialize encode of key usage '%d'. Error 0x%x
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
PdcManager::PdcActivationCallback failed to Pdcv2ActivationClientRenewActivation %d, %d
api-ms-win-core-delayload-l1-1-1.dll
api-ms-win-core-delayload-l1-1-0.dll
SCEPInstallCertificateWithScepHelper:Failed to initialize alternative name from email name '%ls'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to initialize encode on template name '%S'. Error 0x%x
%hs(%d) tid(%x) %08X %ws
SCEPInstallCertificateWithScepHelper:Failed to put container prefeix name '%S'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to Enroll. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to put provider '%S'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to get the AAD logon key name for tenant '%S'. LogError 0x%x
SCEPInstallCertificateWithScepHelper: Cannot find AAD logon key name for tenant '%S'. LogError 0x%x
api-ms-win-core-file-l1-1-0.dll
Software\Microsoft\Enrollments\
SCEPInstallCertificateWithScepHelper:Failed to ui context message '%S'. Error 0x%x
SCEPInstallCertificateWithScepHelper:Failed to get private key from PKCS10 request. LogError 0x%x
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-synch-l1-1-0.dll
OSData\Software\Microsoft\Enrollments\
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-heap-l2-1-0.dll
SCEPInstallCertificateWithScepHelper:Failed to query configured EKUs. Error 0x%x
Software\Microsoft\Enrollments
api-ms-win-core-winrt-string-l1-1-0.dll
api-ms-win-core-com-l1-1-0.dll
api-ms-win-eventing-provider-l1-1-0.dll
ext-ms-win-ntuser-window-l1-1-0.dll

Foremost

Matches: 0.exe, 131 KB

Suspicious: True

Heuristics

IPs
  hasIPs: True
  Allowed:
  hasAllowed: False
  Suspicious: 1.3.6.1, 0, Unknown
  hasSuspicious: True

URLs
  hasURLs: False
  Allowed:
  hasAllowed: False
  Suspicious:
  hasSuspicious: False

Files
  hasFiles: True
  Allowed: kernelbase.dll, DMAppsRes.dll, 3ntdll.dll, ncrypt.dll, ext-ms-win-session-wtsapi32-l1-1-0.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, ext-ms-win-ntuser-message-l1-1-0.dll, ext-ms-win-ntuser-window-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, omadmapi.dll, api-ms-win-core-apiquery-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, OLEAUT32.dll, CRYPT32.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-namedpipe-l1-1-0.dll, msvcp110_win.dll, api-ms-win-core-delayload-l1-1-1.dll, RPCRT4.dll, DMCmnUtils.dll, UMPDC.dll, ext-ms-win-rtcore-ntuser-cursor-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, dsreg.dll, api-ms-win-core-com-l1-1-0.dll, dmenterprisediagnostics.dll, api-ms-win-core-heap-obsolete-l1-1-0.dll, ext-ms-win-ntuser-synch-l1-1-0.dll, msvcrt.dll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-core-threadpool-l1-2-0.dll, api-ms-win-security-sddl-l1-1-0.dll, api-ms-win-core-heap-l2-1-0.dll, certenroll.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll
  hasAllowed: True
  Suspicious:
  hasSuspicious: False

Binary

Sizes
  RVA: 16 (Suspicious: False)
  Code Size: 22528 (Suspicious: False)
  Image Address: 4194304 (Suspicious: False)
  Stack: 8192 (Suspicious: False)
  Headers: 1024 (Suspicious: False)
  Suspicious: False

Symbols
  Number: 0 (Suspicious: True)
  Pointer: 0 (Suspicious: True)

Directories
  Number: 16 (Suspicious: False)

Checksum
  Value: 158083 (Suspicious: False)

Sections
  Allowed: .text, .data, .idata, .didat, .rsrc, .reloc
  hasAllowed: True
  Suspicious:
  hasSuspicious: False
  hasSections: True

Versions
  OS Version: 10 (Suspicious: False)
  Image Version: 10 (Suspicious: False)
  Linker Version: 14.20 (Suspicious: False)
  Subsystem Version: 10.0 (Suspicious: False)
  Suspicious: False

EntryPoint
  Address: 105440 (Suspicious: False)

Anomalies
  hasAnomalies: False

Libraries
  Allowed: kernelbase.dll, ncrypt.dll, ext-ms-win-session-wtsapi32-l1-1-0.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, ext-ms-win-ntuser-message-l1-1-0.dll, ext-ms-win-ntuser-window-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-apiquery-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, oleaut32.dll, crypt32.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-namedpipe-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, rpcrt4.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-com-l1-1-0.dll, api-ms-win-core-heap-obsolete-l1-1-0.dll, ext-ms-win-ntuser-synch-l1-1-0.dll, msvcrt.dll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-core-threadpool-l1-2-0.dll, api-ms-win-security-sddl-l1-1-0.dll, certenroll.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll
  hasLibs: True
  hasAllowed: True
  Suspicious: dmappsres.dll, 3ntdll.dll, omadmapi.dll, msvcp110_win.dll, dmcmnutils.dll, umpdc.dll, ext-ms-win-rtcore-ntuser-cursor-l1-1-0.dll, dsreg.dll, dmenterprisediagnostics.dll, api-ms-win-core-heap-l2-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll
  hasSuspicious: True

Timestamp
  Past: False
  Valid: True
  Value: 2012-04-27 14:16:38
  Future: False

Compilation
  Packed: False
  Missing: False
  Packers:
  Compiled: True
  Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
  XOR: False
  Fuzzing: False

PEDetector

Matches: None

Suspicious: False

Disassembly

hasTricks: True

Tricks
  pushret: .text: 3
  pushpopmath: .text: 21, .idata: 2, .reloc: 8
  garbagebytes: .text: 3
  hookdetection: .reloc: 1
  software breakpoint: .reloc: 2
  programcontrolflowchange: .text: 3
  cpuinstructionsresultscomparison: .rsrc: 1, .text: 1, .idata: 2

Results

BINARY

NFS 2.0 (Threshold = 0.8): confidence 77.50%, suspicious: False

NFS 3.0 (Threshold = 0.75): confidence 74.00%, suspicious: True

Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 97.27%, suspicious: True

Random Forest (100 estimators, NFS-BRMalware): confidence 96.00%, suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 49.79%, suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 100.00%, suspicious: False
