## Summary

The submitted sample #AID=35# (`1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a`) is a 64-bit Windows PE DLL, 251,904 bytes. It presents itself via version metadata as a Microsoft “Active Directory Certificate Services Sample Policy Module” / `CertPSam.dll`, but Malcat reports an `UnsignedMicrosoft` anomaly: Microsoft-like version information is present, but no certificate was found.

High-level characteristics for #AID=35#:

- Type: PE DLL, x64.
- Exports include:
  - `DllCanUnloadNow`
  - `DllGetClassObject`
  - `DllRegisterServer`
  - `DllUnregisterServer`
  - Suspicious non-standard export: `npmserver_options_manifest`
- Compiler indicators: MSVC / Visual Studio 2019 YARA informational matches.
- Kesakode verdict: `PNGPlugLoader`, confidence `0/100`; this is not considered meaningful by itself.
- No carved files were found.
- Virtual resources were present but not the main source of suspicious behavior.

The main malicious behavior appears to be a downloader/loader chain: #AID=35# resolves WinINet APIs by hash, downloads content from a URL, decrypts or transforms it using AES-like routines, validates it as a PE image, manually maps it into memory, resolves imports/relocations, calls initialization/entrypoint logic, and then sleeps indefinitely if loading succeeds.

## Key detections/IOCs

### IOCs

- Sample SHA-256: `1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a` #AID=35#
- Embedded URL in #AID=35#:
  - `http://www.royalsevres.com/javascript/activex_patch.hwp`

### Key detections

Evidence supporting a malicious verdict for #AID=35#:

1. **Microsoft masquerading**
   - Version metadata claims Microsoft / Windows DDK origin:
     - `CompanyName`: `Windows (R) Win 7 DDK provider`
     - `FileDescription`: `Microsoft® Active Directory Certificate Services Sample Policy Module`
     - `OriginalFilename`: `CertPSam`
     - Export module name: `CertPSam.dll`
   - Malcat anomaly: `UnsignedMicrosoft`, indicating Microsoft-like metadata without an embedded signature.

2. **API resolution by hash**
   - Malcat found `ImportByHash` anomalies in #AID=35#.
   - Constants identify hashes for:
     - `LoadLibraryA`
     - `InternetOpenA`
     - `InternetOpenUrlA`
     - `InternetReadFile`
     - `InternetCloseHandle`
   - Function `sub_180008440` #AID=35# walks the PEB loader list and hashes module/export names to resolve APIs dynamically.

3. **Network downloader behavior**
   - Function `sub_1800086f0` #AID=35# resolves the above WinINet APIs dynamically, allocates a buffer, opens a URL, reads data in a loop with a 0xFFE-byte buffer, and appends the result to an in-memory string/buffer.
   - The sample contains the URL `http://www.royalsevres.com/javascript/activex_patch.hwp` #AID=35#.

4. **Encrypted/obfuscated payload handling**
   - AES/Rijndael constants were detected in #AID=35#.
   - Function `sub_180008950` #AID=35# uses block operations and XOR chaining behavior consistent with decrypting/transformation of downloaded data.
   - Malcat anomalies include `XorInLoop`, `StackArrayInitialisationX64`, and high-scoring dynamic binary strings.

5. **Reflective/manual PE loader**
   - Function `sub_18000be10` #AID=35# validates an in-memory buffer as an x64 PE image:
     - checks `MZ`
     - checks `PE`
     - checks AMD64 machine value
   - It uses `VirtualAlloc`, maps PE headers/sections, processes relocations/imports, handles TLS callbacks, and calls the loaded image’s entrypoint or initialization routine.
   - This behavior is strongly associated with in-memory payload loading.

6. **Persistence/registration camouflage**
   - The DLL exposes normal COM DLL registration exports such as `DllRegisterServer` and certificate-policy-related strings, likely to appear like a legitimate Certificate Services policy module.

## Evidence

### Generic file information

Root file #AID=35#:

- PE x64 DLL.
- Size: 251,904 bytes.
- Entropy: moderate overall.
- Sections include typical PE sections such as `.text`, `.rdata`, `.data`, `.pdata`, `.rsrc`, `.reloc`, plus an unusual `_RDATA` section.
- YARA matches only compiler/info rules:
  - `MSVC_2019_linker`
  - `msvs2019_v16_11_21_rich`

### Strings and metadata of interest

Important strings in #AID=35# include:

- `http://www.royalsevres.com/javascript/activex_patch.hwp`
- `WININET.dll`
- `InternetCanonicalizeUrlW`
- `WINHTTP.dll`
- Certificate Services / COM-looking strings:
  - `CertAuthority_Sample.Policy.1`
  - `CertAuthority_Sample.PolicyManage`
  - `Sample/Test Policy Module`
  - `EnableRequestExtensionList`
  - `DisableExtensionList`
  - `EKUOIDsforVolatileRequests`
  - various certificate OIDs

These legitimate-looking certificate service strings are mixed with downloader/loader behavior, suggesting masquerading or modification of a benign-looking policy module.

### Function-level evidence

#### API hashing routine: `sub_180008440` #AID=35#

This function reads the PEB via the GS segment, walks loaded modules, iterates export names, hashes them, and returns matching function addresses. This matches Malcat’s `ImportByHash` anomaly and supports dynamic resolution of suspicious APIs.

Resolved hash constants include WinINet functions:

- `InternetOpenA`
- `InternetOpenUrlA`
- `InternetReadFile`
- `InternetCloseHandle`

#### Downloader routine: `sub_1800086f0` #AID=35#

This function:

- Resolves APIs through `sub_180008440`.
- Dynamically prepares library/API strings.
- Allocates a 0x1000-byte buffer with `LocalAlloc`.
- Calls dynamically resolved network APIs.
- Reads downloaded content in a loop using the resolved read function.
- Appends downloaded bytes into an output buffer.
- Frees handles and local memory.

This is consistent with downloading a second-stage payload.

#### Suspicious export: `npmserver_options_manifest` #AID=35#

This exported function calls:

1. `sub_1800086f0` to obtain data.
2. `sub_180008950` to transform/decrypt the data.
3. `sub_18000be10` to load the result as a PE image.
4. `Sleep(0xffffffff)` if loading succeeds.

This is a clear downloader/decryptor/loader sequence.

#### Decryption/transform routine: `sub_180008950` #AID=35#

This function uses a 16-byte block loop and XOR chaining. Combined with Malcat’s AES/Rijndael constants, this appears to decrypt or transform the downloaded payload before loading.

#### Manual PE loader: `sub_18000be10` #AID=35#

This function implements a PE loader:

- Checks DOS and PE signatures.
- Requires AMD64 PE format.
- Allocates executable image memory with `VirtualAlloc`.
- Copies headers and sections.
- Applies relocations.
- Resolves imports using `LoadLibraryA` and `GetProcAddress`.
- Calls TLS callbacks if present.
- Calls the loaded image entrypoint/initializer.

This is strong evidence of malicious loader behavior.

### Sub-files

Pertinent virtual files/resources:

- `MANIF/2/en-us` #AID=36#
  - Small manifest-like resource, 381 bytes.
  - No malicious behavior identified from this resource itself.

- `TYPELIB/1/en-us` #AID=37#
  - Type library-like resource, 3,356 bytes.
  - Consistent with COM/certificate-policy module appearance.
  - No standalone malicious behavior identified.

- `STR/1/en-us` #AID=38#
  - Small string resource, 132 bytes.
  - No standalone malicious behavior identified.

No carved embedded files were detected from #AID=35#.

## Verdict

Final verdict: **Malicious** #AID=35#

Confidence: **95/100**

Rationale: The sample #AID=35# combines Microsoft/certificate-module masquerading with dynamic API hashing, WinINet downloader logic, AES-like decryption, and a full in-memory PE loader. The suspicious export `npmserver_options_manifest` orchestrates this sequence and sleeps indefinitely after successfully loading the payload. These behaviors are not consistent with a benign Microsoft Certificate Services sample policy module.

Counterarguments / limitations:

- Kesakode’s family label has `0/100` confidence and is not relied upon.
- Some certificate-service and COM-registration code appears legitimate or copied from a real sample module.
- The downloaded second-stage payload was not available in the submitted file, so its final behavior could not be analyzed.
- The embedded URL string had no direct static xref reported, likely because related strings are dynamically constructed/decoded.

Despite these limitations, the downloader/decryptor/manual-loader chain in #AID=35# is sufficient for a high-confidence malicious classification.