gpapi[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

gpapi.dll
Size

109KB
MD5

5799b39865c264eb3cc77d58b3a2ecb1
SHA1

820f4fde7bf121d6f8a3a903af2daf2d3ac756a2
SHA256

915c899e4b334295eb1d416adf7445af83b8fad1552a01278e0163521e011cec
SHA512

3bc146af543db63ebfc70653faa66d314da69640a63e1f308a1d98e3393e663eed85a1a2e75d9222aca77d4bf335200e647d8a3702c3a2ba24baae7c115af947
SSDEEP

3072:Q1+DypQTxPuEZBUPA18V99LHam3dedL6JkzsVetuXehhln:0SmEbc9V99LHam3A56JkoVeUOfln

Score

1^/10

Malware Config

Signatures

Files

gpapi.dll
.dll windows:10 windows x86 arch:x86

869e5041db28c7da86c67dff669b01dd

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a5:4c:0f:7c:29:6b:f8:8f:98:bc:08:d6:a5:41:16:3e:12:f0:57:76:04:cf:3e:53:3d:a8:f9:a9:8d:d0:9b:f1
Signer

Actual PE Digest

a5:4c:0f:7c:29:6b:f8:8f:98:bc:08:d6:a5:41:16:3e:12:f0:57:76:04:cf:3e:53:3d:a8:f9:a9:8d:d0:9b:f1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

gpapi.pdb

Imports

msvcrt

??1type_info@@UAE@XZ
_except_handler4_common
_onexit
_callnewh
??0exception@@QAE@ABV0@@Z
_CxxThrowException
_initterm
free
memcpy
_lock
memmove
_purecall
??0exception@@QAE@ABQBD@Z
malloc
__CxxFrameHandler3
_XcptFilter
??0exception@@QAE@ABQBDH@Z
??1exception@@UAE@XZ
_unlock
__dllonexit
?what@exception@@UBEPBDXZ
??3@YAXPAX@Z
_amsg_exit
_vsnwprintf
memset

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-0

OpenThreadToken
OpenProcessToken
GetCurrentProcess
GetCurrentThread
GetCurrentProcessId
SetThreadToken
GetCurrentThreadId
TerminateProcess

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegOpenCurrentUser
RegOpenKeyExW
RegSetValueExW
RegNotifyChangeKeyValue

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetModuleHandleExW
FreeLibrary
GetProcAddress

api-ms-win-core-synch-l1-1-0

SetEvent
WaitForSingleObject
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateEventW
InitializeCriticalSectionEx
LeaveCriticalSection

rpcrt4

RpcStringBindingComposeW
NdrAsyncClientCall2
NdrClientCall4
RpcBindingFromStringBindingW
RpcAsyncCancelCall
RpcAsyncInitializeHandle
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
RpcAsyncCompleteCall

api-ms-win-security-base-l1-1-0

EqualSid
ImpersonateLoggedOnUser
CheckTokenMembership
CreateWellKnownSid
DuplicateToken
AllocateAndInitializeSid
FreeSid
GetTokenInformation

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime
GetLocalTime
GetTickCount

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
SetEnvironmentVariableW

api-ms-win-core-file-l1-1-0

CreateDirectoryW
GetFileAttributesExW
CreateFileW
WriteFile
SetFilePointer

api-ms-win-core-debug-l1-1-0

OutputDebugStringW

api-ms-win-core-sysinfo-l1-2-0

GetOsSafeBootMode

api-ms-win-security-grouppolicy-l1-1-0

GetGPOListInternalA
GenerateGPNotificationInternal
GetNextFgPolicyRefreshInfoInternal
GetAppliedGPOListInternalA
FreeGPOListInternalW
FreeGPOListInternalA
ForceSyncFgPolicyInternal
EnterCriticalPolicySectionInternal
WaitForUserPolicyForegroundProcessingInternal
WaitForMachinePolicyForegroundProcessingInternal
UnregisterGPNotificationInternal
RsopLoggingEnabledInternal
RegisterGPNotificationInternal
RefreshPolicyExInternal
GetGPOListInternalW
RefreshPolicyInternal
LeaveCriticalPolicySectionInternal
IsSyncForegroundPolicyRefresh
GetAppliedGPOListInternalW
GetPreviousFgPolicyRefreshInfoInternal

ntdll

RtlFreeUnicodeString
RtlInitUnicodeString
RtlConvertSidToUnicodeString
NtQueryInformationToken
RtlCopySid
RtlLengthSid
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlNtStatusToDosError
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

Exports

Exports

AreThereVisibleLogoffScriptsInternal
AreThereVisibleLogoffScriptsInternalWorker
AreThereVisibleShutdownScriptsInternal
AreThereVisibleShutdownScriptsInternalWorker
EnterCriticalPolicySectionExStub
EnterCriticalPolicySectionInternal
EnterCriticalPolicySectionInternalWorker
ForceSyncFgPolicyInternal
ForceSyncFgPolicyInternalWorker
FreeGPOListInternalA
FreeGPOListInternalAWorker
FreeGPOListInternalW
FreeGPOListInternalWWorker
GenerateGPNotificationInternal
GenerateGPNotificationInternalWorker
GetAppliedGPOListInternalA
GetAppliedGPOListInternalAWorker
GetAppliedGPOListInternalW
GetAppliedGPOListInternalWWorker
GetGPOListInternalA
GetGPOListInternalAWorker
GetGPOListInternalW
GetGPOListInternalWWorker
GetNextFgPolicyRefreshInfoInternal
GetNextFgPolicyRefreshInfoInternalWorker
GetPreviousFgPolicyRefreshInfoInternal
GetPreviousFgPolicyRefreshInfoInternalWorker
HasPolicyForegroundProcessingCompletedInternal
HasPolicyForegroundProcessingCompletedInternalWorker
IsSyncForegroundPolicyRefreshWorker
LeaveCriticalPolicySectionInternal
LeaveCriticalPolicySectionInternalWorker
RefreshPolicyExInternal
RefreshPolicyExInternalWorker
RefreshPolicyInternal
RefreshPolicyInternalWorker
RegisterGPNotificationInternal
RegisterGPNotificationInternalWorker
RsopLoggingEnabledInternal
RsopLoggingEnabledInternalWorker
UnregisterGPNotificationInternal
UnregisterGPNotificationInternalWorker
WaitForMachinePolicyForegroundProcessingInternal
WaitForMachinePolicyForegroundProcessingInternalWorker
WaitForUserPolicyForegroundProcessingInternal
WaitForUserPolicyForegroundProcessingInternalWorker

Sections

.text
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

869e5041db28c7da86c67dff669b01dd

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a5:4c:0f:7c:29:6b:f8:8f:98:bc:08:d6:a5:41:16:3e:12:f0:57:76:04:cf:3e:53:3d:a8:f9:a9:8d:d0:9b:f1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-heap-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

rpcrt4

api-ms-win-security-base-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-security-grouppolicy-l1-1-0

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-heap-l1-1-0

Exports

Exports

Sections

.text Size: 82KB - Virtual size: 82KB

.data Size: 3KB - Virtual size: 5KB

.idata Size: 5KB - Virtual size: 5KB

.didat Size: 512B - Virtual size: 8B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 4KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a5:4c:0f:7c:29:6b:f8:8f:98:bc:08:d6:a5:41:16:3e:12:f0:57:76:04:cf:3e:53:3d:a8:f9:a9:8d:d0:9b:f1
Signer

.text
Size: 82KB - Virtual size: 82KB

.data
Size: 3KB - Virtual size: 5KB

.idata
Size: 5KB - Virtual size: 5KB

.didat
Size: 512B - Virtual size: 8B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 4KB