GPOAdminCustom[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

GPOAdminCustom.dll
Size

908KB
MD5

9a5f67e4e417623b1d0e294ba456ce00
SHA1

f215fef63f076c29c2af6e31b9af9d1eaae5d8ff
SHA256

3ed81ba4e2ec7405a71de4b21288c7246430ff044e58d1a5c5e615a2dcc5d8ba
SHA512

ba9aadd027478f4ce39266a4444013806623fd823e28d4952f463f3efa7c8f5d12b79f74b7c891201f340d58eaeea0b56f7583ffa33b933b9ae4431fac78ee84
SSDEEP

12288:jazI8t0okvnM71A2J3nfjHRd8vw7W6yY0/8EmxGqkf/gxsQ:juI8t01/k1zJ3fjY2W6k/309cgCQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GPOAdminCustom.dll

Files

GPOAdminCustom.dll
.dll regsvr32 windows:10 windows x86 arch:x86

40aa41587952329500e57891402adbf4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

GPOAdminCustom.pdb

Imports

msvcrt

_ftol2_sse
floor
??3@YAXPAX@Z
_ftol2
memcmp
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
_wtol
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_callnewh
memmove
memcpy
_CxxThrowException
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_ltow
_wtoi
iswdigit
vswprintf_s
wcscat_s
wcscpy_s
_vsnwprintf
_wcsnicmp
wcschr
wcsstr
_wcslwr_s
calloc
wcsncpy_s
_purecall
swprintf_s
memcpy_s
malloc
free
??_V@YAXPAX@Z
__CxxFrameHandler3
??1type_info@@UAE@XZ
memset

gpoadmincommon

CompareWMIFilters
GetTrusteeDisplayName
?DisplayGPMCError@@YGXPAG@Z
GetDisplayNameFromLDAPPath
GPMCMessageBox
?UpdateListSort@@YG_NPAUtagNMLISTVIEW@@AAV?$CListViewCtrlT@VCWindow@ATL@@@WTL@@AAHAA_N@Z
AddColumnsToListFromPreferences
GetDateTimeDisplay
GetAccountName
?DisplayGPMCError@@YAXJZZ
?DebugGPMCError@@YAXPAGZZ
FormatBSTRMessage
GetErrorDescription
FormatGPMCError
AddColumnsToList
ResetColumnsFromPreferences
?UpdateListSort@@YG_NPAUtagNMLISTVIEW@@PAVCSortContext@@@Z
SortCompareEx
CreateGPMCDataObject
SelectAllInList

oleaut32

SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector
LoadTypeLi
VarBstrCmp
SysFreeString
VariantClear
VarFormatDateTime
OleCreateFontIndirect
VariantChangeType
SafeArrayCreate
SafeArrayPutElement
OleTranslateColor
VarUI4FromStr
RegisterTypeLi
UnRegisterTypeLi
SafeArrayGetElement
OleCreatePropertyFrame
VarBstrCat
SystemTimeToVariantTime
SafeArrayGetUBound
LoadRegTypeLi
SysAllocStringLen
SafeArrayGetLBound
SysAllocString
SysStringByteLen
SysAllocStringByteLen
SysStringLen
VariantInit

rpcrt4

NdrDllCanUnloadNow
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
CStdStubBuffer_Disconnect
NdrDllGetClassObject
NdrDllRegisterProxy
CStdStubBuffer_DebugServerRelease
NdrOleAllocate
CStdStubBuffer_Connect
CStdStubBuffer_CountRefs
NdrDllUnregisterProxy
IUnknown_Release_Proxy
CStdStubBuffer_AddRef
NdrOleFree
NdrCStdStubBuffer2_Release
CStdStubBuffer_DebugServerQueryInterface
IUnknown_AddRef_Proxy
NdrStubForwardingFunction
CStdStubBuffer_QueryInterface
CStdStubBuffer_Invoke
NdrCStdStubBuffer_Release

api-ms-win-core-com-midlproxystub-l1-1-0

CStdStubBuffer2_QueryInterface
ObjectStublessClient5
NdrProxyForwardingFunction4
CStdStubBuffer2_CountRefs
CStdStubBuffer2_Disconnect
ObjectStublessClient3
ObjectStublessClient4
CStdStubBuffer2_Connect
NdrProxyForwardingFunction5
NdrProxyForwardingFunction3
ObjectStublessClient6
NdrProxyForwardingFunction6

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExA
GetModuleFileNameW
FreeLibrary
LoadStringW
DisableThreadLibraryCalls
LoadLibraryExW
FindResourceExW
SizeofResource
GetProcAddress
GetModuleHandleW
GetModuleHandleA
LockResource
LoadResource

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalReAlloc
LocalFree
GlobalAlloc
GlobalFree

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoTaskMemAlloc
CoInitializeEx
CoUninitialize
CLSIDFromProgID
CoTaskMemRealloc
StringFromGUID2
CoTaskMemFree
CreateStreamOnHGlobal
CLSIDFromString
CoGetClassObject

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
ReleaseSemaphore
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

api-ms-win-core-processthreads-l1-1-0

CreateThread
GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
LoadLibraryA
FindResourceW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
OutputDebugStringA

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegDeleteValueW
RegQueryValueExW
RegEnumKeyExW
RegSetValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-localization-l1-2-0

GetUserDefaultLCID
FormatMessageW

api-ms-win-core-string-l1-1-0

CompareStringW
CompareStringEx
MultiByteToWideChar

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorLength
FreeSid
AllocateAndInitializeSid
EqualSid

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processthreads-l1-1-1

FlushInstructionCache
IsProcessorFeaturePresent

api-ms-win-core-interlocked-l1-1-0

InterlockedPopEntrySList
InterlockedPushEntrySList

api-ms-win-core-synch-l1-2-0

Sleep
WakeAllConditionVariable
SleepConditionVariableSRW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

advapi32

OpenEventLogW
ReadEventLogW
CloseEventLog
RegConnectRegistryW

gdi32

GetDeviceCaps
GetObjectW
GetStockObject
DeleteDC
BitBlt
DeleteObject
SelectObject
CreateCompatibleBitmap
ExtTextOutW
CreateCompatibleDC
CreateSolidBrush
RestoreDC
SetViewportOrgEx
SetWindowOrgEx
SetMapMode
SaveDC
LPtoDP
CreateDCW
Rectangle
SetTextColor
SetBkMode
GetTextExtentPointW
GetTextMetricsW
CreateFontIndirectW
SetBkColor
DeleteMetaFile
CloseMetaFile
SetWindowExtEx
CreateMetaFileW
CreateRectRgnIndirect
SetROP2
GetClipBox

kernel32

lstrlenW
lstrcmpW
MulDiv
GlobalUnlock
GlobalLock
GlobalHandle
lstrcmpiW
lstrlenA

ntdll

RtlSecondsSince1970ToTime

ntdsapi

DsCrackNamesW
DsFreeNameResultW
DsBindW
DsUnBindW

ole32

OleLoadFromStream
OleSaveToStream
WriteClassStm
OleRegEnumVerbs
OleRegGetUserType
CreateOleAdviseHolder
OleRegGetMiscStatus
OleSetClipboard
OleInitialize
OleLockRunning
OleUninitialize
ReleaseStgMedium
HWND_UserMarshal
HWND_UserSize
HWND_UserFree
HWND_UserUnmarshal
DoDragDrop
CreateDataAdviseHolder

shell32

ShellExecuteW
ord16
ord18
ord17
ord155
SHGetDesktopFolder

user32

IsWindow
LoadCursorW
GetSubMenu
TrackPopupMenu
LoadMenuW
RegisterClassExW
SendMessageW
DefWindowProcW
GetWindowLongW
DestroyAcceleratorTable
GetDesktopWindow
ReleaseDC
RedrawWindow
DialogBoxParamW
EndDialog
MessageBoxW
ShowWindow
EnableWindow
SetWindowTextW
GetDlgItem
GetActiveWindow
GetDC
CallWindowProcW
InvalidateRgn
RegisterClipboardFormatW
UpdateWindow
InvalidateRect
PostMessageW
GetKeyState
DestroyMenu
GetClientRect
SetWindowLongW
MessageBoxExW
GetDlgCtrlID
InflateRect
IsWindowVisible
DialogBoxIndirectParamW
FillRect
DrawFocusRect
GetMenu
AdjustWindowRectEx
KillTimer
ReleaseCapture
SetCapture
MoveWindow
SetTimer
SetParent
UnregisterClassA
FindWindowExW
GetWindowThreadProcessId
ScreenToClient
GetParent
ClientToScreen
CreateAcceleratorTableW
DestroyWindow
CreateWindowExW
GetClassInfoExW
SetWindowPos
GetSysColor
GetClassNameW
GetWindow
SetFocus
GetFocus
IsChild
EndPaint
BeginPaint
GetWindowTextW
GetWindowTextLengthW
RegisterWindowMessageW
MonitorFromPoint
GetMonitorInfoW
SetCursor
GetCursor
MapWindowPoints
IsMenu
GetWindowRect
GetSystemMetrics
IsWindowEnabled
CheckMenuItem
SetWindowContextHelpId
DrawTextW
GetDialogBaseUnits
EnumChildWindows
SystemParametersInfoW
MapDialogRect
CreateDialogIndirectParamW
SendDlgItemMessageW
GetScrollPos
IntersectRect
EqualRect
SetWindowRgn
OffsetRect
UnionRect
PtInRect
GetNextDlgTabItem
CopyAcceleratorTableW
IsDialogMessageW
AllowSetForegroundWindow
CheckMenuRadioItem
CopyRect
DestroyIcon
LoadImageW
SetDlgItemTextW
RealGetWindowClassW
CallNextHookEx
UnhookWindowsHookEx
CreateDialogParamW
SetWindowsHookExW
GetCapture
DrawEdge
GetSysColorBrush
EnableMenuItem

uxtheme

EnableThemeDialogTexture

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 535KB - Virtual size: 535KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 311KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

40aa41587952329500e57891402adbf4

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

gpoadmincommon

oleaut32

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-debug-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

advapi32

gdi32

kernel32

ntdll

ntdsapi

ole32

shell32

user32

uxtheme

Exports

Exports

Sections

.text Size: 535KB - Virtual size: 535KB

.data Size: 4KB - Virtual size: 6KB

.idata Size: 13KB - Virtual size: 12KB

.rsrc Size: 311KB - Virtual size: 310KB

.reloc Size: 43KB - Virtual size: 42KB

.text
Size: 535KB - Virtual size: 535KB

.data
Size: 4KB - Virtual size: 6KB

.idata
Size: 13KB - Virtual size: 12KB

.rsrc
Size: 311KB - Virtual size: 310KB

.reloc
Size: 43KB - Virtual size: 42KB