GPOAdmin[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

GPOAdmin.dll
Size

1.4MB
MD5

459422e1229efef9369e057d0fadcc90
SHA1

9c4dc12818eb9fa3a203b226bad320c426b25dce
SHA256

ab6642cb57f08b851221b7eec03409821f366575b439ec4437fa804c891af9d0
SHA512

a0a07cdd15fc685cbd0d430baab537b18aa4f74c1fb35e9dfa230243cac0fccfcc05263a9f0ab1f5e78efbcb99b5c355c7aeb2952aa7522c192e0ab200d57a0f
SSDEEP

12288:kVc8NRa7tiH2zek/uPDJ55F6UZcMWNAWgNsgg+YT6Q95aapZEQ6bvA1:kZ7a7tiH6e8uPDJz4CNyH95fZZ6Y

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GPOAdmin.dll

Files

GPOAdmin.dll
.dll .vbs regsvr32 windows:10 windows x86 arch:x86 polyglot

9a81b47a343ac6f21d4acffb65dc8cf7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

GPOAdmin.pdb

Imports

msvcrt

??3@YAXPAX@Z
_ftol2_sse
_tzset
_time64
_gmtime64
wcsftime
memcmp
realloc
_errno
_except_handler4_common
??1type_info@@UAE@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_callnewh
_wcsicmp
wcscat_s
wcscpy_s
wcsncpy_s
wcschr
wcsstr
wcsnlen
_ltow_s
swprintf_s
memmove_s
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@XZ
_vsnprintf_s
_vsnwprintf
memcpy_s
free
malloc
_purecall
??_V@YAXPAX@Z
__CxxFrameHandler3
memset

gpoadmincommon

?UpdateListSort@@YG_NPAUtagNMLISTVIEW@@PAVCSortContext@@@Z
?OutputValueToDebugLog@@YGXPAG@Z
GetErrorDescription
AddColumnsToList
?UpdateListSort@@YG_NPAUtagNMLISTVIEW@@AAV?$CListViewCtrlT@VCWindow@ATL@@@WTL@@AAHAA_N@Z
GetDisplayNameFromLDAPPath
GetDateTimeDisplay
SelectAllInList
GPMCMessageBox
CompareWMIFilters
DisplayGPMCMessage
??0CMRUComboBox@@QAE@PBG@Z
GetContainerFromLDAPPath
FormatBSTRMessage
FormatGPMCError
CreateGPMCDataObject
GetGPMCDataObject
?DebugGPMCError@@YAXPAGZZ
SortCompareEx
?GetExpandedWindowText@CMRUComboBox@@QAEJPAPAG@Z
?AddMRUItem@CMRUComboBox@@QAEJPBG@Z
?Attach@CMRUComboBox@@QAEHPAUHWND__@@@Z
?DisplayGPMCError@@YAXJZZ
GetAccountName

oleaut32

VariantInit
SysFreeString
BSTR_UserSize
VarBstrCmp
SysAllocStringByteLen
SysStringByteLen
VariantClear
BSTR_UserFree
OleCreateFontIndirect
LoadRegTypeLi
LoadTypeLi
SafeArrayAccessData
SafeArrayDestroy
SafeArrayGetUBound
SafeArrayUnaccessData
SafeArrayGetLBound
VariantChangeType
SafeArrayCreate
SafeArrayPutElement
SafeArrayGetElement
VarUI4FromStr
VarBstrCat
SysStringLen
BSTR_UserUnmarshal
VarBstrFromDate
UnRegisterTypeLi
SysAllocStringLen
RegisterTypeLi
BSTR_UserMarshal
SysAllocString

rpcrt4

CStdStubBuffer_QueryInterface
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
NdrDllRegisterProxy
NdrDllGetClassObject
CStdStubBuffer_Disconnect
RpcBindingFromStringBindingW
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
NdrDllCanUnloadNow
RpcBindingSetOption
CStdStubBuffer_Connect
NdrCStdStubBuffer_Release
RpcEpResolveBinding
RpcMgmtInqServerPrincNameW
CStdStubBuffer_CountRefs
RpcBindingSetAuthInfoExW
I_RpcExceptionFilter
RpcBindingFree
RpcStringFreeW
NdrServerCall2
NdrClientCall2
CStdStubBuffer_Invoke
NdrStubForwardingFunction
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
NdrCStdStubBuffer2_Release
RpcStringBindingComposeW
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
NdrDllUnregisterProxy

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient9
ObjectStublessClient6
ObjectStublessClient10
NdrProxyForwardingFunction3
ObjectStublessClient12
ObjectStublessClient14
ObjectStublessClient11
CStdStubBuffer2_CountRefs
NdrProxyForwardingFunction5
CStdStubBuffer2_Connect
ObjectStublessClient3
ObjectStublessClient4
ObjectStublessClient15
NdrProxyForwardingFunction6
CStdStubBuffer2_Disconnect
NdrProxyForwardingFunction4
ObjectStublessClient7
ObjectStublessClient13
ObjectStublessClient5
CStdStubBuffer2_QueryInterface
ObjectStublessClient8

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
LoadStringW
GetModuleHandleA
GetProcAddress
LoadResource
LoadLibraryExA
SizeofResource
GetModuleHandleW
FreeLibrary
LoadLibraryExW
GetModuleHandleExW
LockResource
DisableThreadLibraryCalls
FindResourceExW
GetModuleFileNameA

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryA
FindResourceW
LoadLibraryW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak
OutputDebugStringA

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-localization-l1-2-0

GetUserDefaultLCID
FormatMessageW
GetFileMUIPath

api-ms-win-core-processthreads-l1-1-0

ExitThread
SetThreadPriority
CreateProcessW
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentThread
CreateThread

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
SetEvent
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseSemaphore
CreateSemaphoreExW
CreateMutexExW
ReleaseMutex
CreateEventW
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
WaitForSingleObject
InitializeCriticalSection
OpenSemaphoreW
InitializeCriticalSectionAndSpinCount

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-registry-l1-1-0

RegOpenKeyExA
RegDeleteValueW
RegOpenKeyExW
RegSetValueExW
RegCloseKey
RegQueryInfoKeyW
RegQueryValueExW
RegEnumKeyExW
RegQueryValueExA
RegCreateKeyExW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetCommandLineW

sspicli

GetUserNameExW

api-ms-win-core-com-l1-1-0

CreateStreamOnHGlobal
CoTaskMemFree
CLSIDFromProgID
CoGetClassObject
CoInitializeEx
CoTaskMemAlloc
CoCreateInstance
CoUninitialize
CLSIDFromString
StringFromCLSID
CoSetProxyBlanket
StringFromGUID2
CoCreateGuid
CoTaskMemRealloc

api-ms-win-core-string-l2-1-0

CharNextW
CharUpperW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW

api-ms-win-core-heap-l2-1-0

GlobalFree
LocalFree
GlobalAlloc
LocalAlloc

api-ms-win-core-file-l1-1-0

CreateFileW
SetFileAttributesW
GetFileAttributesExW
WriteFile
FindNextFileW
FindFirstFileW
FindClose
RemoveDirectoryW
SetFilePointer
CreateDirectoryW
SetEndOfFile
GetFileSize
GetTempFileNameW
DeleteFileW
GetFullPathNameW
GetFileAttributesW

dnsapi

DnsNameCompare_W

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
VirtualAlloc
UnmapViewOfFile
VirtualFree
MapViewOfFile

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount
GetLocalTime
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-security-base-l1-1-0

AddAccessAllowedAce
InitializeAcl
GetAce
InitializeSecurityDescriptor
GetWindowsAccountDomainSid
AllocateAndInitializeSid
SetSecurityDescriptorDacl
FreeSid
GetLengthSid

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processthreads-l1-1-1

FlushInstructionCache
IsProcessorFeaturePresent

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InterlockedPopEntrySList

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

logoncli

DsGetDcNameW

netutils

NetApiBufferFree

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

activeds

ord9

advapi32

RegDeleteKeyW
SetNamedSecurityInfoW

gdi32

BitBlt
DeleteDC
GetStockObject
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
CreateFontIndirectW
GetTextMetricsW
CreateSolidBrush
GetObjectW
DeleteObject
GetDeviceCaps

kernel32

lstrlenA
GlobalUnlock
GlobalLock
MulDiv
lstrcmpW
lstrcmpiW
GlobalHandle
ExpandEnvironmentStringsA

ntdsapi

DsFreeNameResultW
DsBindW
DsCrackNamesW
DsUnBindW
DsGetDomainControllerInfoW
DsFreeDomainControllerInfoW

ole32

CLIPFORMAT_UserUnmarshal
STGMEDIUM_UserMarshal
STGMEDIUM_UserFree
HWND_UserUnmarshal
HWND_UserFree
STGMEDIUM_UserSize
STGMEDIUM_UserUnmarshal
HWND_UserSize
CLIPFORMAT_UserSize
CLIPFORMAT_UserMarshal
HWND_UserMarshal
CLIPFORMAT_UserFree
OleUninitialize
OleLockRunning
OleInitialize
CoInitialize
StgCreateDocfile
ReleaseStgMedium

shell32

ShellExecuteW
ShellExecuteExW
CommandLineToArgvW
SHGetDataFromIDListW
SHGetPathFromIDListW
SHGetMalloc
SHBrowseForFolderW

shlwapi

PathIsUNCW
PathStripToRootW
PathIsRelativeW

user32

IsWindowVisible
AttachThreadInput
GetWindowThreadProcessId
DestroyIcon
UnregisterClassA
FindWindowExW
EnableWindow
GetWindowLongW
LoadImageW
DialogBoxParamW
DialogBoxIndirectParamW
GetDlgItem
SetWindowTextW
RegisterClassExW
GetWindowTextW
DestroyAcceleratorTable
GetWindowTextLengthW
ReleaseDC
GetDC
InvalidateRect
InvalidateRgn
GetClientRect
GetDlgItemTextW
KillTimer
FillRect
EndDialog
SetWindowLongW
SendMessageW
SetCapture
MoveWindow
ScreenToClient
DefWindowProcW
LoadCursorW
ClientToScreen
CreateAcceleratorTableW
CreateWindowExW
GetClassInfoExW
RedrawWindow
SetWindowPos
GetSysColor
GetClassNameW
IsWindow
GetWindow
SetFocus
GetFocus
IsChild
EndPaint
BeginPaint
RegisterWindowMessageW
RegisterClipboardFormatW
CheckDlgButton
IsDlgButtonChecked
IsWindowEnabled
SetDlgItemTextW
MessageBeep
GetWindowRect
UnhookWindowsHookEx
SetWindowsHookExW
IsDialogMessageW
CallNextHookEx
GetTopWindow
WaitForInputIdle
MsgWaitForMultipleObjectsEx
PeekMessageW
SetCursor
TranslateMessage
DispatchMessageW
CreateDialogParamW
CopyRect
MapWindowPoints
ReleaseCapture
PostMessageW
GetCursor
DestroyWindow
GetActiveWindow
MessageBoxW
GetWindowPlacement
ShowWindow
SetForegroundWindow
CallWindowProcW
MessageBoxExW
GetDesktopWindow
SetParent
SetWindowContextHelpId
SetTimer
MapDialogRect
SetClassLongW
GetKeyState
GetMessageW
SystemParametersInfoW
GetParent

wininet

CommitUrlCacheEntryW
CreateUrlCacheEntryW

Exports

Exports

AddToMigrationTableMRUList
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetMigrationTableEntryType
GetSelectedBackupList
GetSelectedGPOList
LaunchObjectPicker

Sections

.text
Size: 707KB - Virtual size: 707KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 654KB - Virtual size: 653KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9a81b47a343ac6f21d4acffb65dc8cf7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

gpoadmincommon

oleaut32

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

sspicli

api-ms-win-core-com-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l1-1-0

dnsapi

api-ms-win-core-memory-l1-1-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-file-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-security-sddl-l1-1-0

dsrole

api-ms-win-core-file-l1-2-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-profile-l1-1-0

logoncli

netutils

api-ms-win-core-synch-l1-2-1

activeds

advapi32

gdi32

kernel32

ntdsapi

ole32

shell32

shlwapi

user32

wininet

Exports

Exports

Sections

.text Size: 707KB - Virtual size: 707KB

.data Size: 7KB - Virtual size: 10KB

.idata Size: 15KB - Virtual size: 14KB

.rsrc Size: 654KB - Virtual size: 653KB

.reloc Size: 56KB - Virtual size: 55KB

.text
Size: 707KB - Virtual size: 707KB

.data
Size: 7KB - Virtual size: 10KB

.idata
Size: 15KB - Virtual size: 14KB

.rsrc
Size: 654KB - Virtual size: 653KB

.reloc
Size: 56KB - Virtual size: 55KB