advpack.dll

  • File Path: C:\Windows\SysWOW64\advpack.dll
  • Description: ADVPACK

Hashes

Type Hash
MD5 1C6D088367A777EB13A8E459C5E5CF3A
SHA1 BD37948386A21D34DB1F324AE6516B903B28572E
SHA256 A8BD79D517CE20C88626EF5DF4E216C46A4A7770223A7F6F11D926AFAAEE606F
SHA384 5AD8DBD6F05D08187164ADEAD3E196BE805CC21380724130060A85DC57AF32D59593F70CF21F8307E5B975D2C5579267
SHA512 AF64ACCF64014DD5EC484D4744310E6717217F999EC7356A8DC78CCA822E7238AFDC010B6164842B73EB592F21870F67381F19C26F096648457FB96942495242
SSDEEP 3072:yKcCdrEZyY755X5YTC81getxQsfifprF9:niyS5JYN1getxQsfif
IMP 9B8A301A1AEBCA3289FF213FDCDBC165
PESHA1 A7B09E2EC38F370D99DB3AB2A8ED4CEB835CF501
PE256 6BC919B55A732032DF84454DD6D3FAB73F5F5799C9201E4F0BECA962E3B6C637

DLL Exports

Function Name Ordinal Type
RegisterOCXW 12 Exported Function
RegRestoreAll 58 Exported Function
RegisterOCX 11 Exported Function
RegInstallA 56 Exported Function
RegInstallW 57 Exported Function
RegSaveRestoreA 62 Exported Function
RegSaveRestoreOnINF 63 Exported Function
RegSaveRestore 61 Exported Function
RegRestoreAllA 59 Exported Function
RegRestoreAllW 60 Exported Function
RegInstall 55 Exported Function
NeedRebootInit 48 Exported Function
OpenINFEngine 49 Exported Function
NeedReboot 47 Exported Function
LaunchINFSectionExW 45 Exported Function
LaunchINFSectionW 46 Exported Function
RebootCheckOnInstallA 53 Exported Function
RebootCheckOnInstallW 54 Exported Function
RebootCheckOnInstall 52 Exported Function
OpenINFEngineA 50 Exported Function
OpenINFEngineW 51 Exported Function
TranslateInfStringW 78 Exported Function
UserInstStubWrapper 79 Exported Function
TranslateInfStringExW 77 Exported Function
TranslateInfStringEx 75 Exported Function
TranslateInfStringExA 76 Exported Function
UserUnInstStubWrapperA 83 Exported Function
UserUnInstStubWrapperW 84 Exported Function
UserUnInstStubWrapper 82 Exported Function
UserInstStubWrapperA 80 Exported Function
UserInstStubWrapperW 81 Exported Function
TranslateInfStringA 74 Exported Function
RunSetupCommand 67 Exported Function
RunSetupCommandA 68 Exported Function
RegSaveRestoreW 66 Exported Function
RegSaveRestoreOnINFA 64 Exported Function
RegSaveRestoreOnINFW 65 Exported Function
SetPerUserSecValuesW 72 Exported Function
TranslateInfString 73 Exported Function
SetPerUserSecValuesA 71 Exported Function
RunSetupCommandW 69 Exported Function
SetPerUserSecValues 70 Exported Function
DoInfInstallA 4 Exported Function
DoInfInstallW 5 Exported Function
DoInfInstall 3 Exported Function
DelNodeRunDLL32W 22 Exported Function
DelNodeW 23 Exported Function
ExtractFiles 27 Exported Function
ExtractFilesA 28 Exported Function
ExecuteCabW 26 Exported Function
ExecuteCab 24 Exported Function
ExecuteCabA 25 Exported Function
DelNodeRunDLL32A 2 Exported Function
AdvInstallFile 16 Exported Function
AdvInstallFileA 17 Exported Function
AddDelBackupEntryW 15 Exported Function
AddDelBackupEntry 13 Exported Function
AddDelBackupEntryA 14 Exported Function
DelNodeA 21 Exported Function
DelNodeRunDLL32 1 Exported Function
DelNode 20 Exported Function
AdvInstallFileW 18 Exported Function
CloseINFEngine 19 Exported Function
GetVersionFromFileExW 41 Exported Function
GetVersionFromFileW 42 Exported Function
GetVersionFromFileExA 40 Exported Function
GetVersionFromFileA 38 Exported Function
GetVersionFromFileEx 39 Exported Function
LaunchINFSectionEx 9 Exported Function
LaunchINFSectionExA 10 Exported Function
LaunchINFSectionA 8 Exported Function
IsNTAdmin 43 Exported Function
LaunchINFSection 44 Exported Function
GetVersionFromFile 37 Exported Function
FileSaveMarkNotExistW 32 Exported Function
FileSaveRestore 6 Exported Function
FileSaveMarkNotExistA 31 Exported Function
ExtractFilesW 29 Exported Function
FileSaveMarkNotExist 30 Exported Function
FileSaveRestoreOnINFW 35 Exported Function
FileSaveRestoreW 36 Exported Function
FileSaveRestoreOnINFA 34 Exported Function
FileSaveRestoreA 7 Exported Function
FileSaveRestoreOnINF 33 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ADVPACK.DLL.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/a8bd79d517ce20c88626ef5df4e216c46a4a7770223a7f6f11d926afaaee606f/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\IEAdvpack.dll 85

Possible Misuse

The following table contains possible examples of advpack.dll being misused. While advpack.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| LOLBAS | Advpack.yml | Name: Advpack.dll | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX test.dll | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | |
| LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
| LOLBAS | Advpack.yml | - Path: c:\windows\system32\advpack.dll | |
| LOLBAS | Advpack.yml | - Path: c:\windows\syswow64\advpack.dll | |
| LOLBAS | Advpack.yml | - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf | |
| LOLBAS | Ieadvpack.yml | Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. | |
| atomic-red-team | index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | - Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | ## Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with advpack.dll. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, | MIT License. © 2018 Red Canary |
| signature-base | apt_poisonivy.yar | $s10 = "advpack" fullword ascii /* score: '7.005' */ | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $string5 = "advpack" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020 Strontic.