advpack.dll

  • File Path: C:\Windows\system32\advpack.dll
  • Description: ADVPACK

Hashes

Type Hash
MD5 B8E59E275FC4558FD9B63E82D11DDE87
SHA1 5F0CA533C2858B8FF636E442A5F744AEC7DFB7F6
SHA256 65DE1E0484A345413A66CBF16158C8634F6DBA6F0AE15109C7D8EBE131701F89
SHA384 74433D663734810B07241DF0E1BDE81930B6164066B0DC78D66BBBA24CBB6C504E7A422C464E52355BE12D355FCCB878
SHA512 D0E7BB0FB362C8A4CC75799C268ACF75B62FD1D8762BBE523D0D59EAEB86E3D46D47234AF0F4E49C33A0422756962924F5C2C52A4A6DE72D9D71547CDBE6D057
SSDEEP 3072:nWoN5HHXKtGTJnKWPq7cASAmUMowcG8VP/5MqxQHferFr5:ntH3+GRPq7cALFMowcFZMqxQHf
IMP F4527A6EF5AFE648805E2A19F417A141
PESHA1 6AF81B3C1D43D44FAA47C2E5A2041FB6501E7CF1
PE256 87913847FFF4F3F13F129555DDE5DD915CBDEADC3DC2AAA537ED5592A61B3C8D

DLL Exports:

Function Name Ordinal Type
RegisterOCXW 12 Exported Function
RegRestoreAll 58 Exported Function
RegisterOCX 11 Exported Function
RegInstallA 56 Exported Function
RegInstallW 57 Exported Function
RegSaveRestoreA 62 Exported Function
RegSaveRestoreOnINF 63 Exported Function
RegSaveRestore 61 Exported Function
RegRestoreAllA 59 Exported Function
RegRestoreAllW 60 Exported Function
RegInstall 55 Exported Function
NeedRebootInit 48 Exported Function
OpenINFEngine 49 Exported Function
NeedReboot 47 Exported Function
LaunchINFSectionExW 45 Exported Function
LaunchINFSectionW 46 Exported Function
RebootCheckOnInstallA 53 Exported Function
RebootCheckOnInstallW 54 Exported Function
RebootCheckOnInstall 52 Exported Function
OpenINFEngineA 50 Exported Function
OpenINFEngineW 51 Exported Function
TranslateInfStringW 78 Exported Function
UserInstStubWrapper 79 Exported Function
TranslateInfStringExW 77 Exported Function
TranslateInfStringEx 75 Exported Function
TranslateInfStringExA 76 Exported Function
UserUnInstStubWrapperA 83 Exported Function
UserUnInstStubWrapperW 84 Exported Function
UserUnInstStubWrapper 82 Exported Function
UserInstStubWrapperA 80 Exported Function
UserInstStubWrapperW 81 Exported Function
TranslateInfStringA 74 Exported Function
RunSetupCommand 67 Exported Function
RunSetupCommandA 68 Exported Function
RegSaveRestoreW 66 Exported Function
RegSaveRestoreOnINFA 64 Exported Function
RegSaveRestoreOnINFW 65 Exported Function
SetPerUserSecValuesW 72 Exported Function
TranslateInfString 73 Exported Function
SetPerUserSecValuesA 71 Exported Function
RunSetupCommandW 69 Exported Function
SetPerUserSecValues 70 Exported Function
DoInfInstallA 4 Exported Function
DoInfInstallW 5 Exported Function
DoInfInstall 3 Exported Function
DelNodeRunDLL32W 22 Exported Function
DelNodeW 23 Exported Function
ExtractFiles 27 Exported Function
ExtractFilesA 28 Exported Function
ExecuteCabW 26 Exported Function
ExecuteCab 24 Exported Function
ExecuteCabA 25 Exported Function
DelNodeRunDLL32A 2 Exported Function
AdvInstallFile 16 Exported Function
AdvInstallFileA 17 Exported Function
AddDelBackupEntryW 15 Exported Function
AddDelBackupEntry 13 Exported Function
AddDelBackupEntryA 14 Exported Function
DelNodeA 21 Exported Function
DelNodeRunDLL32 1 Exported Function
DelNode 20 Exported Function
AdvInstallFileW 18 Exported Function
CloseINFEngine 19 Exported Function
GetVersionFromFileExW 41 Exported Function
GetVersionFromFileW 42 Exported Function
GetVersionFromFileExA 40 Exported Function
GetVersionFromFileA 38 Exported Function
GetVersionFromFileEx 39 Exported Function
LaunchINFSectionEx 9 Exported Function
LaunchINFSectionExA 10 Exported Function
LaunchINFSectionA 8 Exported Function
IsNTAdmin 43 Exported Function
LaunchINFSection 44 Exported Function
GetVersionFromFile 37 Exported Function
FileSaveMarkNotExistW 32 Exported Function
FileSaveRestore 6 Exported Function
FileSaveMarkNotExistA 31 Exported Function
ExtractFilesW 29 Exported Function
FileSaveMarkNotExist 30 Exported Function
FileSaveRestoreOnINFW 35 Exported Function
FileSaveRestoreW 36 Exported Function
FileSaveRestoreOnINFA 34 Exported Function
FileSaveRestoreA 7 Exported Function
FileSaveRestoreOnINF 33 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ADVPACK.DLL.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/65
  • VirusTotal Link: https://www.virustotal.com/gui/file/65de1e0484a345413a66cbf16158c8634f6dba6f0ae15109c7d8ebe131701f89/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\IEAdvpack.dll 86

Possible Misuse

The following table contains possible examples of advpack.dll being misused. While advpack.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| LOLBAS | Advpack.yml | Name: Advpack.dll | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX test.dll | |
| LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | |
| LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
| LOLBAS | Advpack.yml | - Path: c:\windows\system32\advpack.dll | |
| LOLBAS | Advpack.yml | - Path: c:\windows\syswow64\advpack.dll | |
| LOLBAS | Advpack.yml | - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf | |
| LOLBAS | Ieadvpack.yml | Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. | |
| atomic-red-team | index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | - Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | ## Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with advpack.dll. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, | MIT License. © 2018 Red Canary |
| signature-base | apt_poisonivy.yar | $s10 = "advpack" fullword ascii /* score: '7.005' */ | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $string5 = "advpack" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020 Strontic.