Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe. BLINDINGCAN has used Rundll32 to load a malicious DLL. Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll, Qszdez". Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat. Attor's installer plugin can schedule rundll32.exe to load the dispatcher. APT41 has used rundll32.exe to execute a loader.
APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.
APT32 malware has used rundll32.exe to execute an initial infection process. APT29 has used Rundll32.exe to execute payloads. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.
dll for a first stage dropper using rundll32.exe. APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT19 configured its payload to inject into rundll32.exe. ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe rather than executing directly (i.e., Shared Modules) may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (e.g., rundll32.exe <DLL path>, <exported function>). Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:".\mshtml,RunHTMLApplication " document.write() GetObject("script:https//… This behavior has been seen used by malware such as Poweliks.

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.
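A detection-side check for the rundll32 patterns described above (the javascript: protocol, a module with a non-.dll extension such as .dat, a module or .cpl staged in a user-writable directory, and a DLL loaded with no export named), written as an added example rather than anything from the ATT&CK page or its sources. The command lines it scans are constructed from the page's own examples plus two benign ones, and the W/A export-name trick is not visible in a command line, so it is not covered here.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation command lines (not real telemetry); the
# first five mirror patterns the page describes, the last two are benign.
SAMPLE_CMDLINES = [
    r'rundll32.exe c:\windows\temp\pvcu.dll, Qszdez',
    r'rundll32.exe "C:\Windows\twain_64.dll"',
    r'rundll32.exe C:\Windows\infpub.dat',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "',
    r'rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\x.cpl',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL timedate.cpl',
    r'rundll32.exe user32.dll,LockWorkStation',
]
# Directory markers an unprivileged user can normally write to.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
_RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE)
_MODULE = re.compile(r'^(?:"([^"]*)"|([^\s,]*))\s*,?\s*([^\s,]*)\s*(.*)$')

def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>[,<export>] [args]'; None if not a rundll32 call."""
    m = _RUNDLL.match(cmdline)
    if not m:
        return None
    mm = _MODULE.match(m.group(1).strip())          # always matches (groups may be empty)
    module = mm.group(1) if mm.group(1) is not None else mm.group(2)
    return (module, mm.group(3), mm.group(4).strip())

def classify(cmdline):
    """Return the reasons a rundll32 command line looks suspicious ([] = clean)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export, args = parsed
    low = module.lower()
    if low.startswith("javascript:"):           # mshtml RunHTMLApplication script trick
        return ["script_protocol"]
    reasons = []
    ext = PureWindowsPath(module).suffix.lower()
    if ext and ext not in (".dll", ".cpl"):     # e.g. a DLL disguised as .dat
        reasons.append("non_dll_extension")
    if any(w in low for w in USER_WRITABLE):    # module from a user-writable directory
        reasons.append("user_writable_module")
    if not export:                              # no entry point named: only DllMain runs
        reasons.append("no_export_named")
    if export.lower() in ("control_rundll", "control_rundllasuser") and any(
            w in args.lower() for w in USER_WRITABLE):  # .cpl staged outside System32
        reasons.append("cpl_from_user_writable_dir")
    return reasons
```

Run classify over each line of a process-creation log; the reason tags are meant to feed an alert or a hunting query, not to be treated as proof of compromise on their own.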