
Rundll32 exe runtime error
A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise’s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping that information up to date. Within ATR we typically monitor many adversaries for years and collect and store data ranging from indicators of compromise (IOCs) to TTPs.

In this report, ATR provides a deep insight into this long-term campaign and maps its findings against the Enterprise MITRE ATT&CK model. Parts of the report are censored because we respect the confidentiality of the victim. We will also zoom in on how the translation to MITRE techniques, historical context, and evidence artifacts such as the PlugX and Winnti malware led to a link with another campaign that we assess with high confidence to have been executed by the same adversary. The IOCs that can be shared are listed at the end of this document.

McAfee customers are protected from the malware and tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. The MVISION Endpoint, EDR and UCE platforms provide signature- and behavior-based prevention and detection capability for many of the techniques used in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors

Forensic investigations identified that the actor established initial access by compromising the victim’s web server. On the web server, software was installed to maintain presence and to store the tools that would later be used to gather information about the victim’s network and for lateral movement and execution of files. Examples of the tools discovered are PsExec, Procdump, and Mimikatz.

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalation. The first, RottenPotato, is an open-source tool used to obtain a handle to a privileged token, for example that of “NT AUTHORITY\SYSTEM”, in order to execute tasks with System rights. Both Potato-family tools depend on the SeImpersonatePrivilege, which Windows service accounts (including IIS application pool identities) hold by default, so an attacker who starts from a compromised web application usually already has what they need.

Example of RottenPotato on elevating these rights:

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights to System rights. The BadPotato code can be found on GitHub, where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using dotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 08:23:47 – Date and time the image was created

PlugX

Another major and characteristic technique the adversary used in this long-term campaign was the PlugX malware as a backdoor. PlugX makes use of the technique “DLL Sideloading”: when resolving an imported DLL, the Windows loader searches the application’s own directory before the system directories, so a malicious DLL carrying the name that a trusted, signed executable expects is loaded into that executable’s process and inherits its reputation. PlugX was observed in its usual form, where a single (RAR) executable contained the three parts:

  • A valid, signed executable.
  • The associated DLL with the hook towards the payload.
  • The payload file with the config to communicate with the Command & Control server (C2).

The adversary used either the standalone version or distributed the three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating with two domains. Both domains were registered during the time of the campaign. One of the PlugX samples consisted of the following three parts:

[table: Filename]

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the. The DLL loads the PlugX config and injects it into a process. We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with Volatility.
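The two artifacts the report leans on, the COFF TimeDateStamp and the signed-executable-plus-DLL sideloading pair, can both be checked from the PE headers alone. The following is an added example written for this edit, not McAfee ATR’s tooling and not the adversary’s code: it parses the COFF header and the import directory of a PE image with only Python’s standard library, reports the compile timestamp, and lists which imported DLL names also exist beside the executable, which is exactly the condition a sideloaded DLL needs. The PE image (built by `build_sample_pe`), the DLL names `KERNEL32.dll` and `sidelib.dll`, the directory listing, the timestamp value and the short `KNOWN_DLLS` set are all constructed for the demo.

```python
"""Added example: parse a PE image's COFF header and import table and flag
DLL sideloading candidates.  Not McAfee ATR tooling; the PE bytes, DLL
names and directory listing below are constructed for the demo."""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# DLLs Windows resolves from \KnownDlls (System32) no matter what sits in the
# application directory.  Partial list, assumed for the demo.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# Constructed sample input (hypothetical names).
SAMPLE_TIMESTAMP = 1_600_000_000            # 2020-09-13 12:26:40 UTC
SAMPLE_IMPORTS = ["KERNEL32.dll", "sidelib.dll"]
SAMPLE_DIR_LISTING = ["signed_app.exe", "KERNEL32.dll", "sidelib.dll"]


def parse_pe(data: bytes) -> dict:
    """Return machine, compile timestamp and imported DLL names of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dirs = opt + (96 if magic == 0x10B else 112)
    (import_rva,) = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)

    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstring(offset: int) -> str:
        return data[offset:data.index(b"\0", offset)].decode("ascii")

    # Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) until the all-zero terminator.
    imports = []
    if import_rva:
        desc = rva_to_offset(import_rva)
        while True:
            _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:
                break
            imports.append(cstring(rva_to_offset(name_rva)))
            desc += 20
    return {"machine": machine, "timestamp": timestamp,
            "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "imports": imports}


def sideload_candidates(imports, directory_listing):
    """Imported DLLs that also exist beside the executable and are not KnownDLLs.
    The loader searches the application directory first, so these would win."""
    present = {name.lower() for name in directory_listing}
    return [d for d in imports if d.lower() in present and d.lower() not in KNOWN_DLLS]


def build_sample_pe(timestamp: int, dlls) -> bytes:
    """Construct a minimal PE32+ image whose single section holds an import table."""
    section_rva, section_raw = 0x1000, 0x200
    names_rva = section_rva + 20 * (len(dlls) + 1)      # names follow the descriptors
    descriptors, names = b"", b""
    for dll in dlls:                                     # thunk arrays omitted: only Name is read here
        descriptors += struct.pack("<IIIII", 0, 0, 0, names_rva + len(names), 0)
        names += dll.encode("ascii") + b"\0"
    descriptors += b"\0" * 20                            # terminating descriptor
    section = descriptors + names
    section += b"\0" * (-len(section) % 0x200)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, section_rva, len(descriptors))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(section), section_rva,
                          len(section), section_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers + b"\0" * (section_raw - len(headers)) + section


def analyze_sample() -> dict:
    """Build the constructed sample, parse it and test it against its directory listing."""
    info = parse_pe(build_sample_pe(SAMPLE_TIMESTAMP, SAMPLE_IMPORTS))
    info["sideload"] = sideload_candidates(info["imports"], SAMPLE_DIR_LISTING)
    return info


if __name__ == "__main__":
    result = analyze_sample()
    print(f"compiled {result['compiled_utc']:%Y-%m-%d %H:%M:%S} UTC, imports {result['imports']}")
    print("sideloading candidates:", result["sideload"])
```

Against a real sample, replace `build_sample_pe` with the bytes of the signed executable and the listing with the directory it was dropped in; `KERNEL32.dll` is excluded on purpose, because KnownDLLs are always resolved from System32 and cannot be sideloaded by planting a file next to the EXE. The check that makes the finding a sideloading triad rather than a coincidence, verifying that the EXE’s Authenticode signature is valid while the DLL beside it is unsigned or signed by someone else, needs the Windows trust APIs (for example Get-AuthenticodeSignature) and is deliberately left out of this offline example.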












