System Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise
During the 2015 Ukraine Electric Power Attack, Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[8]
ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[9]
APT19 configured its payload to inject into the rundll32.exe.[10]
APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[11][9][12][13][14][15]
APT3 has a tool that can run DLLs.[16]
APT32 malware has used rundll32.exe to execute an initial infection process.[17]
APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[18][19]
APT41 has used rundll32.exe to execute a loader.[20]
Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.[21]
Attor's installer plugin can schedule rundll32.exe to load the dispatcher.[22]
Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[23]
Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat.[24]
Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[25]
BLINDINGCAN has used Rundll32 to load a malicious DLL.[26]
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.[27]
BoomBox can use RunDLL32 for execution.[28]
Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.[29]
Bumblebee has used rundll32 for execution of the loader component.[30][31]
During C0015, the threat actors loaded DLLs via rundll32 using the svchost process.[32]
During C0018, the threat actors used rundll32 to run Mimikatz.[33]
During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.[34]
Carbanak installs VNC server software that executes through rundll32.[35]
Cobalt Strike can use rundll32.exe to load DLL from the command line.[36][32][37]
Comnie uses Rundll32 to load a malicious DLL.[38]
CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[39]
CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."[40]
The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[41]
Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary.[42]
DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[43]
DEADEYE can use rundll32.exe for execution of living off the land binaries (lolbin) such as SHELL32.DLL.[44]
Egregor has used rundll32 during execution.[45]
After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[46]
Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.[47]
EnvyScout has the ability to proxy execution of malicious files with Rundll32.[28]
EVILNUM can execute commands and scripts through rundll32.[48]
FatDuke can execute via rundll32.[49]
FELIXROOT uses Rundll32 for executing the dropper program.[50][51]
FIN7 has used rundll32.exe to execute malware on a compromised network.[52]
Rundll32.exe is used as a way of executing Flame at the command-line.[53]
FlawedAmmyy has used rundll32 for execution.[54]
FunnyDream can use rundll32 for execution of its components.[55]
Gamaredon Group malware has used rundll32 to launch additional malicious components.[56]
A gh0st RAT variant has used rundll32 for execution.[57]
GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\SYSTEM).[51]
HAFNIUM has used rundll32 to load malicious DLLs.[58]
HermeticWizard has the ability to create a new process using rundll32.[59]
Heyoka Backdoor can use rundll32.exe to gain execution.[60]
IcedID has used rundll32.exe to execute the IcedID loader.[61][62]
InvisiMole has used rundll32.exe for execution.[63]
JHUHUGIT is executed using rundll32.exe.[64][65]
Kapeka is a Windows DLL file executed via ordinal by rundll32.exe.[66][67]
Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim's network.[68][69]
Koadic can use Rundll32 to execute additional payloads.[70]
KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[71][72]
Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[73]
Latrodectus can use rundll32.exe to execute downloaded DLLs.[74][75]
Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.[76]
LazyScripter has used rundll32.exe to execute Koadic stagers.[77]
Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.[78]
Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[79]
MegaCortex has used rundll32.exe to load a DLL for file encryption.[80]
Mispadu uses RunDLL32 for execution via its injector DLL.[81]
Mongall can use rundll32.exe for execution.[60]
Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.[82]
MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[83]
NativeZone has used rundll32 to execute a malicious DLL.[84]
Ninja loader components can be executed through rundll32.exe.[85]
NOKKI has used rundll32 for execution.[86]
NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[87]
During Operation Dream Job, Lazarus Group executed malware with C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.[88][89][90]
During Operation Spalax, the threat actors used rundll32.exe to execute malicious installers.[91]
PcShare has used rundll32.exe for execution.[55]
PolyglotDuke can be executed using rundll32.exe.[49]
PowerDuke uses rundll32.exe to load.[92]
Prikormka uses rundll32.exe to load its DLL.[93]
Pteranodon executes functions using rundll32.exe.[94]
PUNCHBUGGY can load a DLL using Rundll32.[95]
QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.[96][97][98][99][37]
Ragnar Locker has used rundll32.exe to execute components of VirtualBox.[100]
Raspberry Robin uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with Tor nodes.[101]
RedCurl has used rundll32.exe to execute malicious files.[102][103][104]
RTM runs its core DLL file using rundll32.exe.[105][106]
Sakula calls cmd.exe to run various DLL files via rundll32.[107]
Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[108]
SDBbot has used rundll32.exe to execute DLLs.[54]
ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[109]
Sibot has executed downloaded DLLs with rundll32.exe.[110]
During the SolarWinds Compromise, APT29 used Rundll32.exe to execute payloads.[111][112]
Squirrelwaffle has been executed using rundll32.exe.[113][114]
Storm-0501 has launched Cobalt Strike Beacon files with rundll32.exe.[115]
StreamEx uses rundll32 to call an exported function.[116]
StrelaStealer DLL payloads have been executed via rundll32.exe.[117][118]
SUNBURST used Rundll32 to execute payloads.[112]
SVCReady has used rundll32.exe for execution.[119]
TA505 has leveraged rundll32.exe to execute malicious DLLs.[120][109]
TA551 has used rundll32.exe to load malicious DLLs.[121]
Troll Stealer is dropped as a DLL file and executed via rundll32.exe by its installer.[122][123]
UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory.[124]
USBferry can execute rundll32.exe in memory to avoid detection.[125]
Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports Crash or Limit depending on the variant.[126]
The Winnti for Windows installer loads a DLL using rundll32.[127][128]
Wizard Spider has utilized rundll32.exe to deploy ransomware commands with the use of WebDAV.[129]
ZxShell has used rundll32.exe to execute other DLLs and named pipes.[130]