Date: 12/30/2024
Severity: High
Summary
Identifies the execution of a ".CPL" file from the user's temporary directory using the "Control_RunDLL" export function of the Shell32 DLL. This activity has been observed in several Raspberry Robin variants.
Indicators of Compromise (IOC) List
ParentImage (ends with): '\rundll32.exe' or '\control.exe'
Image (ends with): '\rundll32.exe'
OriginalFileName: 'RUNDLL32.EXE'
CommandLine (contains all of): 'shell32.dll', 'Control_RunDLL', '.CPL', '\AppData\Local\Temp\'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : ((resourcename = "Windows Security" AND eventtype = "4688") AND parentprocessname IN ("\rundll32.exe","\control.exe") AND processname like "\rundll32.exe") AND (commandline like "shell32.dll" AND commandline like "Control_RunDLL" AND commandline like ".CPL" AND commandline like "\AppData\Local\Temp\")
Detection Query 2 : ((technologygroup = "EDR") AND parentprocessname IN ("\rundll32.exe","\control.exe") AND processname like "\rundll32.exe") AND (commandline like "shell32.dll" AND commandline like "Control_RunDLL" AND commandline like ".CPL" AND commandline like "\AppData\Local\Temp\")
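The selection logic above, applied to a handful of constructed process-creation events so the match and the two benign near-misses can be checked offline. This is an added example, not code from Gurucul or from the referenced Sigma rule; the event field names follow the Sigma rule, string matching is case-insensitive, and the sample events are invented.

```python
PARENT_SUFFIXES = ("\\rundll32.exe", "\\control.exe")
IMAGE_SUFFIX = "\\rundll32.exe"
ORIGINAL_FILE_NAME = "rundll32.exe"
CMDLINE_TOKENS = ("shell32.dll", "control_rundll", ".cpl", "\\appdata\\local\\temp\\")


def matches_rule(event):
    """True when an event satisfies every selection clause (case-insensitive,
    endswith for image paths, contains-all for the command line, as Sigma does)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (parent.endswith(PARENT_SUFFIXES) and image.endswith(IMAGE_SUFFIX)
            and original == ORIGINAL_FILE_NAME
            and all(tok in cmdline for tok in CMDLINE_TOKENS))


def triage(events):
    """Indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed events for illustration; indexes 0 and 3 should alert, 1 and 2 should not.
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    {  # Raspberry Robin style: control.exe -> rundll32 loading a .CPL from %TEMP%
        "ParentImage": r"C:\Windows\System32\control.exe", "Image": RUNDLL32,
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Local\Temp\setup.cpl",'},
    {  # Benign: applet opened from Explorer, so the parent is explorer.exe
        "ParentImage": r"C:\Windows\explorer.exe", "Image": RUNDLL32,
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl",'},
    {  # Benign: same applet via control.exe; the .CPL lives in System32, not Temp
        "ParentImage": r"C:\Windows\System32\control.exe", "Image": RUNDLL32,
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl",'},
    {  # Mixed case, rundll32 parent: still matches because matching is case-insensitive
        "ParentImage": r"C:\Windows\SysWOW64\RUNDLL32.EXE", "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe SHELL32.DLL,control_rundll C:\USERS\BOB\APPDATA\LOCAL\TEMP\x.CPL"},
]

if __name__ == "__main__":
    print("alerting event indexes:", triage(SAMPLE_EVENTS))
```

The third event shows why the Temp-path clause matters: without it, every Control Panel applet launched through control.exe would alert.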
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml