Iertutil.dll Is Either Not Designed


Muriel Pelley, Aug 5, 2024, 2:06:54 PM, to ciakimlacom
Dropbox stopped working (no icon in the tool tray; update service and normal service both stopped). If I tried running it from the Start menu nothing appears to happen (no crashes or anything of interest in the Windows event log).

Install keeps failing with error "C:\Windows\SYSTEM32\dbgcore.DLL is either not designed to run on Windows or it contains an error. Try installing the program again..............Error Status 0xc000012f"


This error dialog is shown 6 times (for one install attempt), then the installation appears to continue (progress bar shown), followed by "Dropbox.exe The Exception unknown software exception (0xe00f0003) occured in the application at location 0x0000000076B59AB2", then another error dialog "Dropbox installer: The installer encountered error 2."


I have (as an experiment) replaced it with an older version, from another Windows 10 machine which is running Dropbox with no problems. That did not fix or change the issue (it was dated 2018, and is version 10.0.17763.1).


It appears that the copy of DBGCORE.DLL was damaged in the Windows 'Image' (a part of Windows where backups of critical files are kept); Windows wouldn't allow the use of the DLL, and couldn't repair it. I used the following method to fix this:


Thanks to everyone who tried to help here. I found the details of how to do the above repair by searching elsewhere on the web, but special thanks to www.wintips.org where I discovered how to create my own WIM file (which is critical if your Windows installation is corrupted). I think the problem was originally somehow caused by a Windows update that went wrong... hopefully this may help someone else.






I had forgotten to mention: after one of the multiple failed attempts to install (and also de-install) I went back to the Windows Control Panel and re-attempted a de-install from Programs and Features. That worked (so at the moment I do NOT have Dropbox installed).


I have just checked those instructions for 'Error 2'; neither of the Program Files folders exist, but there IS a log file for the installer (contents below). Notice that it appears to have reported an issue with a DLL also (last line).






Also, the machine is definitely up to date with Microsoft updates (I have a slight suspicion that it is an update that caused it: the DBGCORE.DLL that seems to be the cause of the issue is dated 03-Nov-2020, though I have tried going back to a 2018 version copied from another machine that is working). Both versions of the DLL had the same issue. I think (especially having seen the Dropbox error log, included above) that Dropbox or Python doesn't think the DLL is valid, but I'm pretty certain it is... properties (including details) look good, and no other software appears to be having issues...


Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON.


As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access.


Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring it to OneDrive for exfiltration and subsequent analysis.


In collaboration with Google's TAG, Mandiant notified multiple additional organizations across various sectors that have been compromised by this campaign. The organizations impacted by this campaign originated from a diverse range of countries spanning multiple continents, including:


An analysis of victim organizations within specific sectors reveals a notable geographic distribution. Nearly all targeted organizations operating in the shipping and logistics sector were located in Europe and the Middle East, with a single exception. In contrast, all affected organizations within the media and entertainment sector were located in Asia.


A significant portion of the victimized organizations within the shipping and logistics sector maintained operations across multiple continents, often as subsidiaries or affiliates of larger multinational corporations operating within the same industry.


Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore. At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting.


APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity that may be outside of state control. The group's financially motivated intrusions have primarily targeted the video game industry, involving activities such as stealing source code and digital certificates, manipulating virtual currencies, and attempting to deploy ransomware. APT41 is unique among tracked China-based actors in that it utilizes non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.


The group's espionage operations have targeted sectors such as healthcare, high-tech, and telecommunications, and other areas of economic interest. APT41 has frequently used software supply chain compromises, where they inject malicious code into legitimate software updates. They also employ advanced techniques like the use of bootkits and compromised digital certificates. The group's consistent targeting of the video game industry for personal gain is believed to have contributed to the development of tactics later used in their espionage operations.


DUSTPAN is an in-memory dropper written in C/C++ that decrypts and executes an embedded payload. Different variations of DUSTPAN may also load an external payload off disk from a hard-coded file path encrypted in the Portable Executable (PE) file. DUSTPAN may be configured to inject the decrypted payload into another process or create a new thread and execute it within its own process space.


Previously used by APT41 in several 2021 and 2022 breaches, DUSTPAN resurfaced in a recent investigation. This time, APT41 disguised DUSTPAN as a Windows binary by executing the malicious file as w3wp.exe or conn.exe. Additionally, the DUSTPAN samples were made persistent via Windows services; for example, one of the services was called Windows Defend.


The DUSTPAN samples were configured to load BEACON payloads into memory that were encrypted using ChaCha20. The BEACON payloads, once executed, communicated either via self-managed infrastructure hosted behind Cloudflare or via Cloudflare Workers as their command-and-control (C2) channels. BEACON configuration can be found in the Indicators of Compromise section.


DUSTTRAP is a multi-stage plugin framework with multiple components. DUSTTRAP begins with a launcher (Stage 1) that decrypts (AES-128-CFB) an encrypted on-disk PE file .dll.mui and executes it in memory. Decryption relies on the target machine's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID, thereby keying the launcher to the victim system. The decrypted PE from the launcher is a memory-only dropper (Stage 2) that is responsible for decrypting an embedded configuration and two or more embedded plugin dynamic-link libraries (DLLs) from its .lrsrc section. Once executed, these DLLs begin the setup of the modular plugin system. The first observed plugin (Stage 3) is responsible for low-level network setup and encryption. The second observed plugin (Stage 4) is responsible for higher-level network operations and may function as a downloader for additional plugins that, when loaded, may register themselves with prior components in the execution chain for additional functionality. We have observed the second plugin to vary in functionality, and more plugin variants likely exist.
