Beyond good ol’ Run key, Part 17

August 31, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

.NET components (a couple of DLLs loaded anytime .NET apps are executed) in the Windows 8.X have been somehow modified and when they are loaded they look for an environment variable called APPX_PROCESS. I am not sure what it is – googling around didn’t bring any results, but experimenting with it led me to a discovery of yet another phantom DLL called WinAppXRT.dll. If the environment variable is set anytime some .NET components are loaded they in turn will attempt to load the aforementioned DLL (e.g. launching powershell or any .NET app should be enough).

Since environment variables can be set via Registry we can use it to develop yet another persistence mechanism.

Adding the following:

[HKEY_CURRENT_USER\Environment]
"APPX_PROCESS"="1"

and dropping the WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the WinAppXRT.dll is loaded everytime user launches an application using .NET.

WinAppXRT

Share this :)

Comments are closed.