mscoree.dll, RunDll32ShimW lolbin

Executing this function via rundll32.exe causes mscoreei.dll to be loaded from one of the default .NET directories.

However…

The RunDll32ShimW function honours the environment variable COMPlus_InstallRoot when it searches for the mscoreei.dll file.

So…

If we change the value of the COMPlus_InstallRoot variable to point to a directory of our choice and place the payload in a subdirectory associated with the .NET version installed on the system, we can sideload our payload like this:

set COMPLUS_InstallRoot=c:\test\
rundll32.exe mscoree.dll, RunDll32ShimW

Shell32.dll, #44 lolbin

There is a well-known shell32.dll lolbas that relies on a function called Control_RunDLL. BUT, there is one more. The shell32.dll library exports a function called Control_RunDLLNoFallback under ordinal #44.

We can use it to launch CPL files using the syntax below:

"C:\windows\SysWOW64\rundll32.exe" "C:\windows\SysWOW64\shell32.dll",#44 "<localpath>.cpl"

I didn’t discover this technique – it was observed being used by various malware families including RaspberryRobin.
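Added example, not from the original post: detection logic for both lolbins described above, run over constructed Sysmon-style events (field names Image, CommandLine, ImageLoaded; EventID 1 for process creation, 7 for image load). The default .NET root paths, the sample paths and the record ids are assumptions made for the demo.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed default .NET roots (lower-case). mscoreei.dll reaching rundll32
# from anywhere else is the COMPlus_InstallRoot sideload described above.
NET_ROOTS = ("c:\\windows\\microsoft.net\\framework\\",
             "c:\\windows\\microsoft.net\\framework64\\")
# rundll32 ... mscoree.dll, RunDll32ShimW (case and spacing vary)
SHIM_RE = re.compile(r"mscoree\.dll\s*,\s*rundll32shimw\b", re.I)
# shell32.dll,#44 or its named export Control_RunDLLNoFallback
CPL_RE = re.compile(r'shell32\.dll"?\s*,\s*(#44|control_rundllnofallback)\b', re.I)

def classify(ev: Dict) -> Optional[str]:
    """Label one Sysmon-style event, or return None if nothing matched."""
    if not ev.get("Image", "").lower().endswith("rundll32.exe"):
        return None
    if ev.get("EventID") == 1:  # process creation: inspect the command line
        cmd = ev.get("CommandLine", "")
        if SHIM_RE.search(cmd):
            return "RunDll32ShimW via rundll32: verify where mscoreei.dll came from"
        if CPL_RE.search(cmd):
            return "shell32 #44 (Control_RunDLLNoFallback) CPL launch"
    elif ev.get("EventID") == 7:  # image load: mscoreei.dll from a non-default root?
        loaded = ev.get("ImageLoaded", "").lower()
        if loaded.endswith("\\mscoreei.dll") and not loaded.startswith(NET_ROOTS):
            return "mscoreei.dll loaded by rundll32 outside the default .NET roots"
    return None

def scan(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """(RecordId, finding) for every matching event, in input order."""
    return [(ev["RecordId"], f) for ev in events if (f := classify(ev))]

# Constructed sample events (Sysmon field names; paths and ids are made up).
SAMPLE = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe mscoree.dll, RunDll32ShimW"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\test\<net-version-dir>\mscoreei.dll"},
    {"RecordId": 3, "EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\<ver>\mscoreei.dll"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\windows\SysWOW64\rundll32.exe" "C:\windows\SysWOW64\shell32.dll",#44 "C:\Users\Public\x.cpl"'},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # well-known, not #44
]
```

Process-creation events do not record COMPlus_InstallRoot, so the command-line match only flags the entry point; the image-load check is what confirms that mscoreei.dll came from somewhere other than the default .NET roots.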