.. /Zipfldr.dll
Star

Execute

Compressed Folder library

Paths:

c:\windows\system32\zipfldr.dll
c:\windows\syswow64\zipfldr.dll

Resources:

https://twitter.com/moriarty_meng/status/977848311603380224
https://twitter.com/bohops/status/997896811904929792
https://windows10dll.nirsoft.net/zipfldr_dll.html

Acknowledgements:

Moriarty (Execution) (@moriarty_meng)
r0lan (Obfuscation) (@r0lan)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

Execute

Launch an executable payload by calling RouteTheCall.

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

Usecase: Launch an executable.
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1218.011

Launch an executable payload by calling RouteTheCall (obfuscated).

rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e

Usecase: Launch an executable.
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1218.011

.. /Zipfldr.dll Star

Execute

.. /Zipfldr.dll
Star