{
	"id": "197c7bee-3c2c-44bf-ad71-ce14c9879619",
	"created_at": "2026-04-06T00:16:50.279652Z",
	"updated_at": "2026-04-10T13:13:01.650787Z",
	"deleted_at": null,
	"sha1_hash": "2625262feffecd3ba0b0f0887ad3595f9f77931c",
	"title": "Beyond good ol’ Run key, Part 5",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67784,
	"plain_text": "Beyond good ol’ Run key, Part 5\r\nPublished: 2013-12-08 · Archived: 2026-04-05 19:13:55 UTC\r\nTime for the 5th part. Today it’s about Phantom DLL Hijacking (do not confuse it with ‘DLL Search Order Hijacking’, where the order in which paths are searched is abused).\r\nWindows is a huge operating system and not all components are cleaned up with every new release. Thanks to that, there is a lot of legacy code that, due to its age and changes in the structure of the operating system, no longer works, or is simply left alone – probably just an implementation of the good ol’ rule at work – if it doesn’t break, don’t touch it.\r\nMany Windows applications residing in the system32 directory are not used on a daily basis – some of them indeed look like legacy apps (you can still run syncapp.exe on your Windows XP copy to enjoy the Briefcase experience :)), and some of them may be used only in specific configurations (e.g. NT Backup). The mechanisms that some of these legitimate applications use often cater for different scenarios and environments and… thanks to that, they can often be exploited.\r\nToying around with system32 executables I came across a few legitimate applications that may work as a hidden persistence mechanism. The ‘features’ I am describing are not new, and are identical with the fxsst.dll trick mentioned in the 3rd part of the series and described by Mandiant in detail. The idea is simple – some programs attempt to load specifically named libraries that are some sort of extension, or plugins and in some cases debugging tools – and they can continue to run, even if the DLLs implementing this extra functionality are not present.\r\nHere’s a list of pairs I came across (and I bet there are more; note, some of these may work on other OS versions as well – usually the same code is used across many consecutive OS versions):\r\nntbackup.exe and edbbcli.dll (Windows XP)\r\nNtbackup is a Backup Utility for Windows (available on XP, but not 7). When launched it starts a Backup or Restore Wizard. The interesting thing is that when loaded, this .exe also attempts to load a library called:\r\n%windir%\\system32\\edbbcli.dll\r\nThus, by dropping a DLL with that name and making ntbackup run every time Windows starts, either by using a Scheduled job or any of the well-known Autorun mechanisms, one can achieve quite stealthy code execution.\r\nntbackup.exe and esebcli2.dll (Windows XP)\r\nhttps://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\r\nPage 1 of 4\n\nThe situation is exactly the same here; anytime ntbackup launches, it attempts to load the esebcli2.dll DLL from the following location:\r\n%windir%\\system32\\esebcli2.dll\r\nThe legitimate mechanism of loading these two NT Backup DLLs is explained here.\r\nmrt.exe and bcrypt.dll (Windows XP)\r\nMRT is the Malicious Software Removal Tool. When launched, it attempts to load bcrypt.dll; thus, dropping it in the system32 directory on XP will lead to (somewhat ironic) execution of the code:\r\n%windir%\\system32\\bcrypt.dll\r\nbcrypt.dll doesn’t exist on XP, but it does on Windows 7, so this trick will only work on older Windows.\r\nsessmgr.exe and SalemHook.dll (Windows XP)\r\nYet another binary that can load a targeted DLL is the Remote Desktop Help Session Manager executable on Windows XP. Once launched, it tries to load the following DLL:\r\n%windir%\\system32\\SalemHook.dll\r\ncertreq.exe and msfte.dll (Windows 7)\r\nCertreq is a tool for working with certificates. When launched it attempts to load the following DLL:\r\n%windir%\\system32\\msfte.dll\r\ncertreq.exe and msTracer.dll (Windows 7)\r\nCertreq seems to like non-existing DLLs as it also attempts to load the following DLL:\r\n%windir%\\system32\\msTracer.dll\r\nFXSCOVER.exe and TPPrnUIENU.dll (Windows 7)\r\nThis tool is the Fax Cover Page Editor. When loaded, it attempts to load the following DLL:\r\n%windir%\\system32\\spool\\DRIVERS\\W32X86\\3\\TPPrnUIENU.dll\r\nThe name of the DLL (TPPrnUIENU.dll) suggests that:\r\nIt is a companion to %windir%\\system32\\spool\\drivers\\w32x86\\3\\TPPrnUI.DLL (there are plenty of %windir%\\system32\\spool\\drivers\\w32x86\\3\\TPPrnUI*.dll files, but not the TPPrnUIENU.dll)\r\nThe ENU in the file name indicates it is a Satellite DLL used in localization and it’s providing data for the English language (the other TPPrnUI*.dll present on the system use other language identifiers, e.g. TPPrnUIfra.dll, TPPrnUIita.dll)\r\nIn theory, these Satellite DLLs are resource-only DLLs, but TPPrnUI.DLL is using LoadLibraryW to load them – a big mistake, since LoadLibraryW calls DllMain of the loaded DLL (LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE is a better choice here). Hence, code execution.\r\ndxdiag.exe and DXGIDebug.dll (Windows 7)\r\ndxdiag.exe is the DirectX Diagnostic tool. When executed, it attempts to load the following DLL (for debugging purposes as a part of the DXGI framework):\r\n%windir%\\system32\\DXGIDebug.dll\r\nmsinfo32.exe and fveapi.dll (Windows 8.1)\r\nmsinfo32.exe is a system information tool. When executed, it will try to load the following DLL:\r\n%windir%\\system32\\fveapi.dll\r\nInterestingly, this DLL is present on Windows 7 and Windows 8, but not present on Windows 8.1 (in a default installation). The DLL’s description is Microsoft Vista BitLocker Drive Encryption API and it offers access to the BitLocker API.\r\nnarrator.exe and MSTTSLocEnUS.DLL (Windows 8)\r\nLast one on the list is Narrator.exe, which attempts to load the following DLL:\r\n%windir%\\system32\\speech\\engines\\tts\\MSTTSLocEnUS.DLL\r\nAgain, the file naming suggests localization gone wrong.\r\n32-bit processes, Wow64.dll and Wow64Log.dll (Windows 7 64-bit)\r\nThis is not a process-specific autorun mechanism, but a system-wide way of introducing a DLL into all 32-bit processes running under control of WOW64, by dropping the following 64-bit DLL on 64-bit Windows 7:\r\n%windir%\\system32\\Wow64Log.dll\r\nThis trick was discovered and described in detail by Walied Assar on his blog earlier this year. While Wow64Log.dll appears to be made available with the purpose of being a legitimate logging feature, it can be abused as a persistence mechanism as well.\r\nSource: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/"
	],
	"report_names": [
		"beyond-good-ol-run-key-part-5"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2625262feffecd3ba0b0f0887ad3595f9f77931c.pdf",
		"text": "https://archive.orkl.eu/2625262feffecd3ba0b0f0887ad3595f9f77931c.txt",
		"img": "https://archive.orkl.eu/2625262feffecd3ba0b0f0887ad3595f9f77931c.jpg"
	}
}