The dropper 869fa4dfdbabfabe87d334f85ddda234, also known as dw20.dll/msacm32.drv, is being executed by a process with a suspicious parent process, indicating potential malicious payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to persistent threats within the environment.
YARA Rule
rule backdoor_apt_pcclient
{
    meta:
        author = "@patrickrolsen"
        maltype = "APT.PCCLient"
        filetype = "DLL"
        version = "0.1"
        description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
        date = "2012-10"
    strings:
        $magic = { 4d 5a } // MZ
        $string1 = "www.micro1.zyns.com"
        $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
        $string3 = "msacm32.drv" wide
        $string4 = "C:\\Windows\\Explorer.exe" wide
        $string5 = "Elevation:Administrator!" wide
        $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
    condition:
        $magic at 0 and 4 of ($string*)
}
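To check how the rule's condition behaves before deploying it, the following added example (not part of the original page or the rule author's work) re-implements the condition in plain Python: the MZ header must sit at offset 0, strings declared wide are matched only in their UTF-16LE form, and at least 4 of the six $string patterns must be present. The sample buffers are constructed, not real file contents.

```python
from typing import List

MAGIC = b"MZ"  # $magic = { 4d 5a }, required at offset 0

# (pattern, wide) pairs copied from backdoor_apt_pcclient.
# YARA's "wide" modifier (without "ascii") matches only the UTF-16LE encoding.
STRINGS = [
    ("www.micro1.zyns.com", False),
    ("Mozilla/4.0 (compatible; MSIE 8.0; Win32)", False),
    ("msacm32.drv", True),
    ("C:\\Windows\\Explorer.exe", True),
    ("Elevation:Administrator!", True),
    ("C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb", False),
]


def encode(pattern: str, wide: bool) -> bytes:
    """Encode a rule string the way YARA searches for it."""
    return pattern.encode("utf-16-le" if wide else "ascii")


def matched_strings(data: bytes) -> List[str]:
    """Return the $string* patterns found in the buffer."""
    return [p for p, w in STRINGS if encode(p, w) in data]


def rule_matches(data: bytes) -> bool:
    """Equivalent of: $magic at 0 and 4 of ($string*)."""
    return data.startswith(MAGIC) and len(matched_strings(data)) >= 4


# Constructed samples (hypothetical, not malware bytes).
# A benign PE that merely references msacm32.drv and Explorer.exe as UTF-16LE.
BENIGN = MAGIC + b"\x90" * 64 + encode("msacm32.drv", True) + encode("C:\\Windows\\Explorer.exe", True)
# All six indicators but no MZ header, e.g. a memory fragment: the "at 0" clause fails.
NO_HEADER = b"\x00" * 16 + b"".join(encode(p, w) for p, w in STRINGS)
# A PE-like buffer carrying five of the six indicators: crosses the "4 of" threshold.
SUSPECT = MAGIC + b"\x90" * 64 + b"".join(encode(p, w) for p, w in STRINGS[:5])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("no_header", NO_HEADER), ("suspect", SUSPECT)):
        print(f"{name}: match={rule_matches(blob)} strings={matched_strings(blob)}")
```

Note that the ASCII text "msacm32.drv" inside the $string6 PDB path does not satisfy the wide-only $string3, which is why the benign sample scores only two patterns.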
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic: $magic (the MZ header) plus $string1 through $string6, three of which ($string3, $string4, $string5) are declared wide. The condition requires $magic at offset 0 and at least 4 of the six $string patterns.
Scenario: A legitimate system update or patching tool (e.g., Microsoft Update or Windows Server Update Services) drops the dw20.dll or msacm32.drv as part of its installation process.
Filter/Exclusion: Check the process parent or command line for known update tools, or exclude files dropped by processes with msiexec.exe or wuauclt.exe.
Scenario: A scheduled task (e.g., Task Scheduler) runs a legitimate script or executable that drops the dw20.dll or msacm32.drv as part of a routine maintenance job.
Filter/Exclusion: Exclude files dropped by processes associated with schtasks.exe or by tasks with known legitimate names (e.g., DailyCleanup or SystemUpdate).
Scenario: A legitimate audio codec or multimedia tool (e.g., Adobe Flash Player, Windows Media Player) uses msacm32.drv as part of its operation, and the file is dropped during installation or update.
Filter/Exclusion: Exclude files dropped by processes associated with known multimedia tools or by installers like msiexec.exe or setup.exe for Adobe or Microsoft products.
Scenario: A system administration task (e.g., DISM, dism.exe) runs to repair or refresh the system, and the dw20.dll or msacm32.drv is temporarily dropped in the process.
Filter/Exclusion: Exclude files dropped by processes with dism.exe or setup.exe during system repair or image deployment.
Scenario: A third-party enterprise application (e.g., a legacy .NET application or a custom in-house tool) includes msacm32.drv as a dependency and drops it during installation or runtime.