Skip to main content

 

Splunk Lantern

Loading of Dynwrapx module

 

DynamicWrapperX is an ActiveX component that can be used in a VBScript to call Windows API functions. It requires the dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll to a host is an indicator of suspicious activity.

This search returns instances of the DynamicWrapperX or dynwrapx.dll image loaded onto a host.

Data required 

Sysmon for Microsoft or Linux

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational
EventCode=7 (ImageLoaded="*\\dynwrapx.dll" OR OriginalFileName="dynwrapx.dll" OR Product="DynamicWrapperX") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational Search Sysmon operational logs.

EventCode=7

(ImageLoaded="*\\dynwrapx.dll" OR OriginalFileName="dynwrapx.dll" OR Product="DynamicWrapperX")  

Search for event code 7, when an image loaded event logs when a module is loaded in a specific process. Search within these logs for potentially suspicious dynwrapx.dll activities.
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Image QueryName QueryStatus process_name QueryResults Computer  Return the values for the fields shown, sorting first by Image and then by the rest of the fields shown.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

You should treat activity that shows the registering or loading of dynwrapx.dll to a host as highly suspicious. In most instances when it is maliciously used, the best way to triage is to review parallel processes and pivot on the process_guid field. 

During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.

If your results indicate an attack has occurred, the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.

You might also be interested in other processes associated with the Detecting indicators of Remcos RAT malware use case.