Process Writing DynamicWrapperX

name: Process Writing DynamicWrapperX
id: b0a078e4-2601-11ec-9aec-acde48001122
version: 8
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.
data_source:
    - Sysmon EventID 11
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
      WHERE Filesystem.file_name="dynwrapx.dll"
      BY Filesystem.action Filesystem.dest Filesystem.file_access_time
         Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
         Filesystem.file_name Filesystem.file_path Filesystem.file_acl
         Filesystem.file_size Filesystem.process_guid Filesystem.process_id
         Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `process_writing_dynamicwrapperx_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).
references:
    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
    - https://www.script-coding.com/dynwrapx_eng.html
    - https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
    - https://tria.ge/210929-ap75vsddan
    - https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89
tags:
    analytic_story:
        - Remcos
    asset_type: Endpoint
    mitre_attack_id:
        - T1059
        - T1559.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog