Any good reason for rundll32.exe to try and access the internet?


a090

Level 2
Thread author
Mar 26, 2023
67
Hi all,

I recently set up my new workstation with Windows 11 (local account). After installing chipset drivers, graphics drivers, and the rest of my drivers from the motherboard manufacturer’s website, I installed my AV (F-Secure) and some second opinion scanners (MBAM, HM.P, EEK, and ESET Online Scanner). After a few days, I began receiving popups from WFC alerting me to rundll32.exe attempting to connect via TCP to a remote IP. It’s one single pop-up, but it occurs every day since I choose the Block now and ask me later option. I ran a lookup on the IP and it led back to Microsoft in Redmond. However, I’m not convinced; details for why are below, alongside questions.

Questions / comments:

  1. Is it ever necessary for rundll32.exe to make a remote connection like this? Even if it is to a Microsoft-controlled IP?
  2. The reason I don’t necessarily trust the Microsoft IP is because it could be someone using Azure to host something malicious. I’m not sure if it’s possible to differentiate between Microsoft’s own infrastructure and that of Azure. Pretty sure they’re under the same ASN. I’m not saying I suspect anything suspicious on my system… I’m simply curious if this is normal behavior for rundll32.exe, behavior that I was oblivious to until I installed WFC.
  3. Can someone check via VirusTotal (not from Properties in File Explorer) if their C:\Windows\System32\rundll32.exe is signed? Is rundll32.exe supposed to be signed? Mine isn’t. But it is located in the correct /System32/ folder. I uploaded it to VirusTotal and it says the file isn’t signed. But Google searches lead me to believe the file should be signed. Like many other Windows core files are. If someone can verify by uploading their rundll32.exe to VirusTotal, that would be great. Especially if you can grab a screenshot of the Details tab on VT.
  4. Please see image below of my WFC alert. Yes, I took this photo with my phone because I haven’t installed ShareX just yet. Still have a fresh workstation with just my chipset drivers, mobo drivers, graphics drivers, AV, and secondary scanners. And yes I blurred out a bunch of random stuff just messing around, ha.
    1. Imgur: (save as below)
    2. ImgBB: IMG-6721 hosted at ImgBB (same as above)

At this point, with my system being so fresh, the only thing that could have infected it was the drivers installation. But I made sure multiple times before downloading anything to ensure I’m on the correct site. I run a WHOIS on the download page’s URL / domain and verify I’m on the correct site before every download. And they all get scanned by VirusTotal, and their digital signature is verified. So there’s a slim chance I got “fake drivers.” So if I am indeed infected, then the official driver sites for either ASUS, NVIDIA, or AMD are compromised.

I sincerely doubt this theory, and I’m guessing it is normal for rundll32.exe to make these connections from time to time. Please confirm for me. :)

Many thanks!

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

The reason I don’t necessarily trust the Microsoft IP is because it could be someone using Azure to host something malicious.
Check the IP address using this site:

If you want me to check your system for possible malware, download and execute the program below.


Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions.

a090

Level 2
Thread author
Mar 26, 2023
67
Hey nasdaq, I appreciate you reaching out. I don’t suspect malware and was just curious if said file normally accesses the internet or not. My build is fresh and all secondary opinion scanners seem to indicate all is well.

I was also able to confirm (via your IP address lookup link) that the remote IP being connected to by rundll32.exe is owned by Microsoft Azure. But, I also learned that the same holds true for smartscreen.exe, taskhostw.exe, wermgr.exe, devicecensus.exe, and a bunch of other core W11 files. They all connect to remote IPs registered to Azure.

In a way I was right. Microsoft hosts their own infrastructure and Azure in the same IP space. They’re using Azure for hosting their own files too, or rather, their own Windows files connect to Azure.

Actually, I’m not sure why this thread was moved here to Malware Removal. I’m curious about the file, but don’t suspect any malware. Appreciate the help though.

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hi,

My apologies for this late reply.
I live in the West End of Montreal, Quebec, Canada, and I lost the power to my home due to an ice storm from Wednesday night, the 5th of April. I stayed in a hotel and got back when the power was restored late this Monday afternoon.

If you still need help, please advise.

a090

Level 2
Thread author
Mar 26, 2023
67
Sorry to hear that nasdaq. I hope all is well with you, your family, and your house / belongings.

I’m all good on the rundll32 thing. @Trident reached out and helped put my mind at ease. We were able to ensure our rundll32.exe files were identical (they were) which meant mine was OK to access the internet.

What is weird is Microsoft didn’t correctly sign rundll32.exe. VT shows the file as unsigned, so somebody at M$ should investigate. This issue is present on Trident’s PC, mine, my father’s, and even on a fresh install of Windows via macOS Bootcamp. So I’m willing to bet rundll32.exe is unsigned for everyone, it seems.

Thanks for reaching back out. Stay safe and have a great day, @nasdaq.
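A defender-side check for the two questions this thread raises (which rundll32.exe instances are talking to the network, and whether the binary is signed), added here as an example and not part of any poster's reply: it lists live rundll32.exe TCP connections with the DLL each instance was launched to host, and validates signatures with Get-AuthenticodeSignature, which also checks the Windows security catalogs (catalog signing is why a file-only view such as VirusTotal reports many System32 binaries as unsigned). It assumes an elevated PowerShell 5.1+ session on Windows 10/11; the function name Get-SignatureSummary is my own.

```powershell
# Added example, not code from the thread. Run elevated on Windows 10/11.

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "not found at that path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # SignatureType is Authenticode (embedded), Catalog, or None; IsOSBinary is
    # true when the signature chains to the Windows production root.
    $signer = $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
    "{0} / {1} / OSBinary={2} / {3}" -f $sig.Status, $sig.SignatureType, $sig.IsOSBinary, $signer
}

"rundll32.exe itself: " + (Get-SignatureSummary -Path "$env:SystemRoot\System32\rundll32.exe")

# Every established or pending TCP connection owned by a rundll32.exe process.
$conns = Get-NetTCPConnection -State Established,SynSent -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -eq 'rundll32' }

foreach ($c in $conns) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    # rundll32 is invoked as "rundll32.exe <dll>,<export> [args]"; the DLL is the
    # real subject of the question, so pull it out of the command line.
    $dll = $null
    if ($proc.CommandLine -match '(?i)rundll32(\.exe)?"?\s+"?([^",]+\.dll)') { $dll = $Matches[2] }
    $parentId = $proc.ParentProcessId
    $parent = (Get-Process -Id $parentId -ErrorAction SilentlyContinue).Name
    [pscustomobject]@{
        PID         = $c.OwningProcess
        Parent      = "$parent ($parentId)"
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        HostedDll   = $dll
        DllSig      = if ($dll) { Get-SignatureSummary -Path $dll } else { "command line not parsed" }
        CommandLine = $proc.CommandLine
    }
}
```

A valid Catalog signature with OSBinary=True on both rundll32.exe and the hosted DLL, plus a parent such as svchost.exe or explorer.exe, is the normal picture; an unsigned DLL outside System32 or an unexpected parent is what warrants a closer look.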