Display.dll

  • File Path: C:\Windows\SysWOW64\Display.dll
  • Description: Display Control Panel

Hashes

Type    Hash
MD5     751BEC2A959EA8907525021B418CB21B
SHA1    4D222D6B9DF6B491ED0AFC5B7845B529F1765873
SHA256  8C31A3DB328A9DD77E3C3DF733E3ADD2C9238CC05809A1E658D99A478E96B9B0
SHA384  05E6AA611684E16D7B003B62CC0BCE40D56D804861E7FCCC01E41D45698BA2CED44F0EEC53692D90D56161776FE19C75
SHA512  A3CAF7A9D6DC0396552C1512A2101F835F2BCE924663109B8B38ADBEA71B035F65E962D97F9B984D7B65B37DEDDE31F8226F47E81D73A670B71541CD400192D7
SSDEEP  1536:8LYsLpph1aFgiML8EnEtzUVIY1eAjG5A4rrideoFSqvlh1b9aLeagSYG+6SU//:8XLpph1VczUTIA6W4aeoUqvuSuYG
IMP     2FCAA88E40D72508F0F5835F4990ADBD
PESHA1  2F388872C0FB1379CCC14EF971E9F0F6C1263843
PE256   030550F2C2347E1DCBBFA68C01D26917B840A1848E52E1B709976F6F6097F3D9

DLL Exports:

Function Name          Ordinal  Type
DisplaySaveSettingsEx  1        Exported Function
ShowAdapterSettings    2        Exported Function
DllCanUnloadNow        3        Exported Function
DllGetClassObject      4        Exported Function

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DISPLAY.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/8c31a3db328a9dd77e3c3df733e3add2c9238cc05809a1e658d99a478e96b9b0/detection/

Possible Misuse

The following table contains possible examples of Display.dll being misused. While Display.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that the rows below were matched on the string "display": most refer to the generic word (service display names, X11 "-display", CSS "display: none", "find and display") rather than to this library, and the one rundll32 reference (apt_apt41.yar) calls an export named "DisPlay" that does not appear in this DLL's export table above. Treat the rows as search context, not as evidence that Display.dll itself was used.

Source Source File Example License
sigma lnx_apt_equationgroup_lnx.yml - 'xspy -display ' DRL 1.0
sigma lnx_shell_susp_rev_shells.yml - 'xterm -display 1' DRL 1.0
sigma sysmon_in_memory_assembly_execution.yml C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" DRL 1.0
malware-ioc attor === Service display names © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc oceanlotus * HKCU\SOFTWARE\Intel\Display\igfxcui\igfxtray\;[NUMBER];[DWORD] © ESET 2014-2018
malware-ioc rtm DISPLAY © ESET 2014-2018
malware-ioc stantinko b.style.display = "none"; © ESET 2014-2018
malware-ioc winnti_group === Service display name © ESET 2014-2018
atomic-red-team Getting_Lateral.md T1117 Splunk MIT License. © 2018 Red Canary
atomic-red-team Getting_Lateral.md T1003 Splunk MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Find and Display Safari Browser Version [macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Find and Display Safari Browser Version [macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Successful execution of this test will display multiple usernames and passwords/hashes to the screen. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1036.004.md <blockquote>Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. MIT License. © 2018 Red Canary
atomic-red-team T1037.004.md sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common MIT License. © 2018 Red Canary
atomic-red-team T1056.002.md osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain MIT License. © 2018 Red Canary
atomic-red-team T1069.002.md Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain MIT License. © 2018 Red Canary
atomic-red-team T1069.002.md Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain MIT License. © 2018 Red Canary
atomic-red-team T1069.002.md test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success MIT License. © 2018 Red Canary
atomic-red-team T1113.md Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour MIT License. © 2018 Red Canary
atomic-red-team T1518.md - Atomic Test #1 - Find and Display Internet Explorer Browser Version MIT License. © 2018 Red Canary
atomic-red-team T1518.md - Atomic Test #3 - Find and Display Safari Browser Version MIT License. © 2018 Red Canary
atomic-red-team T1518.md ## Atomic Test #1 - Find and Display Internet Explorer Browser Version MIT License. © 2018 Red Canary
atomic-red-team T1518.md ## Atomic Test #3 - Find and Display Safari Browser Version MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md when successfully executed, the test is going to display running processes, firewall configuration on network profiles MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md when successfully executed, command shell is going to display AV software it is running (Little Snitch or Carbon Black). MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md when successfully executed, the test is going to display sysmon driver instance if it is installed. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md when successfully executed, the test is going to display installed AV software. MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md * Display Switcher: C:\Windows\System32\DisplaySwitch.exe MIT License. © 2018 Red Canary
atomic-red-team T1552.006.md Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found". MIT License. © 2018 Red Canary
atomic-red-team roll-the-dice.md <table id="roll-the-dice" style="width: auto; margin: 0 auto; display: table; min-width: 700px; max-width: 700px;"> MIT License. © 2018 Red Canary
atomic-red-team roll-the-dice.md <blockquote class="random-test-description" style="display: block;"></blockquote> MIT License. © 2018 Red Canary
signature-base apt_apt41.yar $s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s1 = "USAGE: xspy -display -delay -up" fullword ascii CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s3 = "Do not display MAC addresses" CC BY-NC 4.0
signature-base spy_querty_fiveeyes.yar $s8 = "display help for this function" fullword ascii CC BY-NC 4.0
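As an added example (not code from the Strontic page, from Microsoft, or from any of the projects cited in the table), the Python below turns the profile above into two checks a responder actually runs: hashing a file the way the hash table does, and triaging Sysmon-style image-load events for the masquerading pattern several rows describe, that is, a file named Display.dll loaded from somewhere other than C:\Windows\SysWOW64, unsigned, or with a hash other than this build's. The event records are constructed, the expected-path set and the signer CN are taken from this page, and treating a hash-only mismatch at the expected, signed path as "verify the build" rather than as a compromise is the example's own assumption.

```python
"""Added example (not code from the Strontic page): verify a Display.dll
against the 10.0.19041.1 profile above and triage image-load events for
renamed or relocated copies of it."""
import hashlib
import ntpath
from dataclasses import dataclass

# Known-good values for this build (10.0.19041.1, 32-bit), copied from the page.
KNOWN_GOOD_HASHES = {
    "md5": "751BEC2A959EA8907525021B418CB21B",
    "sha1": "4D222D6B9DF6B491ED0AFC5B7845B529F1765873",
    "sha256": "8C31A3DB328A9DD77E3C3DF733E3ADD2C9238CC05809A1E658D99A478E96B9B0",
}
# Assumption: the only path this 32-bit build should load from. A 64-bit copy
# under System32 is a different file and would need its own profile entry.
EXPECTED_PATHS = {ntpath.normcase(r"C:\Windows\SysWOW64\Display.dll")}
EXPECTED_SIGNER = "Microsoft Windows"   # CN of the signing certificate above


def hash_bytes(data: bytes) -> dict:
    """Upper-case MD5/SHA1/SHA256 digests, formatted like the page's hash table."""
    return {
        name: hashlib.new(name, data).hexdigest().upper()
        for name in ("md5", "sha1", "sha256")
    }


def hash_file(path: str) -> dict:
    """Hash a file on disk in chunks so large binaries are not read into memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


@dataclass
class ImageLoad:
    """Subset of Sysmon Event ID 7 (Image loaded) fields used by the triage."""
    image_loaded: str   # ImageLoaded: path of the DLL that was mapped
    sha256: str         # SHA256 from the Hashes field
    signed: bool        # Signed field
    signature: str      # Signature field (signer CN)


def triage(event: ImageLoad) -> list:
    """Return findings for one event; an empty list means the load looks legitimate.

    Only events whose file name is Display.dll are assessed; everything else
    yields [] so the function can be mapped over a whole log.
    """
    if ntpath.basename(event.image_loaded).lower() != "display.dll":
        return []
    findings = []
    if ntpath.normcase(event.image_loaded) not in EXPECTED_PATHS:
        findings.append("loaded from unexpected path")
    if not event.signed or event.signature != EXPECTED_SIGNER:
        findings.append("not signed by Microsoft Windows")
    if event.sha256.upper() != KNOWN_GOOD_HASHES["sha256"]:
        # At the expected path with a valid Microsoft signature this is usually
        # a different Windows build; flag it for verification, not as malicious.
        findings.append("sha256 differs from the 10.0.19041.1 profile")
    return findings


def triage_all(events) -> list:
    """(path, findings) for every event that produced at least one finding."""
    return [(e.image_loaded, f) for e in events if (f := triage(e))]


# Constructed sample events (not real telemetry): a clean load, a renamed
# unsigned copy in a user-writable directory, a signed copy of another build,
# and an unrelated DLL that the triage must ignore.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\SysWOW64\Display.dll",
              KNOWN_GOOD_HASHES["sha256"], True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Display.dll", "00" * 32, False, ""),
    ImageLoad(r"C:\Windows\SysWOW64\Display.dll", "11" * 32, True, "Microsoft Windows"),
    ImageLoad(r"C:\Windows\System32\kernel32.dll", "22" * 32, True, "Microsoft Windows"),
]


if __name__ == "__main__":
    for path, findings in triage_all(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(findings)}")
```

Hashing is portable, but Authenticode verification is not: the signer check here trusts the Signed/Signature fields Sysmon already resolved, and confirming the chain to "Microsoft Windows Production PCA 2011" on a live host needs a Windows tool such as PowerShell's Get-AuthenticodeSignature. Comparing hash_file() output with the table above only proves identity with this exact build; a patched Windows will legitimately carry a different hash and file version.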

MIT License. Copyright (c) 2020 Strontic.