comsvcs.dll

  • File Path: C:\Windows\system32\comsvcs.dll
  • Description: COM+ Services

Hashes

Type Hash
MD5 67B51761A4BC3BD1B5367A22BA1A5B65
SHA1 88C7BD6A30CBFB069CD34B04B0844D4AABE0577C
SHA256 1AEA658899018FB370C39412BA62E3E8E8FD7A636657593530BD67005B3754B7
SHA384 5D4A90012E16872A31D5C676C4EA07CB1D33BEFB2D3A4C299F8F2E8952FAFC5765D20D7F74003D9D5615E846D40A0971
SHA512 FD5834F676519D18DE098747ECA70C516A18148369EFEDD8E7123071943E114CF23EBCFC360EF8C28403794E7ED713B243B662085FABAAB99DA59BAEA3CA34EF
SSDEEP 24576:m4yGAJkRUbm3c0cCCUO3o5VxzYTw4F+64w:mPPkR1M0lJO3mVxzYk4F+6
IMP 407CA0F7B523319D758A40D7C0193699
PESHA1 347D2C6532B66A90EC62C74D799765446099ADD7
PE256 B7FCA33B779F632076859B0F34099E88034FE3F51DD888930A849A33F3EA0EEC

DLL Exports:

Function Name Ordinal Type
GetMTAThreadPoolMetrics 19 Exported Function
GetObjectContext 21 Exported Function
GetManagedExtensions 20 Exported Function
DllRegisterServer 17 Exported Function
DllUnregisterServer 18 Exported Function
RecycleSurrogate 25 Exported Function
SafeRef 26 Exported Function
MTSCreateActivity 23 Exported Function
GetTrkSvrObject 22 Exported Function
MiniDumpW 24 Exported Function
CoLoadServices 11 Exported Function
ComSvcsExceptionFilter 12 Exported Function
CoLeaveServiceDomain 10 Exported Function
CoCreateActivity 8 Exported Function
CoEnterServiceDomain 9 Exported Function
DllCanUnloadNow 15 Exported Function
DllGetClassObject 16 Exported Function
DispManGetContext 14 Exported Function
ComSvcsLogError 13 Exported Function
CosGetCallContext 5 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: COMSVCS.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 2001.12.10941.16384 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.329
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/1aea658899018fb370c39412ba62e3e8e8fd7a636657593530bd67005b3754b7/detection/

Possible Misuse

The following table contains possible examples of comsvcs.dll being misused. While comsvcs.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump DRL 1.0
sigma godmode_sigma_rule.yml - ' comsvcs.dll,#24' # Process dumping method apart from procdump DRL 1.0
sigma godmode_sigma_rule.yml - ' comsvcs.dll MiniDump' # Process dumping method apart from procdump DRL 1.0
sigma godmode_sigma_rule.yml - ' comsvcs.dll #24' # Process dumping method apart from procdump DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml title: Lsass Memory Dump via Comsvcs DLL DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml CallTrace\|contains: 'comsvcs.dll' DRL 1.0
sigma proc_creation_win_apt_hafnium.yml - '\comsvcs.dll' DRL 1.0
sigma proc_creation_win_mal_hermetic_wiper_activity.yml - '\comsvcs.dll MiniDump ' DRL 1.0
sigma proc_creation_win_process_dump_rundll32_comsvcs.yml title: Process Dump via Rundll32 and Comsvcs.dll DRL 1.0
sigma proc_creation_win_process_dump_rundll32_comsvcs.yml description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll DRL 1.0
sigma proc_creation_win_process_dump_rundll32_comsvcs.yml - 'comsvcs.dll' DRL 1.0
sigma proc_creation_win_susp_comsvcs_procdump.yml title: Process Dump via Comsvcs DLL DRL 1.0
sigma proc_creation_win_susp_comsvcs_procdump.yml description: Detects process memory dump via comsvcs.dll and rundll32 DRL 1.0
LOLBAS comsvcs.yml Name: Comsvcs.dll  
LOLBAS comsvcs.yml - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"  
LOLBAS comsvcs.yml Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.  
LOLBAS comsvcs.yml - Path: c:\windows\system32\comsvcs.dll  
atomic-red-team index.md - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full MIT License. © 2018 Red Canary
signature-base apt_ua_hermetic_wiper.yar $sx1 = “/c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump” ascii wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.