dllhost.exe

  • File Path: C:\WINDOWS\system32\dllhost.exe
  • Description: COM Surrogate

Hashes

Type Hash
MD5 680045579134D8AD9D0400A9DBE30786
SHA1 30A89E38CAF7A4C9AA7D7047C366DF215D4724EF
SHA256 6A8F00C4BF7CE696EDEBA9E6C401FF9DD7EB59F34AF25D7EEE591B4837D67C7C
SHA384 2DD1E43D7598916C273956EA33E6A91F06E0AF3D299E71E222FCF9A8EB8F71EFDB865AA41CE3823F160546B45C80CE46
SHA512 E2C06402959D9B5F71CF010D1E5B72C0DE19FD7D592BD4FBCC2D8314103F993C9F9197C3CDEBC77A1F2E722A9A6749170CE91637FA89B4FE86A126C1791B639B
SSDEEP 384:B7tftzRB8spSrc/Wx5W9mXjDBRJMXllW3/:3tz9uc2ZXj1PMXm/

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe 41
C:\Windows\system32\backgroundTaskHost.exe 33
C:\WINDOWS\system32\backgroundTaskHost.exe 35
C:\Windows\system32\browser_broker.exe 35
C:\Windows\system32\dllhost.exe 57
C:\WINDOWS\system32\dllhst3g.exe 47
C:\Windows\system32\oobe\FirstLogonAnim.exe 40
C:\WINDOWS\system32\oobe\FirstLogonAnim.exe 41
C:\Windows\system32\prproc.exe 33
C:\WINDOWS\system32\prproc.exe 40
C:\Windows\system32\ScriptRunner.exe 35
C:\Windows\system32\SlideToShutDown.exe 35
C:\WINDOWS\system32\SlideToShutDown.exe 35
C:\WINDOWS\SysWOW64\backgroundTaskHost.exe 43
C:\Windows\SysWOW64\backgroundTaskHost.exe 35
C:\Windows\SysWOW64\CameraSettingsUIHost.exe 32
C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe 29
C:\WINDOWS\SysWOW64\dllhost.exe 43
C:\Windows\SysWOW64\dllhost.exe 35

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. dllhost.exe is not inherently malicious: as the COM Surrogate it hosts out-of-process COM servers, which is exactly why it is attractive to attackers. A registered or hijacked COM server (selected by the CLSID in dllhost.exe /Processid:{CLSID}) makes the surrogate load an arbitrary DLL under a signed Microsoft image name, so the useful signals are what dllhost.exe loads, whom it talks to and where it runs from, rather than its mere presence.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\dllhost.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\dllhost.exe' DRL 1.0
sigma file_event_win_uac_bypass_wmp.yml Image: 'C:\Windows\system32\DllHost.exe' DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\dllhost.exe' DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml title: Dllhost Internet Connection DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml description: Detects Dllhost that communicates with public IP addresses DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_cmstp_com_object_access.yml ParentImage|endswith: '\DllHost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_mal_darkside_ransomware.yml ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\dllhost.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\dllhost.exe' DRL 1.0
LOLBAS Dllhost.yml Name: Dllhost.exe  
LOLBAS Dllhost.yml - Command: dllhost.exe /Processid:{CLSID}  
LOLBAS Dllhost.yml Description: Use dllhost.exe to load a registered or hijacked COM Server payload.  
LOLBAS Dllhost.yml - Path: C:\Windows\System32\dllhost.exe  
LOLBAS Dllhost.yml - Path: C:\Windows\SysWOW64\dllhost.exe  
LOLBAS Dllhost.yml - IOC: DotNet CLR libraries loaded into dllhost.exe  
LOLBAS Dllhost.yml - IOC: DotNet CLR Usage Log - dllhost.exe.log  
LOLBAS Dllhost.yml - IOC: Suspicious network connections originating from dllhost.exe  
LOLBAS Dllhost.yml - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08  
signature-base crime_nopetya_jun17.yar $s7 = "dllhost.dat" fullword wide CC BY-NC 4.0
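The indicators in the table above can be turned into a small triage check. The script below is an added example, not code from Strontic, Sigma or LOLBAS; it runs the dllhost.exe checks those entries describe (image outside System32/SysWOW64, connection to a public IP, .NET CLR module loaded, dllhost.exe.log usage log written, explicit /Processid:{CLSID} launch and processes spawned under such a launch) over constructed Sysmon-style events. Field names follow Sysmon (Image, ParentImage, CommandLine, ParentCommandLine, DestinationIp, DestinationPort, ImageLoaded, TargetFilename); the EventType label, the sample events and the list of CLR module names are assumptions made for this example.

```python
"""Triage checks for dllhost.exe abuse, run over constructed Sysmon-style events.

Added example (not Strontic, Sigma or LOLBAS code). The checks mirror the
indicators listed on this page; EventType, SAMPLE_EVENTS and CLR_MODULES are
assumptions made for the example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# On-disk locations of the COM Surrogate given on this page (lower-cased for matching).
EXPECTED_PATHS = {
    r"c:\windows\system32\dllhost.exe",
    r"c:\windows\syswow64\dllhost.exe",
}

# LOLBAS lists "DotNet CLR libraries loaded into dllhost.exe" as an IOC; this set of
# module names is an assumption (common .NET runtime binaries), not from the page.
CLR_MODULES = {"clr.dll", "mscoree.dll", "mscoreei.dll", "clrjit.dll"}

# The LOLBAS invocation: dllhost.exe /Processid:{CLSID}
CLSID_RE = re.compile(
    r"/processid:\s*\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.IGNORECASE
)


def is_public_ip(addr: str) -> bool:
    """True for routable addresses; RFC1918, loopback, link-local etc. are excluded."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings: List[str] = []
    image = event.get("Image", "")
    kind = event.get("EventType", "")

    # Children of an explicit /Processid launch (the DarkSide rule keys on
    # ParentCommandLine) are caught even though Image is not dllhost.exe itself.
    parent_match = CLSID_RE.search(event.get("ParentCommandLine", ""))
    if kind == "ProcessCreate" and parent_match:
        findings.append(
            f"child of dllhost.exe /Processid:{{{parent_match.group(1).upper()}}}: {basename(image)}"
        )

    if basename(image) != "dllhost.exe":
        return findings

    # proc_creation_win_system_exe_anomaly: a system binary name outside its home directories.
    if image.lower() not in EXPECTED_PATHS:
        findings.append(f"dllhost.exe outside System32/SysWOW64: {image}")

    if kind == "ProcessCreate":
        m = CLSID_RE.search(event.get("CommandLine", ""))
        if m:  # also fires for legitimate DCOM launches; the CLSID is the pivot to resolve
            findings.append(f"explicit COM server host: /Processid:{{{m.group(1).upper()}}}")
    elif kind == "NetworkConnect":  # net_connection_win_dllhost_net_connections
        dst = event.get("DestinationIp", "")
        if is_public_ip(dst):
            findings.append(f"dllhost.exe connected to public IP {dst}:{event.get('DestinationPort', '?')}")
    elif kind == "ImageLoad":  # LOLBAS IOC: CLR libraries loaded into dllhost.exe
        mod = basename(event.get("ImageLoaded", ""))
        if mod in CLR_MODULES:
            findings.append(f".NET CLR loaded into dllhost.exe: {mod}")
    elif kind == "FileCreate":  # LOLBAS IOC: CLR usage log dllhost.exe.log
        if basename(event.get("TargetFilename", "")) == "dllhost.exe.log":
            findings.append("CLR usage log written: dllhost.exe.log")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Evaluate every event and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in evaluate(ev)]


# Constructed sample telemetry for the example; not captured from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "ProcessCreate", "Image": r"C:\WINDOWS\system32\dllhost.exe",
     "ParentImage": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\system32\dllhost.exe",
     "ParentCommandLine": r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventType": "NetworkConnect", "Image": r"C:\WINDOWS\system32\dllhost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "443"},
    {"EventType": "NetworkConnect", "Image": r"C:\WINDOWS\system32\dllhost.exe",
     "DestinationIp": "10.1.2.3", "DestinationPort": "135"},
    {"EventType": "ImageLoad", "Image": r"C:\WINDOWS\system32\dllhost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\dllhost.exe",
     "CommandLine": "dllhost.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Every legitimate surrogate launch also carries /Processid:{CLSID} (the DcomLaunch service in svchost.exe starts dllhost.exe that way), so that finding is a pivot rather than a verdict: resolve the CLSID under HKCR\CLSID\{...}\InprocServer32 and check whether the DLL it points to is signed and lives where you expect. The public-IP, CLR-load and off-path findings are the ones worth alerting on by themselves, which matches how the Sigma rules in the table are scoped.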

MIT License. Copyright (c) 2020-2021 Strontic.