dllhost.exe

  • File Path: C:\Windows\SysWOW64\dllhost.exe
  • Description: COM Surrogate

Hashes

| Type | Hash |
|---|---|
| MD5 | 6F3C9485F8F97AC04C8E43EF4463A68C |
| SHA1 | 497B8CE238DB644B7E1A16B417DBB5BC052A2684 |
| SHA256 | 3ED69CAAB035258E008EFBCF40DB305891B40BA02CA2737E20DEFA7C2D4AFAF7 |
| SHA384 | 825CC484BCFF8DA9E29239B5401C828729E1ECB784A1C887FC2A18D7B48B09D9F9F774C397753519396046F4680107CE |
| SHA512 | DBB04F0D2AA4AC2C234B08125564F8F9F790B115E0C5B3F3765ED3C20F3CFD24D6110AF04FEB1837E77DA84524180A85CC9B6802F9ACFBD8809B052221A04EA7 |
| SSDEEP | 384:bWHTVQyztcEUJnPjz2M2ucqWw5WG+GOxr6wDDBRJcoTCTlJSBA:bqKyxcEUR2rucs5Ar6wD1PFC6G |
| IMP | B6A6C5247EFBD2610E3DEA44649D7041 |
| PESHA1 | 2B27B79FFA64C9305AD074513EE51AEDA9A9FD23 |
| PE256 | 7C06EE399035352594D2C16EBEF24098BAB91577A4DE2D38332A49AC52E6AFB5 |

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\dllhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/3ed69caab035258e008efbcf40db305891b40ba02ca2737e20defa7c2d4afaf7/detection

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll | 40 |
| C:\Windows\system32\DeviceCensus.exe | 32 |
| C:\Windows\system32\LocationFrameworkPS.dll | 30 |
| C:\Windows\system32\migwiz\migres.dll | 33 |
| C:\Windows\system32\oobe\diagER.dll | 32 |
| C:\Windows\system32\ResetEngine.exe | 33 |
| C:\Windows\system32\ResetEngine.exe | 29 |
| C:\Windows\system32\ScriptRunner.exe | 36 |
| C:\Windows\system32\ScriptRunner.exe | 32 |
| C:\Windows\system32\WerEnc.dll | 35 |
| C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe | 33 |
| C:\Windows\SysWOW64\backgroundTaskHost.exe | 33 |
| C:\Windows\SysWOW64\dllhost.exe | 63 |
| C:\Windows\SysWOW64\dllhst3g.exe | 58 |
| C:\Windows\SysWOW64\WerEnc.dll | 35 |

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | file_event_win_susp_adsi_cache_usage.yml | - 'C:\windows\system32\dllhost.exe' | DRL 1.0 |
| sigma | file_event_win_uac_bypass_wmp.yml | Image: 'C:\Windows\system32\DllHost.exe' | DRL 1.0 |
| sigma | image_load_suspicious_vss_ps_load.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | title: Dllhost Internet Connection | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | description: Detects Dllhost that communicates with public IP addresses | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | Image\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_apt_unc2452_cmds.yml | Image\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_cmstp_com_object_access.yml | ParentImage\|endswith: '\DllHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | ParentImage\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_mal_darkside_ransomware.yml | ParentCommandLine\|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\dllhost.exe' | DRL 1.0 |
| LOLBAS | Dllhost.yml | Name: Dllhost.exe | |
| LOLBAS | Dllhost.yml | - Command: dllhost.exe /Processid:{CLSID} | |
| LOLBAS | Dllhost.yml | Description: Use dllhost.exe to load a registered or hijacked COM Server payload. | |
| LOLBAS | Dllhost.yml | - Path: C:\Windows\System32\dllhost.exe | |
| LOLBAS | Dllhost.yml | - Path: C:\Windows\SysWOW64\dllhost.exe | |
| LOLBAS | Dllhost.yml | - IOC: DotNet CLR libraries loaded into dllhost.exe | |
| LOLBAS | Dllhost.yml | - IOC: DotNet CLR Usage Log - dllhost.exe.log | |
| LOLBAS | Dllhost.yml | - IOC: Suspicious network connections originating from dllhost.exe | |
| LOLBAS | Dllhost.yml | - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 | |
| signature-base | crime_nopetya_jun17.yar | $s7 = "dllhost.dat" fullword wide | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.