dllhost.exe

  • File Path: C:\Windows\SysWOW64\dllhost.exe
  • Description: COM Surrogate

Hashes

Type     Hash
MD5      B5A6D2FB3F4521C37D613DE52AB3467D
SHA1     ACCEC11EA57BF2260D9C31C2C32D01CCA940E3D6
SHA256   F95B7BA752C6452DA9D83F84CA7307AE079D220718BCB2BABF145903BAC894DD
SHA384   C57856474AD5B0067A6576726CB0699C5E0B0EBC5EF67EBE103D9AA6916067E349C6D50E704CA88C897300459A4E5792
SHA512   FBE13C39C6FC6CD8653F3BCE97F36104D2457F62574336A4E5FFEA0FC51A9D3FBBE657AEA8CF037F492AE4983B2141E116235208EBBBA3CB55F9C291ACB6641E
SSDEEP   384:3bme1zCcDlan3MNcyWL5W6RmXjDBRJadWJZ6lPUs2L:K0XBe3MNc/doXj1PaWb
IMP      FB1328DBA53A95E7775F51164B2E5AEB
PESHA1   488EDC7DD3B05021B69B3AF76702CAEAD44C9E34
PE256    1D4128888B571B4DF5E627BAF56E2D6254D43CFC3D08BD94795EFE882AF0EFD3

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/f95b7ba752c6452da9d83f84ca7307ae079d220718bcb2babf145903bac894dd/detection/

File Similarity (ssdeep match)

File                                                                    Score
C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe   30
C:\Windows\system32\backgroundTaskHost.exe                              35
C:\WINDOWS\system32\backgroundTaskHost.exe                              30
C:\Windows\system32\browser_broker.exe                                  30
C:\WINDOWS\system32\dllhost.exe                                         35
C:\Windows\system32\dllhost.exe                                         46
C:\Windows\system32\oobe\FirstLogonAnim.exe                             32
C:\WINDOWS\system32\oobe\FirstLogonAnim.exe                             38
C:\Windows\system32\prproc.exe                                          30
C:\WINDOWS\system32\prproc.exe                                          29
C:\Windows\system32\ScriptRunner.exe                                    32
C:\Windows\system32\SlideToShutDown.exe                                 32
C:\WINDOWS\system32\SlideToShutDown.exe                                 33
C:\WINDOWS\SysWOW64\backgroundTaskHost.exe                              30
C:\Windows\SysWOW64\backgroundTaskHost.exe                              36
C:\Windows\SysWOW64\CameraSettingsUIHost.exe                            29
C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe                            29
C:\WINDOWS\SysWOW64\dllhost.exe                                         36

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source          Source File                                         Example                                                                                          License
sigma           file_event_win_creation_system_file.yml             - '\dllhost.exe'                                                                                 DRL 1.0
sigma           file_event_win_susp_adsi_cache_usage.yml            - 'C:\windows\system32\dllhost.exe'                                                              DRL 1.0
sigma           file_event_win_uac_bypass_wmp.yml                   Image: 'C:\Windows\system32\DllHost.exe'                                                         DRL 1.0
sigma           image_load_suspicious_vss_ps_load.yml               - '\dllhost.exe'                                                                                 DRL 1.0
sigma           net_connection_win_dllhost_net_connections.yml      title: Dllhost Internet Connection                                                               DRL 1.0
sigma           net_connection_win_dllhost_net_connections.yml      description: Detects Dllhost that communicates with public IP addresses                          DRL 1.0
sigma           net_connection_win_dllhost_net_connections.yml      Image|endswith: '\dllhost.exe'                                                                   DRL 1.0
sigma           proc_creation_win_apt_unc2452_cmds.yml              Image|endswith: '\dllhost.exe'                                                                   DRL 1.0
sigma           proc_creation_win_cmstp_com_object_access.yml       ParentImage|endswith: '\DllHost.exe'                                                             DRL 1.0
sigma           proc_creation_win_cobaltstrike_process_patterns.yml ParentImage|endswith: '\dllhost.exe'                                                             DRL 1.0
sigma           proc_creation_win_mal_darkside_ransomware.yml       ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'      DRL 1.0
sigma           proc_creation_win_script_event_consumer_spawn.yml   - '\dllhost.exe'                                                                                 DRL 1.0
sigma           proc_creation_win_system_exe_anomaly.yml            - '\dllhost.exe'                                                                                 DRL 1.0
LOLBAS          Dllhost.yml                                         Name: Dllhost.exe
LOLBAS          Dllhost.yml                                         - Command: dllhost.exe /Processid:{CLSID}
LOLBAS          Dllhost.yml                                         Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
LOLBAS          Dllhost.yml                                         - Path: C:\Windows\System32\dllhost.exe
LOLBAS          Dllhost.yml                                         - Path: C:\Windows\SysWOW64\dllhost.exe
LOLBAS          Dllhost.yml                                         - IOC: DotNet CLR libraries loaded into dllhost.exe
LOLBAS          Dllhost.yml                                         - IOC: DotNet CLR Usage Log - dllhost.exe.log
LOLBAS          Dllhost.yml                                         - IOC: Suspicious network connectings originating from dllhost.exe
LOLBAS          Dllhost.yml                                         - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
signature-base  crime_nopetya_jun17.yar                             $s7 = "dllhost.dat" fullword wide                                                                CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.