dllhost.exe

  • File Path: C:\Windows\system32\dllhost.exe
  • Description: COM Surrogate

Hashes

Type Hash
MD5 D2AB39EA2C0FCD172751F84BDA723A97
SHA1 DCE2AF90E45FB9FC05ECBC9BEDDEE53FB66F3C6D
SHA256 C4E078607DB2784BE7761C86048DFFA6F3EF04B551354A32FCDEC3B6A3450905
SHA384 CCC1F0E8A510FD05AB9BBFCD47454760C85FCC926C2563853DEDC9873E78CE0F13FCCEF52081A654B90EC5ED9A93DADD
SHA512 2EBDF10D0052507DDBC6E1E1190488CB55A206B6911055EC6C96B013A40512DEF75E01E701B6413BAC38737EC2ED65FF2A731AFAA86D5662D4EA33F592ED641C
SSDEEP 384:1fL7t7tzRB8sdDNacPWL5WjmXjDBRJ9olLRPpt:1fltzRhacQrXj1PY
IMP 68E651F131674892AE7E46556EB24726
PESHA1 4436AAF849CB924FB521EC14365AD6E9C4F7A94B
PE256 993991710080440F1678B9A877B554F7C7A21349A42D0173557E1B0A94A491FE

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/c4e078607db2784be7761c86048dffa6f3ef04b551354a32fcdec3b6a3450905/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe 35
C:\Windows\system32\backgroundTaskHost.exe 36
C:\WINDOWS\system32\backgroundTaskHost.exe 32
C:\Windows\system32\browser_broker.exe 33
C:\WINDOWS\system32\dllhost.exe 57
C:\Windows\system32\dllhst3g.exe 49
C:\Windows\system32\oobe\FirstLogonAnim.exe 35
C:\WINDOWS\system32\oobe\FirstLogonAnim.exe 40
C:\Windows\system32\prproc.exe 33
C:\WINDOWS\system32\prproc.exe 32
C:\Windows\system32\ScriptRunner.exe 33
C:\Windows\system32\SlideToShutDown.exe 29
C:\WINDOWS\system32\SlideToShutDown.exe 35
C:\WINDOWS\SysWOW64\backgroundTaskHost.exe 32
C:\Windows\SysWOW64\backgroundTaskHost.exe 38
C:\Windows\SysWOW64\CameraSettingsUIHost.exe 32
C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe 32
C:\WINDOWS\SysWOW64\dllhost.exe 38
C:\Windows\SysWOW64\dllhost.exe 46

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\dllhost.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\dllhost.exe' DRL 1.0
sigma file_event_win_uac_bypass_wmp.yml Image: 'C:\Windows\system32\DllHost.exe' DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\dllhost.exe' DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml title: Dllhost Internet Connection DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml description: Detects Dllhost that communicates with public IP addresses DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_cmstp_com_object_access.yml ParentImage|endswith: '\DllHost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_mal_darkside_ransomware.yml ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\dllhost.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\dllhost.exe' DRL 1.0
LOLBAS Dllhost.yml Name: Dllhost.exe
LOLBAS Dllhost.yml - Command: dllhost.exe /Processid:{CLSID}
LOLBAS Dllhost.yml Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
LOLBAS Dllhost.yml - Path: C:\Windows\System32\dllhost.exe
LOLBAS Dllhost.yml - Path: C:\Windows\SysWOW64\dllhost.exe
LOLBAS Dllhost.yml - IOC: DotNet CLR libraries loaded into dllhost.exe
LOLBAS Dllhost.yml - IOC: DotNet CLR Usage Log - dllhost.exe.log
LOLBAS Dllhost.yml - IOC: Suspicious network connections originating from dllhost.exe
LOLBAS Dllhost.yml - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
signature-base crime_nopetya_jun17.yar $s7 = "dllhost.dat" fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.