Windows Analysis Report
dllhost.exe

Overview

General Information

Sample name:dllhost.exe
Analysis ID:1431562
MD5:0a9ba6af531afe7fa5e4fb973852d863
SHA1:5d0b0222b0f37a85d64b9283611e940313e21348
SHA256:8a8116429189d631fc00596278c92a363ec734f0cde76f52c7456fdc9c56e384
Detection

Score:21
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: System File Execution Location Anomaly
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • dllhost.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\dllhost.exe" MD5: 0A9BA6AF531AFE7FA5E4FB973852D863)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
Data:
  • Command: "C:\Users\user\Desktop\dllhost.exe"
  • CommandLine: "C:\Users\user\Desktop\dllhost.exe"
  • CommandLine|base64offset|contains:
  • Image: C:\Users\user\Desktop\dllhost.exe
  • NewProcessName: C:\Users\user\Desktop\dllhost.exe
  • OriginalFileName: C:\Users\user\Desktop\dllhost.exe
  • ParentCommandLine:
  • ParentImage:
  • ParentProcessId: 4380
  • ProcessCommandLine: "C:\Users\user\Desktop\dllhost.exe"
  • ProcessId: 6248
  • ProcessName: dllhost.exe
No Snort rule has matched

Source: dllhost.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: dllhost.exe; Binary string: dllhost.pdb
Source: classification engine; Classification label: sus21.winEXE@1/0@0/0
Source: dllhost.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dllhost.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dllhost.exe; Section loaded: apphelp.dll
Source: dllhost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix

Tactic | Technique (matched signature count in parentheses)
Reconnaissance | Gather Victim Identity Information
Resource Development | Acquire Infrastructure
Initial Access | Valid Accounts
Execution | Windows Management Instrumentation
Persistence | DLL Side-Loading (1)
Privilege Escalation | DLL Side-Loading (1)
Defense Evasion | DLL Side-Loading (1)
Credential Access | OS Credential Dumping
Discovery | System Information Discovery (1)
Lateral Movement | Remote Services
Collection | Data from Local System
Command and Control | Data Obfuscation
Exfiltration | Exfiltration Over Other Network Medium
Impact | Abuse Accessibility Features

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
dllhost.exe | 0% | ReversingLabs |
dllhost.exe | 1% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431562
Start date and time:2024-04-25 13:11:57 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:dllhost.exe
Detection:SUS
Classification:sus21.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.714421863047094
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dllhost.exe
File size:5'120 bytes
MD5:0a9ba6af531afe7fa5e4fb973852d863
SHA1:5d0b0222b0f37a85d64b9283611e940313e21348
SHA256:8a8116429189d631fc00596278c92a363ec734f0cde76f52c7456fdc9c56e384
SHA512:1fb8c0f37292ba59ec78344507e41de341bc877edb40e9e77959b5badf62af05034bb9e6969fefc0b2f1236373cb9963c145663c92757193d3025967d2393d13
SSDEEP:96:oCti1ouW2maxZmO2w22NU/Mn3gnI/rEWLQaXpWwG:oC8ouWDimO2fZMnwnI/wWLT5W
TLSH:47B1C6139BAE8D2CF8A20770253E2B63A42ABA304B65539F9157626E3DB5581CC70737
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.An3.An3.A.<.Ao3.An3.AM3.A.<.Ai3.A.<.Aa3.A.<.Ao3.A.<.Al3.A.<.Ao3.ARichn3.A................PE..L...eQ.H...................
Icon Hash:90cececece8e8eb0
Entrypoint:0x100143c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x48025165 [Sun Apr 13 18:31:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:4ff1f68ccd29a7b7095c4514d9d1011d
Instruction
push 00000070h
push 010010B8h
call 00007FEF211A148Dh
xor ebx, ebx
push ebx
mov edi, dword ptr [01001008h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FEF211A12B1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FEF211A12A4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FEF211A12B1h
cmp eax, 0000020Bh
je 00007FEF211A1297h
mov dword ptr [ebp-1Ch], ebx
jmp 00007FEF211A12B9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FEF211A1284h
xor eax, eax
cmp dword ptr [ecx+000000F8h], ebx
jmp 00007FEF211A12A0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FEF211A1274h
xor eax, eax
cmp dword ptr [ecx+000000E8h], ebx
setne al
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [01001048h]
pop ecx
or dword ptr [01002030h], FFFFFFFFh
or dword ptr [01002034h], FFFFFFFFh
call dword ptr [0100104Ch]
mov ecx, dword ptr [0100202Ch]
mov dword ptr [eax], ecx
call dword ptr [01001050h]
mov ecx, dword ptr [01002028h]
mov dword ptr [eax], ecx
mov eax, dword ptr [01001054h]
mov eax, dword ptr [eax]
mov dword ptr [01002038h], eax
call 00007FEF211A13DFh
cmp dword ptr [0100201Ch], ebx
jne 00007FEF211A129Eh
push 01001636h
call dword ptr [01001058h]
pop ecx
call 00007FEF211A13AFh
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16b0 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x3d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1090 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10c8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x250 | 0x44 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x90 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Section .text
  • Virtual Address:0x1000
  • Virtual Size:0x9f6
  • Raw Size:0xa00
  • MD5:15a911535a0661dee75e3e277cfd669d
  • Xored PE:False
  • ZLIB Complexity:0.684765625
  • File Type:data
  • Entropy:6.167483148276392
  • Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Section .data
  • Virtual Address:0x2000
  • Virtual Size:0x3c
  • Raw Size:0x200
  • MD5:1b87fa2b9d8767271a0a79f001925632
  • Xored PE:False
  • ZLIB Complexity:0.0625
  • File Type:Matlab v4 mat-file (little endian), numeric, rows 16782001, columns 0
  • Entropy:0.19586940608732903
  • Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Section .rsrc
  • Virtual Address:0x3000
  • Virtual Size:0x3d8
  • Raw Size:0x400
  • MD5:83956140f8104b936854f316092a5fdc
  • Xored PE:False
  • ZLIB Complexity:0.4365234375
  • File Type:data
  • Entropy:3.300476873219901
  • Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3060 | 0x374 | data | English | United States | 0.4683257918552036
Imports

msvcrt.dll: _controlfp, _except_handler3, _c_exit, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit
KERNEL32.dll: TerminateProcess, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, lstrcmpiA, MultiByteToWideChar, GetCurrentProcess, lstrlenA
ole32.dll: CoRegisterSurrogateEx, CoInitializeEx, CLSIDFromString, CoUninitialize
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:13:12:28
Start date:25/04/2024
Path:C:\Users\user\Desktop\dllhost.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\dllhost.exe"
Imagebase:0x1000000
File size:5'120 bytes
MD5 hash:0A9BA6AF531AFE7FA5E4FB973852D863
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly