Windows
Analysis Report
dllhost.exe
Overview
General Information
Detection
Score: | 21 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- dllhost.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\dllhost.exe" MD5: 0A9BA6AF531AFE7FA5E4FB973852D863)
- cleanup
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 1% | Virustotal | | Browse |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431562 |
Start date and time: | 2024-04-25 13:11:57 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | dllhost.exe |
Detection: | SUS |
Classification: | sus21.winEXE@1/0@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 4.714421863047094 |
TrID: | |
File name: | dllhost.exe |
File size: | 5'120 bytes |
MD5: | 0a9ba6af531afe7fa5e4fb973852d863 |
SHA1: | 5d0b0222b0f37a85d64b9283611e940313e21348 |
SHA256: | 8a8116429189d631fc00596278c92a363ec734f0cde76f52c7456fdc9c56e384 |
SHA512: | 1fb8c0f37292ba59ec78344507e41de341bc877edb40e9e77959b5badf62af05034bb9e6969fefc0b2f1236373cb9963c145663c92757193d3025967d2393d13 |
SSDEEP: | 96:oCti1ouW2maxZmO2w22NU/Mn3gnI/rEWLQaXpWwG:oC8ouWDimO2fZMnwnI/wWLT5W |
TLSH: | 47B1C6139BAE8D2CF8A20770253E2B63A42ABA304B65539F9157626E3DB5581CC70737 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.An3.An3.A.<.Ao3.An3.AM3.A.<.Ai3.A.<.Aa3.A.<.Ao3.A.<.Al3.A.<.Ao3.ARichn3.A................PE..L...eQ.H................... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x100143c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x48025165 [Sun Apr 13 18:31:01 2008 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 4ff1f68ccd29a7b7095c4514d9d1011d |
Instruction |
---|
push 00000070h |
push 010010B8h |
call 00007FEF211A148Dh |
xor ebx, ebx |
push ebx |
mov edi, dword ptr [01001008h] |
call edi |
cmp word ptr [eax], 5A4Dh |
jne 00007FEF211A12B1h |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
cmp dword ptr [ecx], 00004550h |
jne 00007FEF211A12A4h |
movzx eax, word ptr [ecx+18h] |
cmp eax, 0000010Bh |
je 00007FEF211A12B1h |
cmp eax, 0000020Bh |
je 00007FEF211A1297h |
mov dword ptr [ebp-1Ch], ebx |
jmp 00007FEF211A12B9h |
cmp dword ptr [ecx+00000084h], 0Eh |
jbe 00007FEF211A1284h |
xor eax, eax |
cmp dword ptr [ecx+000000F8h], ebx |
jmp 00007FEF211A12A0h |
cmp dword ptr [ecx+74h], 0Eh |
jbe 00007FEF211A1274h |
xor eax, eax |
cmp dword ptr [ecx+000000E8h], ebx |
setne al |
mov dword ptr [ebp-1Ch], eax |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [01001048h] |
pop ecx |
or dword ptr [01002030h], FFFFFFFFh |
or dword ptr [01002034h], FFFFFFFFh |
call dword ptr [0100104Ch] |
mov ecx, dword ptr [0100202Ch] |
mov dword ptr [eax], ecx |
call dword ptr [01001050h] |
mov ecx, dword ptr [01002028h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [01001054h] |
mov eax, dword ptr [eax] |
mov dword ptr [01002038h], eax |
call 00007FEF211A13DFh |
cmp dword ptr [0100201Ch], ebx |
jne 00007FEF211A129Eh |
push 01001636h |
call dword ptr [01001058h] |
pop ecx |
call 00007FEF211A13AFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16b0 | 0x50 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x3d8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1090 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10c8 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x250 | 0x44 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x90 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x9f6 | 0xa00 | 15a911535a0661dee75e3e277cfd669d | False | 0.684765625 | data | 6.167483148276392 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x2000 | 0x3c | 0x200 | 1b87fa2b9d8767271a0a79f001925632 | False | 0.0625 | Matlab v4 mat-file (little endian) , numeric, rows 16782001, columns 0 | 0.19586940608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3000 | 0x3d8 | 0x400 | 83956140f8104b936854f316092a5fdc | False | 0.4365234375 | data | 3.300476873219901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x3060 | 0x374 | data | English | United States | 0.4683257918552036 |
DLL | Import |
---|---|
msvcrt.dll | _controlfp, _except_handler3, _c_exit, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit |
KERNEL32.dll | TerminateProcess, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, lstrcmpiA, MultiByteToWideChar, GetCurrentProcess, lstrlenA |
ole32.dll | CoRegisterSurrogateEx, CoInitializeEx, CLSIDFromString, CoUninitialize |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 13:12:28 |
Start date: | 25/04/2024 |
Path: | C:\Users\user\Desktop\dllhost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1000000 |
File size: | 5'120 bytes |
MD5 hash: | 0A9BA6AF531AFE7FA5E4FB973852D863 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |