Windows Analysis Report
dllhost.exe

Overview

General Information

Sample name: dllhost.exe
Analysis ID: 1561842
MD5: 7549250ca5b7f98a08707dea4ffb06fc
SHA1: 5cc5fa87159c1f3d49fc262318e1d473deee1908
SHA256: d90bf2a4dda2e45cf2406dec9e3252487029347d239121a388675cd7580f2f53
Tags: exemineruser-Niki

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected VMProtect packer
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instruction (VM detection)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: dllhost.exe Avira: detected
Source: dllhost.exe ReversingLabs: Detection: 87%
Source: dllhost.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 5480, type: MEMORYSTR
Source: dllhost.exe String found in binary or memory: new job from stratum+tcp://
Source: dllhost.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dllhost.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDF85C FindFirstFileW,FindClose, 0_2_00FDF85C
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDF278 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_00FDF278
Source: dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://online.drweb.com/result/
Source: dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, dllhost.exe, 00000000.00000003.1682531825.0000000003530000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/

System Summary

Source: dllhost.exe Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDD7F0 0_2_00FDD7F0
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014AD87F 0_2_014AD87F
Source: C:\Users\user\Desktop\dllhost.exe Code function: String function: 014A9648 appears 35 times
Source: dllhost.exe Static PE information: Number of sections : 13 > 10
Source: dllhost.exe, 00000000.00000002.1685545668.0000000001CB7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7za.exe, vs dllhost.exe
Source: dllhost.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.evad.mine.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFA10C GetDiskFreeSpaceW, 0_2_00FFA10C
Source: C:\Users\user\Desktop\dllhost.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\dllhost.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dllhost.exe ReversingLabs: Detection: 87%
Source: dllhost.exe String found in binary or memory: -Installation run additional miner, changed name exename
Source: dllhost.exe String found in binary or memory: ISO_6937-2-add
Source: dllhost.exe String found in binary or memory: -STOPPING:
Source: dllhost.exe String found in binary or memory: -STARTING:
Source: dllhost.exe String found in binary or memory: NATS-SEFI-ADD
Source: dllhost.exe String found in binary or memory: NATS-DANO-ADD
Source: dllhost.exe String found in binary or memory: -Installed today.
Source: dllhost.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: dllhost.exe String found in binary or memory: jp-ocr-b-add
Source: dllhost.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: dllhost.exe String found in binary or memory: jp-ocr-hand-add
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\dllhost.exe Section loaded: sspicli.dll
Source: dllhost.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dllhost.exe Static file information: File size 6231040 > 1048576
Source: dllhost.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5e2c00
Source: dllhost.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014B079B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_014B079B
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: dllhost.exe Static PE information: section name: .didata
Source: dllhost.exe Static PE information: section name: .vmp0
Source: dllhost.exe Static PE information: section name: .vmp1
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100A000 push ecx; mov dword ptr [esp], eax 0_2_0100A001
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100A030 push ecx; mov dword ptr [esp], eax 0_2_0100A031
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFC174 push ecx; mov dword ptr [esp], ecx 0_2_00FFC175
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0105436C push ecx; mov dword ptr [esp], eax 0_2_0105436E
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFC268 push ecx; mov dword ptr [esp], ecx 0_2_00FFC269
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100E248 push ecx; mov dword ptr [esp], edx 0_2_0100E24A
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100E28C push ecx; mov dword ptr [esp], edx 0_2_0100E28E
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFA36C push ecx; mov dword ptr [esp], ecx 0_2_00FFA370
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100E2B4 push ecx; mov dword ptr [esp], eax 0_2_0100E2B5
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFA330 push ecx; mov dword ptr [esp], ecx 0_2_00FFA333
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100E540 push ecx; mov dword ptr [esp], edx 0_2_0100E541
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01031540 push ecx; mov dword ptr [esp], edx 0_2_01031541
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0101A55C push ecx; mov dword ptr [esp], ecx 0_2_0101A55F
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0101643C push ecx; mov dword ptr [esp], eax 0_2_0101643D
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01016454 push ecx; mov dword ptr [esp], eax 0_2_01016455
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_010324D8 push ecx; mov dword ptr [esp], eax 0_2_010324DA
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01013764 push ecx; mov dword ptr [esp], edx 0_2_01013767
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FE0604 push ecx; mov dword ptr [esp], eax 0_2_00FE0609
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FE18C0 push ecx; mov dword ptr [esp], edx 0_2_00FE18C1
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01016850 push ecx; mov dword ptr [esp], eax 0_2_01016851
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FD7938 push ecx; mov dword ptr [esp], eax 0_2_00FD7939
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0100E8D0 push ecx; mov dword ptr [esp], edx 0_2_0100E8D2
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01023A34 push ecx; mov dword ptr [esp], edx 0_2_01023A35
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FF8B74 push ecx; mov dword ptr [esp], ecx 0_2_00FF8B78
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01032D10 push ecx; mov dword ptr [esp], eax 0_2_01032D11
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01032D30 push ecx; mov dword ptr [esp], eax 0_2_01032D31
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0104FC70 push ecx; mov dword ptr [esp], ecx 0_2_0104FC74
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FF9EDC push ecx; mov dword ptr [esp], eax 0_2_00FF9EDF
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDCE48 push ecx; mov dword ptr [esp], edx 0_2_00FDCE49
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_01054FC8 push ecx; mov dword ptr [esp], edx 0_2_01054FC9
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFBFAC push ecx; mov dword ptr [esp], ecx 0_2_00FFBFAF

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\dllhost.exe Memory written: PID: 5480 base: 910007 value: E9 EB DF 62 76
Source: C:\Users\user\Desktop\dllhost.exe Memory written: PID: 5480 base: 76F3DFF0 value: E9 1E 20 9D 89
Source: C:\Users\user\Desktop\dllhost.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: dllhost.exe, dllhost.exe, 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\dllhost.exe RDTSC instruction interceptor: First address: 1C85E56 second address: 1C85E62 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 pop ecx 0x00000004 cwde 0x00000005 cmovb di, bx 0x00000009 xchg dh, bh 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dllhost.exe RDTSC instruction interceptor: First address: 14F9F7D second address: 14F9F89 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 pop ecx 0x00000004 cwde 0x00000005 cmovb di, bx 0x00000009 xchg dh, bh 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dllhost.exe Special instruction interceptor: First address: 1C88680 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\dllhost.exe API coverage: 7.7 %
Source: C:\Users\user\Desktop\dllhost.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDF85C FindFirstFileW,FindClose, 0_2_00FDF85C
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FDF278 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_00FDF278
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_0102FF9C GetSystemInfo, 0_2_0102FF9C
Source: dllhost.exe, 00000000.00000002.1683417497.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\dllhost.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\dllhost.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dllhost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dllhost.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014A9149 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_014A9149
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014B079B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_014B079B
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FD7238 GetProcessHeap,HeapFree, 0_2_00FD7238
Source: C:\Users\user\Desktop\dllhost.exe Process token adjusted: Debug
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014AE696 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_014AE696
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_014A7F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_014A7F58
Source: C:\Users\user\Desktop\dllhost.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_00FDF9B4
Source: C:\Users\user\Desktop\dllhost.exe Code function: EnumSystemLocalesW, 0_2_010045EC
Source: C:\Users\user\Desktop\dllhost.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FDEE14
Source: C:\Users\user\Desktop\dllhost.exe Code function: GetLocaleInfoW, 0_2_00FFEF8C
Source: C:\Users\user\Desktop\dllhost.exe Code function: GetLocaleInfoA, 0_2_014AFA65
Source: C:\Users\user\Desktop\dllhost.exe Code function: 0_2_00FFC7D4 GetLocalTime, 0_2_00FFC7D4
No contacted IP infos