conhost[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

conhost.exe
Size

805KB
MD5

fda681bc1de6819e418cac520a863c33
SHA1

3e10874ff7498ed10ff091d38bb81acb4ea3e48b
SHA256

870777b9392fa4f8d6f06961ea58a4aba8784b68e3e2ef05bc97a29ef3ac1783
SHA512

53d746c9d671b2168fe0dc840c41a9d7815c6d196e748f4a2c368ff31480b2ca64aa15c04b264894e01a4fd92ba578e6e3e6fce2aaef7e2528e7b5991bed4231
SSDEEP

12288:1VxDfUEs4ZtABiOsGc31wBmbZTxGULAE4lxftJ0YHlYhTK2toozsGPj:1L8EskeIlF9FTxGULRS70YFYhTKVt+j

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
conhost.exe

Files

conhost.exe
.exe windows x64

76923aa1bf85799f169fc2a8bb03894a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

_Mtx_lock
?_Xbad_function_call@std@@YAXXZ
?_Throw_C_error@std@@YAXH@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_unlock
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_c_exit
_initterm_e
_initterm

api-ms-win-crt-string-l1-1-0

wcsncmp
memset
wcscmp
wcsnlen

api-ms-win-crt-private-l1-1-0

_o__get_wide_winmain_command_line
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itoa_s
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
memmove
_o__wcsicmp
_o__wcsnicmp
_o_atoi
_o_calloc
_o_exit
_o_free
_o_iswspace
_o_malloc
_o_sqrt
_o_terminate
_o_towlower
_o_towupper
_o_wcscpy_s
_o_wcstol
_o_wcstoul
_o_wmemcpy_s
__C_specific_handler
_CxxThrowException
_o__configure_wide_argv
_o__configthreadlocale
_o__exit
_o__cexit
_o__callnewh
_o__errno
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcschr
_o__crt_atexit
__std_terminate
__CxxFrameHandler3
memcmp
memcpy

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExW
LockResource
FindResourceExW
LoadStringW
GetModuleHandleW
GetProcAddress
GetModuleHandleExW
GetModuleFileNameW
LoadResource
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ReleaseSRWLockExclusive
OpenSemaphoreW
ReleaseMutex
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
InitializeCriticalSection
CreateEventW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EnterCriticalSection
CreateSemaphoreExW
WaitForSingleObject
TryEnterCriticalSection
CreateEventExW
ReleaseSemaphore
InitializeCriticalSectionEx
SetEvent
ResetEvent
CreateMutexExW
LeaveCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetCurrentThreadId
GetStartupInfoW
OpenProcessToken
CreateProcessW
UpdateProcThreadAttribute
GetCurrentProcessId
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
GetCurrentThread
CreateThread
SetProcessShutdownParameters
ExitThread

api-ms-win-core-localization-l1-2-0

GetACP
FormatMessageW
GetCPInfo
IsValidCodePage
GetOEMCP

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent
OutputDebugStringA

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-file-l1-1-0

WriteFile
ReadFile

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer
DeleteTimerQueueEx
CreateTimerQueue

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
GetStdHandle
SearchPathW
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegGetValueW
RegOpenKeyExW
RegEnumValueW
RegOpenCurrentUser
RegQueryValueExW

api-ms-win-core-string-l1-1-0

GetStringTypeW
CompareStringOrdinal
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemDirectoryW
GetWindowsDirectoryW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventActivityIdControl
EventRegister
EventSetInformation
EventWriteTransfer

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW
PathIsSameRootW
PathFileExistsW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

api-ms-win-core-heap-l2-1-0

LocalAlloc
GlobalFree
LocalFree
LocalReAlloc
GlobalAlloc

ntdll

RtlCreateUnicodeString
AlpcInitializeMessageAttribute
RtlFreeHeap
NtAlpcConnectPort
AlpcGetMessageAttribute
NtAlpcQueryInformationMessage
NtAlpcSendWaitReceivePort
CsrClientCallServer
RtlQueryPackageClaims
NtQueryVolumeInformationFile
RtlAllocateHeap

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-registry-l2-1-0

RegCreateKeyW
RegOpenKeyW

api-ms-win-core-synch-l1-2-0

Sleep
SignalObjectAndWait

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-security-base-l1-1-0

GetSidSubAuthority
GetTokenInformation
GetSidSubAuthorityCount

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoTaskMemFree
CoUninitialize
CoCreateInstance

api-ms-win-core-heap-obsolete-l1-1-0

GlobalSize
GlobalLock
GlobalUnlock

api-ms-win-core-io-l1-1-1

CancelSynchronousIo

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-path-l1-1-0

PathCchRemoveExtension

api-ms-win-shell-shellcom-l1-1-0

SHCoCreateInstance

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 576KB - Virtual size: 575KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 152KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

76923aa1bf85799f169fc2a8bb03894a

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-heap-l2-1-0

ntdll

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-io-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-com-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-shell-shellcom-l1-1-0

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 576KB - Virtual size: 575KB

.rdata Size: 152KB - Virtual size: 152KB

.data Size: 4KB - Virtual size: 17KB

.pdata Size: 33KB - Virtual size: 33KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 34KB - Virtual size: 33KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 576KB - Virtual size: 575KB

.rdata
Size: 152KB - Virtual size: 152KB

.data
Size: 4KB - Virtual size: 17KB

.pdata
Size: 33KB - Virtual size: 33KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 34KB - Virtual size: 33KB

.reloc
Size: 3KB - Virtual size: 2KB