conhost[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

conhost.exe
Size

354KB
MD5

eaa3ee12b2caa0365f2b4d495b50ad22
SHA1

26e0c2405c62e3dc6ab0527d0a5787c2484664e8
SHA256

f30686dd09b81d4080ab58def209173772fa132fa3762688274270afa6407872
SHA512

54c8945dcc3313b72fabc7c377350e5aacd626342652f6761e2415a653d3fe6c443ffa02ab36fdf61725266cdfe4ea174e2e196768b1f99096227edf66032774
SSDEEP

6144:DFfLdxsj3kCyrith2E/ZFgCcnUlPZYylSb/4wmb0MOZUWhGWjcj2m:RjYTks2E/vgCHPzIQqrtmq

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
conhost.exe

Files

conhost.exe
.exe windows:6 windows x64

766bbbc554510caa578dc083d295d781

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

gdi32

SetDIBitsToDevice
PatBlt
CreateRectRgn
CombineRgn
InvertRgn
DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
SelectPalette
StretchDIBits
DeleteDC
CreateDIBitmap
GetObjectW
BitBlt
GetDIBits
GetStockObject
GdiFlush
GetNearestColor
SetDCBrushColor
SetTextColor
SetBkColor
CreateFontIndirectW
GetTextMetricsW
GetTextExtentPoint32W
EnumFontFamiliesExW
GetTextFaceW
GetDeviceCaps
SetBkMode
GetCurrentObject
GetRegionData
GetRgnBox
PolyTextOutW
SetSystemPaletteUse
RealizePalette
CreateSolidBrush
GetCharWidth32W
CreateBitmap
TranslateCharsetInfo
SetBitmapBits
StretchBlt
GetBitmapBits
GetStringBitmapW
PolyPatBlt

user32

GetDlgItemTextW
IsDlgButtonChecked
SendNotifyMessageW
EndDialog
DialogBoxParamW
GetWindowPlacement
SetWindowPlacement
SetWindowLongW
CopyIcon
DestroyIcon
GetKeyboardLayout
SystemParametersInfoW
ActivateKeyboardLayout
GetKeyboardLayoutNameA
PtInRect
GetWindowLongPtrW
RegisterWindowMessageW
SetWindowsHookExW
GetMessageW
DispatchMessageW
UnhookWindowsHookEx
GetKeyboardState
ToUnicodeEx
SetMenuItemInfoW
LoadMenuW
AppendMenuW
EnableMenuItem
GetWindowTextW
SetWindowTextW
SetWindowPos
AdjustWindowRectEx
GetCaretBlinkTime
MonitorFromRect
GetMonitorInfoW
LoadCursorW
GetWindowRect
ClientToScreen
CreateWindowExW
GetDC
CheckRadioButton
GetSystemMenu
SetActiveWindow
ShowWindow
SetTimer
SetScrollInfo
ScrollDC
GetWindowLongW
KillTimer
ReleaseDC
DefWindowProcW
IsIconic
UnpackDDElParam
CreateIconFromResourceEx
SendMessageTimeoutW
ReuseDDElParam
BeginPaint
DrawIcon
EndPaint
WindowFromPoint
SetCursor
TrackPopupMenuEx
LoadIconW
LoadImageW
RegisterClassExW
SetProcessDPIAware
TranslateMessageEx
EnterReaderModeHelper
PrivateExtractIconExW
MapWindowPoints
GetClientRect
GetCursorPos
InvalidateRect
ConsoleControl
GetClipboardData
MapVirtualKeyW
VkKeyScanW
SendDlgItemMessageW
SetWindowLongPtrW
GetSystemMetrics
SendMessageW
PostMessageW
LoadStringW
DestroyWindow
ScreenToClient
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetKeyState
SetCapture
ReleaseCapture
NotifyWinEvent
GetKeyboardLayoutNameW

msvcrt

_cexit
_ismbblead
__setusermatherr
__set_app_type
atoi
_itoa
free
malloc
_exit
_initterm
__C_specific_handler
_acmdln
_fmode
_commode
?terminate@@YAXXZ
memmove
__getmainargs
exit
_amsg_exit
_XcptFilter
wcscmp
wcschr
_local_unwind
wcsncmp
memcmp
wcstoul
memcpy
memset
wcsrchr
_vsnwprintf

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlIntegerToUnicodeString
RtlUnicodeToMultiByteSize
RtlInitializeCriticalSectionAndSpinCount
RtlConsoleMultiByteToUnicodeN
NtOpenKey
RtlOpenCurrentUser
NtEnumerateValueKey
NtQueryValueKey
RtlCreateTagHeap
RtlDosSearchPath_U
RtlExitUserProcess
NtSetInformationProcess
RtlInitializeCriticalSection
RtlInitCodePageTable
RtlUnicodeToMultiByteN
RtlMultiByteToUnicodeN
RtlCustomCPToUnicodeN
RtlOemToUnicodeN
RtlUnicodeToOemN
RtlReAllocateHeap
RtlExitUserThread
NtQueryVolumeInformationFile
RtlUnicodeStringToInteger
RtlInitUnicodeString
RtlGetCriticalSectionRecursionCount
RtlLeaveCriticalSection
NtSetEvent
NtClearEvent
NtCreateEvent
RtlInitializeSRWLock
RtlEnterCriticalSection
NtQueryInformationProcess
NtOpenProcess
NtVdmControl
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
NtDeviceIoControlFile
RtlCompareUnicodeString
RtlSizeHeap
NtReleaseMutant
NtWaitForSingleObject
NtCreateMutant
NtUnmapViewOfSection
NtCreateSection
DbgPrintEx
RtlFreeHeap
NtClose
RtlAllocateHeap
NtDuplicateObject
NtMapViewOfSection

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
GetStringTypeW

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FindResourceExW
GetModuleFileNameW
FreeLibrary
GetModuleHandleW
LoadResource
LockResource
LoadLibraryExW

api-ms-win-core-localization-l1-2-1

IsValidCodePage
GetACP
GetOEMCP
GetCPInfo

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-errorhandling-l1-1-1

GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

SetProcessShutdownParameters
GetCurrentThread
CreateThread
GetStartupInfoW
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess

api-ms-win-core-processenvironment-l1-2-0

GetEnvironmentVariableW
SetEnvironmentVariableW
GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-registry-l1-1-0

RegGetValueW

api-ms-win-core-file-l1-2-1

CreateFileW
SetFilePointer
ReadFile

api-ms-win-core-sysinfo-l1-2-1

GetSystemInfo
GetTickCount
GetSystemTimeAsFileTime
GetVersionExW
GetSystemDirectoryW

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-heap-obsolete-l1-1-0

LocalReAlloc
LocalFree
LocalAlloc
GlobalAlloc
GlobalFree
GlobalUnlock
GlobalSize
GlobalLock

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrlenA

api-ms-win-core-privateprofile-l1-1-1

GetPrivateProfileStringW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW

imm32

ImmGetGuideLineW
ImmReleaseContext
ImmGetConversionStatus
ImmGetOpenStatus
ImmGetContext
ImmGetCandidateListW
ImmNotifyIME
ImmGetCompositionStringW
ImmAssociateContextEx
ImmTranslateMessage
ImmAssociateContext
ImmGetProperty

oleaut32

SysAllocString
VariantClear
SysAllocStringLen
SysStringLen
VariantInit
SysFreeString
SysReAllocString

api-ms-win-core-com-l1-1-1

CoUninitialize
CoCreateInstance
CoInitializeEx

api-ms-win-core-memory-l1-1-2

VirtualQuery
VirtualAlloc
VirtualProtect

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

Sections

.text
Size: 251KB - Virtual size: 251KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

FE_TEXT
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

766bbbc554510caa578dc083d295d781

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

msvcrt

ntdll

api-ms-win-core-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-localization-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-privateprofile-l1-1-1

api-ms-win-core-sidebyside-l1-1-0

imm32

oleaut32

api-ms-win-core-com-l1-1-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

Sections

.text Size: 251KB - Virtual size: 251KB

FE_TEXT Size: 24KB - Virtual size: 24KB

.data Size: 5KB - Virtual size: 5KB

.pdata Size: 24KB - Virtual size: 24KB

.idata Size: 12KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 16B

.rsrc Size: 34KB - Virtual size: 33KB

.reloc Size: 512B - Virtual size: 496B

.text
Size: 251KB - Virtual size: 251KB

FE_TEXT
Size: 24KB - Virtual size: 24KB

.data
Size: 5KB - Virtual size: 5KB

.pdata
Size: 24KB - Virtual size: 24KB

.idata
Size: 12KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 16B

.rsrc
Size: 34KB - Virtual size: 33KB

.reloc
Size: 512B - Virtual size: 496B