Windows Analysis Report
conhost[1].exe

Overview

General Information

Sample name: conhost[1].exe
Analysis ID: 1417362
MD5: 7417006ac4f38dbe0efd36647c3ebae4
SHA1: 4c7e2524a6d7cd99be807b7bfa544517cfd594d4
SHA256: c43cf46192da061dd6169e55aac4d2d08a6c33c039a7dac0d88aa897661cbc87

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Source: conhost[1].exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: conhost.pdbUGP source: conhost[1].exe
Source: Binary string: conhost.pdb source: conhost[1].exe
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08C0390 OpenClipboard,EnableScrollBar, 0_2_00007FF7E08C0390
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08C0360 SetClipboardData, 0_2_00007FF7E08C0360
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E087532C GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00007FF7E087532C
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08C0370 GetClipboardData, 0_2_00007FF7E08C0370
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E086E17C _Init_thread_footer,NtOpenFile,NtOpenFile, 0_2_00007FF7E086E17C
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FA4A0 GetWindowLongPtrW,NtdllDefWindowProc_W,SetWindowLongPtrW, 0_2_00007FF7E07FA4A0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FA540 EnterCriticalSection,NtdllDefWindowProc_W,LeaveCriticalSection,GetWindowRect,IsRectEmpty,GetWindowLongW,SetDlgItemTextW,SetWindowPos,IsIconic,MonitorFromRect,SetWindowPos,FreeLibrary,NtdllDefWindowProc_W,GetSystemMetrics,SetActiveWindow,SendMessageTimeoutW,NotifyWinEvent, 0_2_00007FF7E07FA540
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FA43C WideCharToMultiByte,NtdllDefWindowProc_W, 0_2_00007FF7E07FA43C
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E086E9E0 GetLastError,FreeLibrary,memset,NtdllDefWindowProc_W,RegisterClassW,CreateWindowExW,GetLastError, 0_2_00007FF7E086E9E0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08771C8 RtlCreateUnicodeString,AlpcInitializeMessageAttribute,NtAlpcConnectPort,AlpcGetMessageAttribute,AlpcGetMessageAttribute,NtAlpcQueryInformationMessage,memset, 0_2_00007FF7E08771C8
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08094D4 NtQueryVolumeInformationFile, 0_2_00007FF7E08094D4
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0877A68 NtAlpcSendWaitReceivePort, 0_2_00007FF7E0877A68
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08024C0 memset,DeviceIoControl,_Init_thread_footer,default_delete, 0_2_00007FF7E08024C0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08001E0 0_2_00007FF7E08001E0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E086A2D4 0_2_00007FF7E086A2D4
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FA540 0_2_00007FF7E07FA540
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07F4890 0_2_00007FF7E07F4890
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07F3840 0_2_00007FF7E07F3840
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07F4030 0_2_00007FF7E07F4030
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E088A198 0_2_00007FF7E088A198
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08625E0 0_2_00007FF7E08625E0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0874554 0_2_00007FF7E0874554
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E088A910 0_2_00007FF7E088A910
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0844964 0_2_00007FF7E0844964
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E084EB40 0_2_00007FF7E084EB40
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E082ACA8 0_2_00007FF7E082ACA8
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E087EC6C 0_2_00007FF7E087EC6C
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0874DE8 0_2_00007FF7E0874DE8
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E088AD80 0_2_00007FF7E088AD80
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FCFA0 0_2_00007FF7E07FCFA0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0801250 0_2_00007FF7E0801250
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E081728C 0_2_00007FF7E081728C
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E084D5C4 0_2_00007FF7E084D5C4
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0883544 0_2_00007FF7E0883544
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FF690 0_2_00007FF7E07FF690
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E087D7C4 0_2_00007FF7E087D7C4
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FD7F0 0_2_00007FF7E07FD7F0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0801780 0_2_00007FF7E0801780
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0809960 0_2_00007FF7E0809960
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E086FAF0 0_2_00007FF7E086FAF0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07FFCB0 0_2_00007FF7E07FFCB0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0843FE0 0_2_00007FF7E0843FE0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0875F30 0_2_00007FF7E0875F30
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E084E0F8 0_2_00007FF7E084E0F8
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E07F9A04 appears 387 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E08296D4 appears 68 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E082CFCC appears 159 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E082D614 appears 148 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E08132F8 appears 175 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E080F780 appears 54 times
Source: C:\Users\user\Desktop\conhost[1].exe Code function: String function: 00007FF7E07F61E4 appears 141 times
Source: conhost[1].exe Binary or memory string: OriginalFilename vs conhost[1].exe
Source: conhost[1].exe, 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: conhost[1].exe, 00000000.00000000.1596244904.00007FF7E08C1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: conhost[1].exe Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\conhost[1].exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: conhost[1].exe Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cpponecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine Classification label: clean9.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E080C444 CoInitializeEx,CoCreateInstance,CoCreateInstance, 0_2_00007FF7E080C444
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0849608 FindResourceExW,LoadResource,LockResource,memmove, 0_2_00007FF7E0849608
Source: C:\Users\user\Desktop\conhost[1].exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: conhost[1].exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\conhost[1].exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: conhost[1].exe String found in binary or memory: <!--StartFragment -->
Source: conhost[1].exe String found in binary or memory: Software\Microsoft\Windows\CurrentVersionPutInputInBuffer: EventsWritten != 1, 1 expectedInvalid EventType: 0x%xonecore\windows\core\console\open\src\host\misc.cpponecore\windows\core\console\open\src\host\output.cppinvalid array<T, N> subscript onecore\windows\core\console\open\src\host\convarea.cppInvalid screen buffer size (0x%x, 0x%x) onecore\windows\core\console\open\src\host\_output.cpponecore\windows\core\console\open\src\host\utils.cppStartEndUnknownTextUnit_CharacterTextUnit_FormatTextUnit_WordTextUnit_LineTextUnit_ParagraphTextUnit_PageTextUnit_DocumentUIA_AutomationFocusChangedEventIdNavigateDirection_FirstChildNavigateDirection_LastChildNavigateDirection_NextSiblingNavigateDirection_PreviousSiblingonecore\windows\core\console\open\src\host\registry.cpponecore\windows\core\console\open\src\host\ntprivapi.cppNtOpenProcessNtQueryInformationProcessNtCloseWriteCharsLegacy failed %xWriteCharsLegacy failed 0x%xonecore\windows\core\console\open\src\host\renderdata.cpponecore\windows\core\console\open\src\host\utf8towidecharparser.cpponecore\windows\core\console\open\src\host\conimeinfo.cpp"" invalid stoi argumentstoi argument out of rangeonecore\windows\core\console\open\src\host\commandnumberpopup.cpponecore\windows\core\console\open\src\host\commandlistpopup.cpp onecore\windows\core\console\open\src\host\exemain.cppConhostV1.dllConsoleCreateIoThreadonecore\windows\core\console\open\src\buffer\out\cursor.cpponecore\windows\core\console\open\src\buffer\out\textbuffer.cpp&lt;&gt;&amp;</TITLE></HEAD><BODY><!DOCTYPE><HTML><HEAD><TITLE><!--StartFragment --><DIV STYLE="display:inline-block;white-space:pre;background-color:;font-family:'',monospace;font-size:pt;padding:px;"><BR></SPAN><SPAN STYLE="color:</DIV><!--EndFragment --></BODY></HTML>Version:0.9
Source: unknown Process created: C:\Users\user\Desktop\conhost[1].exe "C:\Users\user\Desktop\conhost[1].exe"
Source: C:\Users\user\Desktop\conhost[1].exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\conhost[1].exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32
Source: conhost[1].exe Static PE information: Image base 0x140000000 > 0x60000000
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: conhost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: conhost[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: conhost[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: conhost[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: conhost[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: conhost[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: conhost[1].exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07F8448 IsIconic, 0_2_00007FF7E07F8448
Source: C:\Users\user\Desktop\conhost[1].exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\conhost[1].exe Last function: Thread delayed
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E080CBF0 DelayLoadFailureHook,LdrResolveDelayLoadedAPI, 0_2_00007FF7E080CBF0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E07F9B68 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF7E07F9B68
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0807F10 RegOpenKeyW,RegEnumValueW,GetProcessHeap,HeapAlloc,RegCloseKey,GetProcessHeap,HeapFree, 0_2_00007FF7E0807F10
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E08103A0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7E08103A0
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E0810598 SetUnhandledExceptionFilter, 0_2_00007FF7E0810598
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E080F7A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E080F7A8
Source: C:\Users\user\Desktop\conhost[1].exe Code function: 0_2_00007FF7E081023C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7E081023C
No contacted IP information