Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

conhost.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.129904154417161
Filename:	conhost.exe
Filesize:	1298944
MD5:	8c9dca7a1d21e402c885d50af18737d1
SHA1:	39cdfb61bf1a94d064a5ac5648ab552ca20be539
SHA256:	7cb6264b793849e31f23a7eb4f18f59a71fd3e44760be9d6052bbcdc2dfdf15c
SHA512:	2c2dda6e2a7323a587e932903943ce12db9bedb1b42ec0683e293d1d8883b57667652767ba8af8f79953d4a4719fd67eaee8ed277a887248e69b90d3729c1113
SSDEEP:	24576:iZcicBG2rYbrozA48eI193G7V3IVi4oIlXEJo7SFY8V7ygQay3VzcA8:ZiAEHxAJ4VWIB798V7FKVzc
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Detected unpacking (changes PE section rights)	Data Obfuscation
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Masquerading
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the system directory	System Summary	Masquerading
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
Creates job files (autostart)	Boot Survival	Scheduled Task/Job
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Abnormal high CPU Usage	System Summary	System Time Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains functionality to read the PEB	Anti Debugging
Found evasive API chain checking for process token information	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Sample is known by Antivirus	System Summary
Found malware configuration	AV Detection
Reads software policies	System Summary
Uses an in-process (OLE) Automation server	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to check free disk space	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Contains functionality for error logging	System Summary
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Creates mutexes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Program exit points	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Tasks\wow64.job

data

dropped

Details

File:	C:\Windows\Tasks\wow64.job
Category:	dropped
Dump:	wow64.job.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\conhost.exe
Type:	data
Entropy:	3.543933576684731
Encrypted:	false
Ssdeep:	6:P98jO/80e//5ZsFWr6AtoADCzcF/v5t/uy0lc3/a:ayS/EF4T+zcFaVua
Size:	272
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Creates job files (autostart)	Boot Survival	Scheduled Task/Job

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\conhost.exe

Details

Is windows:	false
Is dropped:	false
PID:	3648
Target ID:	1
Parent PID:	3324
Name:	conhost.exe
Path:	C:\Users\user\Desktop\conhost.exe
Commandline:	C:\Users\user\Desktop\conhost.exe
Size:	1298944
MD5:	8C9DCA7A1D21E402C885D50AF18737D1
Time:	19:49:24
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1318912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\conhost.exe

C:\Users\user\Desktop\conhost.exe start

Details

Is windows:	false
Is dropped:	false
PID:	3924
Target ID:	8
Parent PID:	1084
Name:	conhost.exe
Path:	C:\Users\user\Desktop\conhost.exe
Commandline:	C:\Users\user\Desktop\conhost.exe start
Size:	1298944
MD5:	8C9DCA7A1D21E402C885D50AF18737D1
Time:	19:49:44
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1318912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

207.148.1.174

Details

Name:	207.148.1.174
TargetID:	0
From Memory:	false
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Found malware configuration	AV Detection

146.70.53.169

Details

Name:	146.70.53.169
TargetID:	0
From Memory:	false
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Found malware configuration	AV Detection

IPs

Domain

Country

Malicious

207.148.1.174

unknown

United States

Details

IP:	207.148.1.174
TargetID:	8
Current Path:	C:\Users\user\Desktop\conhost.exe
Country:	United States
Countrycode:	USA
ASN number:	20473
ASN name:	AS-CHOOPAUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Found malware configuration	AV Detection

146.70.53.169

unknown

United Kingdom

Details

IP:	146.70.53.169
TargetID:	8
Current Path:	C:\Users\user\Desktop\conhost.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	2018
ASN name:	TENET-1ZA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Found malware configuration	AV Detection

Memdumps

Base Address

Regiontype

Protect

Malicious

2B60000

direct allocation

page execute and read and write

28E0000

direct allocation

page execute and read and write

2B50000

direct allocation

page execute and read and write

400000

unkown

page execute and read and write

14741402000

trusted library allocation

page read and write

14740C62000

heap

page read and write

3B1C27E000

stack

page read and write

5CA000

heap

page read and write

14740C67000

heap

page read and write

14740C2E000

heap

page read and write

6388A7F000

stack

page read and write

14740BB0000

trusted library allocation

page read and write

14740C13000

heap

page read and write

14740C7B000

heap

page read and write

401000

unkown

page execute read

2B30000

direct allocation

page execute and read and write

3B1BFFB000

stack

page read and write

1CFFD122000

heap

page read and write

14740C49000

heap

page read and write

48E000

unkown

page readonly

498000

unkown

page execute and read and write

14740C4F000

heap

page read and write

1F7837D0000

remote allocation

page read and write

8CE000

stack

page read and write

B0F000

stack

page read and write

1F7837D0000

remote allocation

page read and write

14740C6D000

heap

page read and write

14740A40000

heap

page read and write

2D60000

trusted library allocation

page read and write

24C0000

trusted library allocation

page read and write

1F0000

heap

page read and write

14740C4B000

heap

page read and write

22F1BA2F000

heap

page read and write

1CFFC643000

heap

page read and write

14740C46000

heap

page read and write

14740C2D000

heap

page read and write

14740C4E000

heap

page read and write

88F000

stack

page read and write

2BAA000

stack

page read and write

14740C44000

heap

page read and write

3B1C47E000

stack

page read and write

638897C000

stack

page read and write

14740C50000

heap

page read and write

3B1C2FE000

stack

page read and write

2990000

direct allocation

page execute and read and write

1CFFC690000

heap

page read and write

1CFFC643000

heap

page read and write

5C0000

heap

page read and write

22F1BA52000

heap

page read and write

14740A50000

heap

page read and write

3B1C77F000

stack

page read and write

2B40000

direct allocation

page execute and read and write

14740C40000

heap

page read and write

1CFFD122000

heap

page read and write

1F7837D0000

remote allocation

page read and write

3B1C57E000

stack

page read and write

22F1B820000

heap

page read and write

14740C3D000

heap

page read and write

22F1B810000

heap

page read and write

22F1BA3D000

heap

page read and write

22F1BA29000

heap

page read and write

14740C00000

heap

page read and write

14740C84000

heap

page read and write

24D0000

direct allocation

page execute and read and write

1CFFC65E000

heap

page read and write

22F1BA4A000

heap

page read and write

14740C45000

heap

page read and write

14740C77000

heap

page read and write

49F000

unkown

page execute and read and write

14740C7A000

heap

page read and write

5EC000

heap

page read and write

489000

unkown

page write copy

14740C56000

heap

page read and write

22F1B870000

heap

page read and write

486000

unkown

page write copy

23B3000

heap

page read and write

23E0000

heap

page read and write

3B1C67E000

stack

page read and write

400000

unkown

page readonly

19B000

stack

page read and write

14740C42000

heap

page read and write

22F1BA02000

heap

page read and write

22F1BA4E000

heap

page read and write

485000

unkown

page execute and read and write

14740AB0000

heap

page read and write

A0E000

stack

page read and write

14740C39000

heap

page read and write

638832B000

stack

page read and write

14740C6B000

heap

page read and write

22F1BA43000

heap

page read and write

550000

trusted library allocation

page read and write

14740C48000

heap

page read and write

14740C47000

heap

page read and write

23B0000

heap

page read and write

2830000

direct allocation

page execute and read and write

638877F000

stack

page read and write

14740C29000

heap

page read and write

23F0000

heap

page read and write

22F1BA13000

heap

page read and write

22B0000

direct allocation

page read and write

6388B7E000

stack

page read and write

2CAD000

stack

page read and write

59E000

stack

page read and write

1CFFD102000

heap

page read and write

14740D02000

heap

page read and write

22F1BA00000

heap

page read and write

22F1BA46000

heap

page read and write

14740C41000

heap

page read and write

14740C61000

heap

page read and write

9CF000

stack

page read and write

22F1B970000

trusted library allocation

page read and write

98000

stack

page read and write

14740C60000

heap

page read and write

14740C30000

heap

page read and write

14740C7E000

heap

page read and write

30000

heap

page read and write

22F1C202000

trusted library allocation

page read and write

638887A000

stack

page read and write

14740C6A000

heap

page read and write

22F1BB02000

heap

page read and write

2A30000

direct allocation

page read and write

14740C3A000

heap

page read and write

There are 112 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
conhost.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportconhost.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
conhost.exe