ScreenShot
| Created | 2021.09.14 15:56 | Machine | s1_win7_x6401 |
| Filename | conhost.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (Miner, Malicious, score, anow, GenericKD, avkgp, Sabsik, ai score=86, Unsafe, Edei, Static AI, Malicious PE, susgen, Behavior) | ||
| md5 | 86ec1c19a29d25b109102faa921c7796 | ||
| sha256 | a390e37424852274a627183769d43e7015e88fbb02e54d1b2b8367abdc18ec7e | ||
| ssdeep | 3072:6S5MV1iKq6X2yFaw98p+jcgkLXYlfr/gmSEYLVi:6SnYFaw98p+AjLYtgmSxM | ||
| imphash | cdad5729221a176f1d762a129c60a509 | ||
| impfuzzy | 3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRcMGARLMabL:dBJAEoZ/OEGDzyR9B46L | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Drops a binary and executes it |
| notice | A process attempted to delay the analysis task. |
| notice | An executable file was downloaded by the process conhost.exe |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET POLICY Cryptocurrency Miner Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x140055218 LoadLibraryA
0x140055220 ExitProcess
0x140055228 GetProcAddress
0x140055230 VirtualProtect
WININET.dll
0x140055240 InternetOpenW
EAT(Export Address Table) is none
KERNEL32.DLL
0x140055218 LoadLibraryA
0x140055220 ExitProcess
0x140055228 GetProcAddress
0x140055230 VirtualProtect
WININET.dll
0x140055240 InternetOpenW
EAT(Export Address Table) is none