Edit tour

Windows Analysis Report
MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip

Overview

General Information

Sample name:	MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip
Analysis ID:	1428806
MD5:	d643c338c5433325d7eb951dcdbdd49e
SHA1:	ff9b656a93c29be4d27c5c7a84fbad6745bd645e
SHA256:	01dab660885e34c8ff340193ddbe08aedacf75e4636e2a794e32c860ca47a2c7
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

PE file has a writeable .text section

Drops PE files

Queries the volume information (name, serial number etc) of a device

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6420 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

rhc.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe" MD5: ABC6379205DE2618851C4FCBF72112EB)

cmd.exe (PID: 448 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7zG.exe (PID: 3264 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap13122:172:7zEvent2168 MD5: 50F289DF0C19484E970849AAC4E6F977)

rhc.exe (PID: 6816 cmdline: "C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe" MD5: ABC6379205DE2618851C4FCBF72112EB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

System Summary

PE file has a writeable .text section

Source: rhc.exe.20.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: rhc.exe.20.dr

Static PE information: Section .text

Source: classification engine

Classification label: sus21.winZIP@6/1@0/0

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\rhc.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap13122:172:7zEvent2168
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\rhc.exe

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File Volume queried: C:\Users\user FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	2 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\rhc.exe	5%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428806
Start date and time:	2024-04-19 16:33:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip
Detection:	SUS
Classification:	sus21.winZIP@6/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded domains from analysis (whitelisted): fp.msedge.net, www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, b-ring.msedge.net, t-ring.msedge.net, fe3cr.delivery.mp.microsoft.com, c-ring.msedge.net, login.live.com, r.bing.com, evoke-windowsservices-tas.msedge.net, browser.pipe.aria.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\rhc.exe	https://xvideocallgirl.top/fullclip/?fbclid=IwAR0XXaMl8JkF9Vu7G_kLWBmwu9V39Q_f-Hr-2hYk3ee4AVoPInF4pmx9flA	Get hash	malicious	Unknown	Browse
	X270IE48_2023-10-16_14_24_38.742.zip	Get hash	malicious	Unknown	Browse
	data1.exe	Get hash	malicious	Unknown	Browse
	NewCPhong.exe	Get hash	malicious	Unknown	Browse
	hu_HU.zip	Get hash	malicious	Unknown	Browse
	yspx-v3.2.25-setup.exe	Get hash	malicious	BazaLoader	Browse
	ContentCloud.zip	Get hash	malicious	Unknown	Browse
	Album_One_Night_Stand_Jing_Len.zip	Get hash	malicious	Unknown	Browse
	AVATAR2_THE_WAY_OF_WATER_FULL_HIGH_DEFINITION_WITH_SUBTITLES.exe	Get hash	malicious	Unknown	Browse
	AVATAR2_THE_WAY_OF_WATER_FULL_HIGH_DEFINITION_WITH_SUBTITLES.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\Desktop\rhc.exe

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	4.3050049770072105
Encrypted:	false
SSDEEP:	24:eFGSPZMexrSoVjAL5jhsUnqzQhVJx+y/F/mnSBgZpwA:iJr7jALHqzPgESBg
MD5:	ABC6379205DE2618851C4FCBF72112EB
SHA1:	1ED7B1E965EAB56F55EFDA975F9F7ADE95337267
SHA-256:	22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F
SHA-512:	180C7F400DD13092B470E3A91BF02E98EF6247C1193BF349E3710E8D1E9003F3BC9B792BB776EACB746E9C67B3041F2333CC07F28C5F046D59274742230FB7C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: X270IE48_2023-10-16_14_24_38.742.zip, Detection: malicious, Browse Filename: data1.exe, Detection: malicious, Browse Filename: NewCPhong.exe, Detection: malicious, Browse Filename: hu_HU.zip, Detection: malicious, Browse Filename: yspx-v3.2.25-setup.exe, Detection: malicious, Browse Filename: ContentCloud.zip, Detection: malicious, Browse Filename: Album_One_Night_Stand_Jing_Len.zip, Detection: malicious, Browse Filename: AVATAR2_THE_WAY_OF_WATER_FULL_HIGH_DEFINITION_WITH_SUBTITLES.exe, Detection: malicious, Browse Filename: AVATAR2_THE_WAY_OF_WATER_FULL_HIGH_DEFINITION_WITH_SUBTITLES.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&..IG..IG..IG...d..LG..IG..NG...c..HG...c..HG..RichIG..................PE..L....$.B..................................... ....@.......................... ..................................................<.......................................................................................$............................text............................... ...........................p.......................................About:..hidec hides console window of started program & waits (opt.) for its termination..Usage:...hidec [/w] <filename>..Where:../w.wait for program termination.filename.executable file name.Error: Incorrect usage....TSUV3.3.. ....@...:"u.."...I..B.B:.t...u....:.t..B.B..t.< t.<.t...u.Uh..@.h(.@.U....@.U....@.</u..B.. <wu..z. u.............t.< t.<.u..B.B..u.W3.......\|$ .L$.Q.D$$PUUj.UUURU.D$HD....D$t....f.l$x....@..._t';.t..L$.j.Q....@..T$..

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.5388134749031614
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip
File size:	953 bytes
MD5:	d643c338c5433325d7eb951dcdbdd49e
SHA1:	ff9b656a93c29be4d27c5c7a84fbad6745bd645e
SHA256:	01dab660885e34c8ff340193ddbe08aedacf75e4636e2a794e32c860ca47a2c7
SHA512:	2cd723b854328037e52c25874a5de9eb295746a1228aac90558f79eacffe890ca9652cb2b64459eb93df5224e21c5c3ae79e8341fa0772f036ed1c8812d66e1d
SSDEEP:	24:9E3KkdvWZkFgxlqLc4UkEgjVDLB87Dv+yVb5lcePh3K3N:9uQjrqLcO1DFMDv+2b5+eP0N
TLSH:	3111BB584DEF830DE214C8FFAD55AD18C6F4F5D0F225BC0B19D6A1506C061E1194D2AD
File Content Preview:	PK.........r.X..............$.rhc.exe.. .........U...e...T...e...I...e.....HYw.......e...).q. ,...3Zo"..@...f....S..1.8!...L..H.~".*x.....LoI......242.X#E.&....E...U..=;...}.!p=U.b..wfH..1m_.S.m...aZ..^'.=6j.v.W.q...spn.Dxf9AKT......./8y.X"9.$...l...6k..9

File Icon


Icon Hash:	1c1c1e4e4ececedc

Target ID:	0
Start time:	16:33:57
Start date:	19/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6d6260000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:34:12
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"
Imagebase:	0x400000
File size:	1'536 bytes
MD5 hash:	ABC6379205DE2618851C4FCBF72112EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	16:34:22
Start date:	19/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe"
Imagebase:	0x7ff7dd030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	16:34:22
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	16:35:11
Start date:	19/04/2024
Path:	C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap13122:172:7zEvent2168
Imagebase:	0x480000
File size:	700'416 bytes
MD5 hash:	50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:35:28
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"
Imagebase:	0x400000
File size:	1'536 bytes
MD5 hash:	ABC6379205DE2618851C4FCBF72112EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Spreading

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\rhc.exe

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: rundll32.exePID: 6420, Parent PID: 804

General

Chronological Activities

Analysis Process: rhc.exePID: 6968, Parent PID: 4552

General

Chronological Activities

Analysis Process: cmd.exePID: 448, Parent PID: 4552

General

Chronological Activities

Analysis Process: conhost.exePID: 7036, Parent PID: 448

General

Chronological Activities

Analysis Process: 7zG.exePID: 3264, Parent PID: 4552

General

Chronological Activities

Analysis Process: rhc.exePID: 6816, Parent PID: 4552

General

Chronological Activities

Windows Analysis Report
MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip