Windows Analysis Report
rhc.exe

Overview

General Information

Sample name: rhc.exe
Analysis ID: 1428807
MD5: abc6379205de2618851c4fcbf72112eb
SHA1: 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256: 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

PE file has a writeable .text section
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

Source: rhc.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData

System Summary

Source: rhc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rhc.exe Static PE information: Section .text
Source: classification engine Classification label: clean22.winEXE@6/0@0/0
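The "PE file has a writeable .text section" signature above comes from the section table: rhc.exe's .text carries IMAGE_SCN_MEM_WRITE alongside IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE. An RWX code section is a common side effect of packers, self-modifying stubs and some older toolchains, so on its own it is a weak signal (this sample still scores 0), but it is worth checking in triage. The following is an added example, not part of the sandbox report: a minimal section-table parser that flags writeable code sections, run over two constructed header-only PE images, one mirroring the rhc.exe layout and one with a normal read/execute .text. The image builder and the section names are assumptions for the demonstration.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_LOCKED = 0x00040000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data: bytes):
    """Walk the COFF section table of a PE image and yield (name, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, nsections, _, _, _, opt_size, _file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]  # last field of the header
        yield name, characteristics


def writable_code_sections(data: bytes):
    """Names of sections that are writeable and also executable or marked as code."""
    return [
        name
        for name, c in pe_sections(data)
        if c & IMAGE_SCN_MEM_WRITE and c & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
    ]


def build_minimal_pe(sections):
    """Constructed test input: a header-only PE32 image with the given (name, characteristics).

    Assumption for the example only; the image is not loadable, it just has a valid
    DOS stub, PE signature, file header, optional header and section table.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, i386
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b""
    for name, chars in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_hdr + opt + table


# Constructed samples: the .text flags reported for rhc.exe next to a conventional RX .text
RWX_TEXT = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_LOCKED | IMAGE_SCN_MEM_EXECUTE
            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
RX_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

SUSPECT_IMAGE = build_minimal_pe([(".text", RWX_TEXT), (".data", RW_DATA)])
NORMAL_IMAGE = build_minimal_pe([(".text", RX_TEXT), (".data", RW_DATA)])

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT_IMAGE), ("normal", NORMAL_IMAGE)):
        print(label, "writeable code sections:", writable_code_sections(image))
```

To run the check against a real sample, pass the file contents (`open(path, "rb").read()`) to `writable_code_sections`; a non-empty list reproduces the sandbox signature, and the section name tells you whether it is the main code section or a packer-added one.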
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rhc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\rhc.exe "C:\Users\user\Desktop\rhc.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\rhc.exe rhc.exe php.exe include.php
Source: C:\Users\user\Desktop\rhc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\rhc.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos