Windows
Analysis Report
rhc.exe
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | true |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- rhc.exe (PID: 2528 cmdline:
"C:\Users\ user\Deskt op\rhc.exe " MD5: ABC6379205DE2618851C4FCBF72112EB)
- rundll32.exe (PID: 7112 cmdline:
C:\Windows \System32\ rundll32.e xe C:\Wind ows\System 32\shell32 .dll,SHCre ateLocalSe rverRunDll {9aa46009 -3ce0-458a -a354-7156 10a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
- cmd.exe (PID: 6272 cmdline:
"C:\Window s\system32 \cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3528 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - rhc.exe (PID: 3408 cmdline:
rhc.exe ph p.exe incl ude.php MD5: ABC6379205DE2618851C4FCBF72112EB)
- cleanup
Click to jump to signature section
Source: | Static PE information: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
System Summary |
---|
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Process information set: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | File Volume queried: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 2 File and Directory Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | ReversingLabs |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428807 |
Start date and time: | 2024-04-19 16:36:36 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 44s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | rhc.exe |
Detection: | CLEAN |
Classification: | clean22.winEXE@6/0@0/0 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): arc-ring.msedge.net, fs.microsoft.com, mcr-ring.msedge.net, l-ring.msedge.net, slscr.update.microsoft.com, login.live.com, static-ecst.licdn.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rhc.exe, PID 2528 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: rhc.exe
File type: | |
Entropy (8bit): | 4.3050049770072105 |
TrID: |
|
File name: | rhc.exe |
File size: | 1'536 bytes |
MD5: | abc6379205de2618851c4fcbf72112eb |
SHA1: | 1ed7b1e965eab56f55efda975f9f7ade95337267 |
SHA256: | 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f |
SHA512: | 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1 |
SSDEEP: | 24:eFGSPZMexrSoVjAL5jhsUnqzQhVJx+y/F/mnSBgZpwA:iJr7jALHqzPgESBg |
TLSH: | 7A31544BEBC81A73E9280530274A580261EA551406628A016A8C50EF7D24BABA8BCBD1 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&..IG..IG..IG...d..LG..IG..NG...c..HG...c..HG..RichIG..................PE..L....$.B..................................... ....@ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x401100 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x42C12411 [Tue Jun 28 10:18:57 2005 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 0b9ca80ff295945b3cf5762a07ef3d50 |
Instruction |
---|
sub esp, 54h |
push ebx |
push ebp |
push esi |
xor ebp, ebp |
xor esi, esi |
mov bl, 20h |
call dword ptr [00401014h] |
mov edx, eax |
cmp byte ptr [edx], 00000022h |
jne 00007EFF418B5E39h |
mov bl, 22h |
jmp 00007EFF418B5E35h |
lea ecx, dword ptr [ecx+00h] |
mov al, byte ptr [edx+01h] |
inc edx |
cmp al, bl |
je 00007EFF418B5E38h |
test al, al |
jne 00007EFF418B5E26h |
jmp 00007EFF418B5E4Bh |
cmp byte ptr [edx], 00000000h |
je 00007EFF418B5E46h |
mov al, byte ptr [edx+01h] |
inc edx |
test al, al |
je 00007EFF418B5E3Eh |
cmp al, 20h |
je 00007EFF418B5E26h |
cmp al, 09h |
je 00007EFF418B5E22h |
test al, al |
jne 00007EFF418B5E4Bh |
push ebp |
push 004010E8h |
push 00401028h |
push ebp |
call dword ptr [0040101Ch] |
push ebp |
call dword ptr [00401010h] |
cmp al, 2Fh |
jne 00007EFF418B5E49h |
mov al, byte ptr [edx+01h] |
or al, 20h |
cmp al, 77h |
jne 00007EFF418B5E40h |
cmp byte ptr [edx+02h], 00000020h |
jne 00007EFF418B5E3Ah |
mov esi, 00000001h |
add edx, 03h |
mov al, byte ptr [edx] |
test al, al |
je 00007EFF418B5E42h |
cmp al, 20h |
je 00007EFF418B5E36h |
cmp al, 09h |
jne 00007EFF418B5E3Ah |
mov al, byte ptr [edx+01h] |
inc edx |
test al, al |
jne 00007EFF418B5E22h |
push edi |
xor eax, eax |
mov ecx, 00000011h |
lea edi, dword ptr [esp+20h] |
rep stosd |
lea ecx, dword ptr [esp+10h] |
push ecx |
lea eax, dword ptr [esp+24h] |
push eax |
push ebp |
push ebp |
push 00000010h |
push ebp |
push ebp |
push ebp |
push edx |
push ebp |
mov dword ptr [esp+48h], 00000044h |
mov dword ptr [esp+74h], 00000001h |
mov word ptr [esp+78h], bp |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1210 | 0x3c | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x24 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2fe | 0x400 | 1c61defec48fa1f4f80348e35119c7c0 | False | 0.5576171875 | data | 4.742151518817217 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.dll | GetLastError, CloseHandle, WaitForSingleObject, CreateProcessA, ExitProcess, GetCommandLineA |
USER32.dll | MessageBoxA |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 19, 2024 16:38:09.244014978 CEST | 53 | 56890 | 1.1.1.1 | 192.168.2.16 |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 16:37:07 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\rhc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'536 bytes |
MD5 hash: | ABC6379205DE2618851C4FCBF72112EB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 12 |
Start time: | 16:37:49 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61fe20000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 16:38:05 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6fd780000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 17 |
Start time: | 16:38:05 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6684c0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 20 |
Start time: | 16:39:08 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\rhc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'536 bytes |
MD5 hash: | ABC6379205DE2618851C4FCBF72112EB |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Function 00401163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60processsynchronizationCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |