Edit tour

Windows Analysis Report
rhc.exe

Overview

General Information

Sample name:	rhc.exe
Analysis ID:	1428807
MD5:	abc6379205de2618851c4fcbf72112eb
SHA1:	1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256:	22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

PE file has a writeable .text section

Creates a process in suspended mode (likely to inject code)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

rhc.exe (PID: 2528 cmdline: "C:\Users\user\Desktop\rhc.exe" MD5: ABC6379205DE2618851C4FCBF72112EB)

rundll32.exe (PID: 7112 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 6272 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rhc.exe (PID: 3408 cmdline: rhc.exe php.exe include.php MD5: ABC6379205DE2618851C4FCBF72112EB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: rhc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior

System Summary

PE file has a writeable .text section

Source: rhc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: rhc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: rhc.exe

Static PE information: Section .text

Source: classification engine

Classification label: clean22.winEXE@6/0@0/0

Source: rhc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rhc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Users\user\Desktop\rhc.exe "C:\Users\user\Desktop\rhc.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\rhc.exe rhc.exe php.exe include.php
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\rhc.exe rhc.exe php.exe include.php	Jump to behavior

Source: C:\Users\user\Desktop\rhc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rhc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Users\user\Desktop\rhc.exe rhc.exe php.exe include.php

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	2 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rhc.exe	5%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428807
Start date and time:	2024-04-19 16:36:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rhc.exe
Detection:	CLEAN
Classification:	clean22.winEXE@6/0@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): arc-ring.msedge.net, fs.microsoft.com, mcr-ring.msedge.net, l-ring.msedge.net, slscr.update.microsoft.com, login.live.com, static-ecst.licdn.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rhc.exe, PID 2528 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: rhc.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.3050049770072105
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rhc.exe
File size:	1'536 bytes
MD5:	abc6379205de2618851c4fcbf72112eb
SHA1:	1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256:	22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512:	180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
SSDEEP:	24:eFGSPZMexrSoVjAL5jhsUnqzQhVJx+y/F/mnSBgZpwA:iJr7jALHqzPgESBg
TLSH:	7A31544BEBC81A73E9280530274A580261EA551406628A016A8C50EF7D24BABA8BCBD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&..IG..IG..IG...d..LG..IG..NG...c..HG...c..HG..RichIG..................PE..L....$.B..................................... ....@

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401100
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x42C12411 [Tue Jun 28 10:18:57 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0b9ca80ff295945b3cf5762a07ef3d50

Entrypoint Preview

Instruction
sub esp, 54h
push ebx
push ebp
push esi
xor ebp, ebp
xor esi, esi
mov bl, 20h
call dword ptr [00401014h]
mov edx, eax
cmp byte ptr [edx], 00000022h
jne 00007EFF418B5E39h
mov bl, 22h
jmp 00007EFF418B5E35h
lea ecx, dword ptr [ecx+00h]
mov al, byte ptr [edx+01h]
inc edx
cmp al, bl
je 00007EFF418B5E38h
test al, al
jne 00007EFF418B5E26h
jmp 00007EFF418B5E4Bh
cmp byte ptr [edx], 00000000h
je 00007EFF418B5E46h
mov al, byte ptr [edx+01h]
inc edx
test al, al
je 00007EFF418B5E3Eh
cmp al, 20h
je 00007EFF418B5E26h
cmp al, 09h
je 00007EFF418B5E22h
test al, al
jne 00007EFF418B5E4Bh
push ebp
push 004010E8h
push 00401028h
push ebp
call dword ptr [0040101Ch]
push ebp
call dword ptr [00401010h]
cmp al, 2Fh
jne 00007EFF418B5E49h
mov al, byte ptr [edx+01h]
or al, 20h
cmp al, 77h
jne 00007EFF418B5E40h
cmp byte ptr [edx+02h], 00000020h
jne 00007EFF418B5E3Ah
mov esi, 00000001h
add edx, 03h
mov al, byte ptr [edx]
test al, al
je 00007EFF418B5E42h
cmp al, 20h
je 00007EFF418B5E36h
cmp al, 09h
jne 00007EFF418B5E3Ah
mov al, byte ptr [edx+01h]
inc edx
test al, al
jne 00007EFF418B5E22h
push edi
xor eax, eax
mov ecx, 00000011h
lea edi, dword ptr [esp+20h]
rep stosd
lea ecx, dword ptr [esp+10h]
push ecx
lea eax, dword ptr [esp+24h]
push eax
push ebp
push ebp
push 00000010h
push ebp
push ebp
push ebp
push edx
push ebp
mov dword ptr [esp+48h], 00000044h
mov dword ptr [esp+74h], 00000001h
mov word ptr [esp+78h], bp

Rich Headers

Programming Language:

[C++] VS2002 (.NET) build 9466
[LNK] VS2002 (.NET) build 9466

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1210	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x24	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2fe	0x400	1c61defec48fa1f4f80348e35119c7c0	False	0.5576171875	data	4.742151518817217	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	GetLastError, CloseHandle, WaitForSingleObject, CreateProcessA, ExitProcess, GetCommandLineA
USER32.dll	MessageBoxA

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 16:38:09.244014978 CEST	53	56890	1.1.1.1	192.168.2.16

Target ID:	0
Start time:	16:37:07
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\rhc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rhc.exe"
Imagebase:	0x400000
File size:	1'536 bytes
MD5 hash:	ABC6379205DE2618851C4FCBF72112EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:37:49
Start date:	19/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff61fe20000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:38:05
Start date:	19/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe"
Imagebase:	0x7ff6fd780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	16:38:05
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	16:39:08
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\rhc.exe
Wow64 process (32bit):	true
Commandline:	rhc.exe php.exe include.php
Imagebase:	0x400000
File size:	1'536 bytes
MD5 hash:	ABC6379205DE2618851C4FCBF72112EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00401163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 004011C7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004011DD
CloseHandle.KERNEL32(?), ref: 004011EE
CloseHandle.KERNEL32(?), ref: 004011F5
ExitProcess.KERNEL32 ref: 00401202

Strings

D, xrefs: 004011B2

Memory Dump Source

Source File: 00000000.00000002.1518392228.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_rhc.jbxd

Similarity

API ID: CloseHandleProcess$CreateExitObjectSingleWait
String ID: D
API String ID: 866796290-2746444292
Opcode ID: e2ea7b2bdf69c12cb2251610cb74903efcc42414d6a77362ea7aa540117340d9
Instruction ID: 3bca2011f90d1f806824949501a8baa480d0a65f873ae38137b24912edfdce2c
Opcode Fuzzy Hash: e2ea7b2bdf69c12cb2251610cb74903efcc42414d6a77362ea7aa540117340d9
Instruction Fuzzy Hash: 78110D314083486FDB258F54CC40BA7BBEDAB89314F044A6EF6D4773A1C379A8868719

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rhc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: rhc.exePID: 2528, Parent PID: 4380

General

Chronological Activities

Analysis Process: rundll32.exePID: 7112, Parent PID: 804

General

Chronological Activities

Analysis Process: cmd.exePID: 6272, Parent PID: 4380

General

Chronological Activities

Analysis Process: conhost.exePID: 3528, Parent PID: 6272

General

Chronological Activities

Windows Analysis Report
rhc.exe