Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rhc.exe

"C:\Users\user\Desktop\rhc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2528
Target ID:	0
Parent PID:	4380
Name:	rhc.exe
Path:	C:\Users\user\Desktop\rhc.exe
Commandline:	"C:\Users\user\Desktop\rhc.exe"
Size:	1536
MD5:	ABC6379205DE2618851C4FCBF72112EB
Time:	16:37:07
Date:	19/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8192
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file has a writeable .text section	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses 32bit PE files	Compliance, System Summary
PE file contains only one section	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\rhc.exe

rhc.exe php.exe include.php

Details

Is windows:	false
Is dropped:	false
PID:	3408
Target ID:	20
Parent PID:	6272
Name:	rhc.exe
Path:	C:\Users\user\Desktop\rhc.exe
Commandline:	rhc.exe php.exe include.php
Size:	1536
MD5:	ABC6379205DE2618851C4FCBF72112EB
Time:	16:39:08
Date:	19/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8192
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file has a writeable .text section	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses 32bit PE files	Compliance, System Summary
PE file contains only one section	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7112
Target ID:	12
Parent PID:	804
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	16:37:49
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff61fe20000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6272
Target ID:	16
Parent PID:	4380
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	16:38:05
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6fd780000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3528
Target ID:	17
Parent PID:	6272
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:38:05
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6684c0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

641000

heap

page read and write

610000

heap

page read and write

648000

heap

page read and write

3B10000

heap

page read and write

1F0000

heap

page read and write

19C000

stack

page read and write

22EF000

stack

page read and write

646000

heap

page read and write

242F000

stack

page read and write

63D000

heap

page read and write

242B775E000

heap

page read and write

63B000

heap

page read and write

62E000

heap

page read and write

52E000

stack

page read and write

26C0000

heap

page read and write

242B7700000

heap

page read and write

4E0000

heap

page read and write

65F317E000

stack

page read and write

4E0000

heap

page read and write

653000

heap

page read and write

3EE0000

trusted library allocation

page read and write

248E000

stack

page read and write

63E000

heap

page read and write

2719000

heap

page read and write

870000

heap

page read and write

654000

heap

page read and write

258F000

stack

page read and write

61E000

heap

page read and write

636000

heap

page read and write

4F5000

heap

page read and write

72F000

stack

page read and write

242B7600000

heap

page read and write

633000

heap

page read and write

401000

unkown

page execute and write copy

4F0000

heap

page read and write

53E000

stack

page read and write

9BF000

stack

page read and write

242B7985000

heap

page read and write

61A000

heap

page read and write

64C000

heap

page read and write

242B76E0000

heap

page read and write

2710000

heap

page read and write

638000

heap

page read and write

242B92D0000

heap

page read and write

57E000

stack

page read and write

63E000

heap

page read and write

5BE000

stack

page read and write

80F000

stack

page read and write

64E000

heap

page read and write

3B14000

heap

page read and write

242B7980000

heap

page read and write

658000

heap

page read and write

8BE000

stack

page read and write

90F000

stack

page read and write

76E000

stack

page read and write

654000

heap

page read and write

2430000

heap

page read and write

401000

unkown

page execute and read and write

2715000

heap

page read and write

9C000

stack

page read and write

637000

heap

page read and write

400000

unkown

page readonly

65F30FE000

stack

page read and write

63A000

heap

page read and write

63A000

heap

page read and write

65F307C000

stack

page read and write

242B7750000

heap

page read and write

530000

heap

page read and write

631000

heap

page read and write

637000

heap

page read and write

62A000

heap

page read and write

232E000

stack

page read and write

63D000

heap

page read and write

63D000

heap

page read and write

26B0000

heap

page read and write

9A000

stack

page read and write

86F000

stack

page read and write

636000

heap

page read and write

641000

heap

page read and write

65F31FE000

stack

page read and write

A0E000

stack

page read and write

19D000

stack

page read and write

63E000

heap

page read and write

1F0000

heap

page read and write

632000

heap

page read and write

21EE000

stack

page read and write

242B7758000

heap

page read and write

637000

heap

page read and write

656000

heap

page read and write

538000

heap

page read and write

There are 80 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rhc.exe

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportrhc.exe

Processes

Memdumps

IOC Report
rhc.exe