Analysis Report Vjvj9F0fTc
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
There are no malicious signatures.
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 6% | Virustotal | | |
| | 2% | ReversingLabs | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 330003 |
Start date: | 14.12.2020 |
Start time: | 08:15:26 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 1m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Vjvj9F0fTc (renamed file extension from none to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean1.winDLL@1/0@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
| Time | Type | Description |
|---|---|---|
| 08:16:20 | API Interceptor | |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 5.582826996737924 |
File name: | Vjvj9F0fTc.dll |
File size: | 1011032 |
MD5: | b91ce2fa41029f6955bff20079468448 |
SHA1: | 76640508b1e7759e548771a5359eaed353bf1eec |
SHA256: | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 |
SHA512: | 6a81f082f36ccbda48070772c5a97e1d7de61ad77465e7befe8cbd97df40dcc5da09c461311708e3d57527e323484b05cfd3e72a3c70e106e47f44cc77584bd7 |
SSDEEP: | 12288:Zx7m/z9aEBzvnvLtYAi6uLlYQ69BBpIvF1tjpH7BKi+0A8vca9owQ:6aEBTvRBi6uL6dIvDtjpH9+0A8vca9oD |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.y^.........." ..0..H...........a... ........... ..............................bz....`................................ |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x100f61a6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Time Stamp: | 0x5E79CA52 [Tue Mar 24 08:52:34 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | dae02f32a21e03ce65412f6e56942daa |
Authenticode Signature |
---|
Signature Valid: | true |
Signature Issuer: | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Version: | 3 |
Thumbprint MD5: | 08E35543D6110ED11FDF558BB093D401 |
Thumbprint SHA-1: | 47D92D49E6F7F296260DA1AF355F941EB25360C4 |
Thumbprint SHA-256: | 53F8DFC65169CCDA021B72A62E0C22A4DB7C4077F002FA742717D41B3C40F2C7 |
Serial: | 0FE973752022A606ADF2A36E345DC0ED |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [10002000h] |
xor dl, byte ptr [eax] |
xchg al, ch |
pop ebx |
fisubr word ptr [ecx+2Ch] |
mov dl, 3Dh |
retn 95BCh |
push FFFFFFC9h |
cld |
xor dword ptr [ebp-63h], ecx |
pop ebx |
xor ebp, dword ptr [ebp+08h] |
jno 00007F3998813906h |
fcomp3 st(2) |
rol dword ptr [ebp+6EBD073Bh], 51h |
or ecx, dword ptr [ebp-4F69303Ah] |
add byte ptr [esi-2Ch], ah |
jnc 00007F399881399Ch |
xchg eax, edx |
ficom word ptr [ecx+7Eh] |
add byte ptr [ecx+edi-26D72F48h], 00000044h |
mov cl, 41h |
push cs |
ret |
xlatb |
mov ch, byte ptr [ecx+ebp] |
lea edi, ebp |
mov cl, byte ptr [ebp+2Ch] |
and eax, 2770CE61h |
mov dh, ACh |
inc edi |
fstp tbyte ptr [ebp-7E8F69D3h] |
stc |
jmp 00007F399881393Ah |
rcl byte ptr [ecx], 0000001Fh |
iretd |
sub ebp, esp |
int3 |
sal dword ptr [esi], 1 |
xchg eax, edx |
cdq |
xor ah, byte ptr [edi+ecx-24h] |
cwde |
sbb ebp, eax |
mov bl, al |
loop 00007F3998813915h |
mov dl, BDh |
dec esp |
int1 |
call 00007F3A0CF58999h |
jmp 00007F39234E28F1h |
scasd |
xor al, ECh |
jnl 00007F3998813910h |
mov cs, dx |
cmp bl, byte ptr [esi] |
jns 00007F39988138DCh |
test eax, 47A375F1h |
not dword ptr [edx+edi*8-7F505A3Dh] |
xor al, ACh |
cdq |
cmpsb |
call ebp |
push edi |
stosb |
inc esi |
out dx, al |
aaa |
int A5h |
jnle 00007F3998813984h |
and esp, eax |
loope 00007F39988139ACh |
in eax, dx |
pop esi |
add dword ptr [ecx+34h], 3F473970h |
add eax, 3A0B0FF3h |
jnbe 00007F3998813994h |
xchg eax, esi |
and al, FFh |
arpl word ptr [edx], dx |
or byte ptr [edx+0060F23Fh], cl |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf6154 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x520 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf5200 | 0x1b58 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf601c | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xf477c | 0xf4800 | False | 0.336901081608 | data | 5.56921920539 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xf8000 | 0x520 | 0x600 | False | 0.305338541667 | data | 3.01571277024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xfa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0xf8058 | 0x4c2 | data | | |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorDllMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved. |
Assembly Version | 2019.4.5200.9083 |
InternalName | SolarWinds.Orion.Core.BusinessLayer.dll |
FileVersion | 2019.4.5200.9083 |
CompanyName | SolarWinds Worldwide, LLC. |
LegalTrademarks | |
Comments | |
ProductName | SolarWinds.Orion.Core.BusinessLayer |
ProductVersion | 2019.4.5200.9083 |
FileDescription | SolarWinds.Orion.Core.BusinessLayer |
OriginalFilename | SolarWinds.Orion.Core.BusinessLayer.dll |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
System Behavior |
---|
General |
---|
Start time: | 08:16:20 |
Start date: | 14/12/2020 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 120832 bytes |
MD5 hash: | 2D39D4DFDE8F7151723794029AB8A034 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|