Edit tour
Windows
Analysis Report
7nJ9Jo78Vq.dll
Overview
General Information
Sample name: | 7nJ9Jo78Vq.dllrenamed because original name is a hash value |
Original sample name: | 14df3534ab6da8746147332478ce61f530e6499f071c25aa1ed03bdb69910960.dll |
Analysis ID: | 1577415 |
MD5: | a9a78cfcb6a1523212cb41b06552b736 |
SHA1: | 8560713395ef2f92c08b1519a91b43502502988d |
SHA256: | 14df3534ab6da8746147332478ce61f530e6499f071c25aa1ed03bdb69910960 |
Tags: | 107-148-62-100dlluser-JAMESWT_MHT |
Infos: | |
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- loaddll32.exe (PID: 1048 cmdline:
loaddll32. exe "C:\Us ers\user\D esktop\7nJ 9Jo78Vq.dl l" MD5: 51E6071F9CBA48E79F10C84515AAE618) - conhost.exe (PID: 5628 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5436 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\7nJ 9Jo78Vq.dl l",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - rundll32.exe (PID: 6564 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\7nJ9 Jo78Vq.dll ",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 1268 cmdline:
rundll32.e xe C:\User s\user\Des ktop\7nJ9J o78Vq.dll, ExportFunc tion MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7092 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\7nJ9 Jo78Vq.dll ",ExportFu nction MD5: 889B99C52A60DD49227C5E485A016679) - 7NPuGneP.exe (PID: 984 cmdline:
"C:\Users\ user\AppDa ta\Roaming \MyAppData Dir\7NPuGn eP.exe" MD5: 54A911B3E8161444EA6677C23AA38D17)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
|
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T13:18:22.797643+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49812 | 107.148.62.100 | 8084 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |