Resubmissions

  • 22-05-2020 16:50 · 200522-jwvt9cagt6 · 10
  • 22-05-2020 16:43 · 200522-gl21s88ymx · 10

Analysis

  • max time kernel: 139s
  • max time network: 137s
  • platform: windows10_x64
  • resource: win10v200430
  • submitted: 22-05-2020 16:50

General

  • Target: bid_05.20.doc
  • Size: 93KB
  • MD5: c20c9b35bb637f123e13d76b9856be94
  • SHA1: b5d2640247e6ef9424741cf2cfd47f9b837f252a
  • SHA256: d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c
  • SHA512: 03365c04e0e09d02fe6cd6fa41e68eab9c50878f29f8b2f74c93773abc207d765069183476d33d800141f8e4398558a57f639cfd0d2674465e09ae80121856fe

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 c:\programdata\36586915.dat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\programdata\36586915.dat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\OuJnXEmSq.OZcyY
          4⤵
            PID:1936
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3720

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Public\OuJnXEmSq.OZcyY
    MD5: 068586bbe8e155cad3938dc19d742a37
    SHA1: b42234fa85c7bdde8d1e6e2c349e95a02c90bfe7
    SHA256: c9bebbf66481080359a2e4e1de51f5c2ef6973e8f8588d5323e8e4be9ae66647
    SHA512: f670b281e51403eb3f39027059100f476b95a9310af93b86976e974d3d69f031cd392483281a83d32b8f2b27f597161359e249bd9542af692fe3ef1e5f7b5464

  • \??\c:\programdata\36586915.dat
    MD5: 3acef680d63f6749c2aa4f70290b9711
    SHA1: 03e5346225fdd08cb44326cf502e8f9854301622
    SHA256: d36ed440154bf6ca7839640726071eb4b03364dc39de974a1d0077a6dd55f631
    SHA512: c7c9ba8d879e58e82e80b6def480291869438ccacc88cded1171b27012f22e7ec6823d3f67060be0ab8e2afd24487f3b9d6376edfc76246af0338a133510b82c

  • \ProgramData\36586915.dat
    MD5: 3acef680d63f6749c2aa4f70290b9711
    SHA1: 03e5346225fdd08cb44326cf502e8f9854301622
    SHA256: d36ed440154bf6ca7839640726071eb4b03364dc39de974a1d0077a6dd55f631
    SHA512: c7c9ba8d879e58e82e80b6def480291869438ccacc88cded1171b27012f22e7ec6823d3f67060be0ab8e2afd24487f3b9d6376edfc76246af0338a133510b82c

  • memory/1740-0-0x000001E4E5008000-0x000001E4E500B000-memory.dmp (Filesize: 12KB)
  • memory/1740-1-0x000001E4E500B000-0x000001E4E5010000-memory.dmp (Filesize: 20KB)
  • memory/1740-2-0x000001E4E500B000-0x000001E4E5010000-memory.dmp (Filesize: 20KB)
  • memory/1740-3-0x000001E4E5008000-0x000001E4E500B000-memory.dmp (Filesize: 12KB)
  • memory/1740-4-0x000001E4E5159000-0x000001E4E515E000-memory.dmp (Filesize: 20KB)
  • memory/1740-5-0x000001E4E5159000-0x000001E4E515E000-memory.dmp (Filesize: 20KB)
  • memory/1740-6-0x000001E4E5159000-0x000001E4E515E000-memory.dmp (Filesize: 20KB)