Malware Analysis Report

2024-11-15 09:09

Sample ID 200522-jwvt9cagt6
Target bid_05.20.doc
SHA256 d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c
Tags valak, Loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c

Threat Level: Known bad

The file bid_05.20.doc was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak

Process spawned unexpected child process

Valak JavaScript Loader

Loads dropped DLL

JavaScript code in executable

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-05-22 16:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-05-22 16:50

Reported

2020-05-22 16:53

Platform

win7v200430

Max time kernel

149s

Max time network

158s

Command Line

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\system32\regsvr32.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc"

C:\Windows\system32\regsvr32.exe

regsvr32 c:\programdata\36586915.dat

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.willsterns.com | udp
N/A | 107.180.58.72:80 | www.willsterns.com | tcp

Files

\??\c:\programdata\36586915.dat

MD5 27759b5877264eb385bb1d290296d066
SHA1 9bbc815b15c1affcbb7185d993803d9efc890829
SHA256 7c0e9f60f353dd3705a96a41980aaf84dead5336420902084e757ca6e3feea18
SHA512 5d9dcdce1ddde1b2cedd74b77c59b424b14f5b32ebe0440a1c24168c3b0f1320702a3cacfbf6553da0e230541acbc4aeaaca7ed87c5f97234b2b008df1812bc4

Analysis: behavioral2

Detonation Overview

Submitted

2020-05-22 16:50

Reported

2020-05-22 16:53

Platform

win10v200430

Max time kernel

139s

Max time network

137s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Valak

Tags Loader, valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc" /o ""

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 c:\programdata\36586915.dat

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\36586915.dat

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\OuJnXEmSq.OZcyY

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.willsterns.com | udp
N/A | 107.180.58.72:80 | www.willsterns.com | tcp

Files

memory/1740-0-0x000001E4E5008000-0x000001E4E500B000-memory.dmp

memory/1740-1-0x000001E4E500B000-0x000001E4E5010000-memory.dmp

memory/1740-2-0x000001E4E500B000-0x000001E4E5010000-memory.dmp

memory/1740-3-0x000001E4E5008000-0x000001E4E500B000-memory.dmp

memory/1740-4-0x000001E4E5159000-0x000001E4E515E000-memory.dmp

memory/1740-5-0x000001E4E5159000-0x000001E4E515E000-memory.dmp

memory/1740-6-0x000001E4E5159000-0x000001E4E515E000-memory.dmp

\??\c:\programdata\36586915.dat

MD5 3acef680d63f6749c2aa4f70290b9711
SHA1 03e5346225fdd08cb44326cf502e8f9854301622
SHA256 d36ed440154bf6ca7839640726071eb4b03364dc39de974a1d0077a6dd55f631
SHA512 c7c9ba8d879e58e82e80b6def480291869438ccacc88cded1171b27012f22e7ec6823d3f67060be0ab8e2afd24487f3b9d6376edfc76246af0338a133510b82c

\ProgramData\36586915.dat

MD5 3acef680d63f6749c2aa4f70290b9711
SHA1 03e5346225fdd08cb44326cf502e8f9854301622
SHA256 d36ed440154bf6ca7839640726071eb4b03364dc39de974a1d0077a6dd55f631
SHA512 c7c9ba8d879e58e82e80b6def480291869438ccacc88cded1171b27012f22e7ec6823d3f67060be0ab8e2afd24487f3b9d6376edfc76246af0338a133510b82c

C:\Users\Public\OuJnXEmSq.OZcyY

MD5 068586bbe8e155cad3938dc19d742a37
SHA1 b42234fa85c7bdde8d1e6e2c349e95a02c90bfe7
SHA256 c9bebbf66481080359a2e4e1de51f5c2ef6973e8f8588d5323e8e4be9ae66647
SHA512 f670b281e51403eb3f39027059100f476b95a9310af93b86976e974d3d69f031cd392483281a83d32b8f2b27f597161359e249bd9542af692fe3ef1e5f7b5464