Analysis

max time kernel: 66s
max time network: 68s
platform: windows10_x64
resource: win10v200430
submitted: 09-06-2020 22:53

Static task: static1
Behavioral task: behavioral1
Sample: file.exe.dll
Resource: win7v200430
0 signatures, 0 seconds
General

Target: file.exe.dll
Size: 289KB
MD5: cb82bf060afe5a4e862cbe246e69ab7d
SHA1: 68c4bd00bacebbf08e3d5e7af2e7f4e4379366de
SHA256: b9bea7b9328edd5b391c66e634ab42bb5d9a05c76d76fbebac8e81f36c3b333b
SHA512: a9a8c9bc08a10533ffee3e6ff39c750d2222dc4ca3b619c2c96bf24ef6b218a1918e3166847d8f53132f26fb2ad5f061549fff99c08c01b823c6625e200fd66c
Malware Config
Signatures

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid   process       target process
  PID 3692 wrote to memory of 3128     3692  rundll32.exe  rundll32.exe
  PID 3692 wrote to memory of 3128     3692  rundll32.exe  rundll32.exe
  PID 3692 wrote to memory of 3128     3692  rundll32.exe  rundll32.exe
  PID 3128 wrote to memory of 2388     3128  rundll32.exe  wscript.exe
  PID 3128 wrote to memory of 2388     3128  rundll32.exe  wscript.exe
  PID 3128 wrote to memory of 2388     3128  rundll32.exe  wscript.exe

Valak JavaScript Loader (1 IoC)
Processes:
  resource                         yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE  valak
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.exe.dll,#1
  PID: 3692
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.exe.dll,#1
    PID: 3128
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE"
      PID: 2388

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4092