Resubmissions

09-06-2020 22:21

200609-59aaj585qn 10

Analysis

  • max time kernel
    150s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-06-2020 22:21

General

  • Target

    bid 06.09.2020.doc

  • Size

    117KB

  • MD5

    604ffddf9b128893501e078cf20614b4

  • SHA1

    00ab48b309631ea1420542e84792619fef594b0f

  • SHA256

    ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997

  • SHA512

    f5437529f735bbbbdc36891d49375eaaa2fe03b48b802dbc6826ede3e55ea337e7a61dc09249fb92c5da32717b58fc242ee80433bc473e8ddd49ad65c00512fb

Score
10/10

Malware Config

Signatures

  • Valak JavaScript Loader 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 16 IoCs
  • Loads dropped DLL 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\system32\regsvr32.exe
      regsvr32 c:\programdata\76497199.dat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\programdata\76497199.dat
        3⤵
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:1148
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
          4⤵
            PID:1592
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2016

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\CCGYPWTwr.iySAE

      • \??\c:\programdata\76497199.dat

      • \ProgramData\76497199.dat

      • memory/868-6-0x0000000005480000-0x0000000005484000-memory.dmp

        Filesize

        16KB

      • memory/868-7-0x0000000005620000-0x0000000005624000-memory.dmp

        Filesize

        16KB

      • memory/1592-9-0x0000000002760000-0x0000000002764000-memory.dmp

        Filesize

        16KB