Malware Analysis Report

2024-11-15 09:09

Sample ID: 200609-59aaj585qn
Target: bid 06.09.2020.doc
SHA256: ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997
Tags: Loader valak
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997

Threat Level: Known bad

The file bid 06.09.2020.doc was found to be: Known bad.

Malicious Activity Summary

Loader valak

Valak JavaScript Loader

Valak

Process spawned unexpected child process

Loads dropped DLL

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-06-09 22:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-06-09 22:21
Reported: 2020-06-09 22:24
Platform: win7v200430
Max time kernel: 150s
Max time network: 25s

Command Line

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"

Signatures

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Office loads VBA resources, possible macro or embedded object present

Valak

Loader valak

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\system32\regsvr32.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 868 wrote to memory of 1116 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 868 wrote to memory of 1116 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 868 wrote to memory of 1116 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 868 wrote to memory of 1116 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 868 wrote to memory of 1116 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 1148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1148 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1148 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1148 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1148 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"

C:\Windows\system32\regsvr32.exe

regsvr32 c:\programdata\76497199.dat

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\76497199.dat

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 10.7.0.255:137 |  | udp
N/A | 224.0.0.252:5355 |  | udp
N/A | 239.255.255.250:1900 |  | udp
N/A | 239.255.255.250:1900 |  | udp
N/A | 8.8.8.8:53 | hzo0aut97bfu7zweb.com | udp
N/A | 95.181.178.15:80 | hzo0aut97bfu7zweb.com | tcp

Files

\??\c:\programdata\76497199.dat

\ProgramData\76497199.dat

memory/868-6-0x0000000005480000-0x0000000005484000-memory.dmp

memory/868-7-0x0000000005620000-0x0000000005624000-memory.dmp

C:\Users\Public\CCGYPWTwr.iySAE

memory/1592-9-0x0000000002760000-0x0000000002764000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-06-09 22:21
Reported: 2020-06-09 22:24
Platform: win10v200430
Max time kernel: 138s
Max time network: 135s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Valak

Loader valak

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 c:\programdata\76497199.dat

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\76497199.dat

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 239.255.255.250:1900 |  | udp
N/A | 239.255.255.250:1900 |  | udp
N/A | 127.0.0.1:47001 |  | tcp
N/A | 8.8.8.8:53 | hzo0aut97bfu7zweb.com | udp
N/A | 95.181.178.15:80 | hzo0aut97bfu7zweb.com | tcp
N/A | 10.10.0.255:137 |  | udp

Files

memory/3656-4-0x00000224267CC000-0x00000224267D0000-memory.dmp

\??\c:\programdata\76497199.dat

\ProgramData\76497199.dat

C:\Users\Public\CCGYPWTwr.iySAE