Analysis Overview
SHA256
ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997
Threat Level: Known bad
The file bid 06.09.2020.doc was found to be: Known bad.
Malicious Activity Summary
Valak JavaScript Loader
Valak
Process spawned unexpected child process
Loads dropped DLL
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks processor information in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-06-09 22:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-06-09 22:21
Reported
2020-06-09 22:24
Platform
win7v200430
Max time kernel
150s
Max time network
25s
Command Line
Signatures
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Office loads VBA resources, possible macro or embedded object present
Valak
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\system32\regsvr32.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Suspicious use of WriteProcessMemory
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Processes
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"
C:\Windows\system32\regsvr32.exe
regsvr32 c:\programdata\76497199.dat
C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\76497199.dat
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 10.7.0.255:137 | | udp |
| N/A | 224.0.0.252:5355 | | udp |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 8.8.8.8:53 | hzo0aut97bfu7zweb.com | udp |
| N/A | 95.181.178.15:80 | hzo0aut97bfu7zweb.com | tcp |
Files
\??\c:\programdata\76497199.dat
\ProgramData\76497199.dat
memory/868-6-0x0000000005480000-0x0000000005484000-memory.dmp
memory/868-7-0x0000000005620000-0x0000000005624000-memory.dmp
C:\Users\Public\CCGYPWTwr.iySAE
memory/1592-9-0x0000000002760000-0x0000000002764000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-06-09 22:21
Reported
2020-06-09 22:24
Platform
win10v200430
Max time kernel
138s
Max time network
135s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3656 wrote to memory of 3944 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 3656 wrote to memory of 3944 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 3944 wrote to memory of 3896 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3944 wrote to memory of 3896 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3944 wrote to memory of 3896 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3896 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3896 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3896 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Valak
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\76497199.dat
C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\76497199.dat
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
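The process tree in both detonations (WINWORD.EXE -> 64-bit regsvr32.exe loading c:\programdata\76497199.dat -> 32-bit regsvr32.exe -> wscript.exe //E:jscript on a file with a random extension) is the chain behind the "Process spawned unexpected child process" and "Loads dropped DLL" signatures above. The following is an added detection example, not part of the sandbox report or of any vendor tooling: it scores constructed process-creation events against three rules that this chain trips. The events are built from the command lines listed in this report; the PIDs are those named in behavioral2's WriteProcessMemory entries, while the explorer.exe parent of WINWORD.EXE and the benign regsvr32 control event are assumptions for illustration.

```python
"""Detect the Office -> regsvr32 -> wscript loader chain seen in this report.

Added example; the events below are constructed from the command lines in
the sandbox output, they are not real telemetry from the detonation.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
           "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
DLL_EXTS = {".dll", ".ocx", ".ax", ".cpl"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def args_of(cmdline: str) -> list[str]:
    # Windows-style tokens: "quoted strings" or bare words. A dangling
    # opening quote (as in the wscript line above) swallows the rest.
    return [t.strip('"') for t in re.findall(r'"[^"]*"?|\S+', cmdline)]


def _is_self(token: str, names: set[str]) -> bool:
    # argv[0] may appear as "regsvr32" or "wscript.exe"; skip it either way.
    return ntpath.splitext(basename(token))[0] in names


def rule_office_child(ev: ProcEvent) -> Optional[str]:
    # Office applications have no business launching script hosts or DLL loaders.
    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in LOLBINS:
        return f"office child process: {basename(ev.parent_image)} -> {basename(ev.image)}"
    return None


def rule_regsvr32_odd_module(ev: ProcEvent) -> Optional[str]:
    # regsvr32 registering a module whose extension is not a DLL-like one
    # (here a .dat in ProgramData) is the "Loads dropped DLL" pattern.
    if basename(ev.image) != "regsvr32.exe":
        return None
    for a in args_of(ev.cmdline):
        if a.startswith(("/", "-")) or _is_self(a, {"regsvr32"}):
            continue
        ext = ntpath.splitext(a)[1].lower()
        if ext not in DLL_EXTS:
            return f"regsvr32 loading non-DLL extension {ext or '(none)'}: {a}"
    return None


def rule_wscript_odd_script(ev: ProcEvent) -> Optional[str]:
    # //E:<engine> forces the script engine, so the file extension can be
    # anything; a non-script extension is the Valak loader pattern.
    if basename(ev.image) not in {"wscript.exe", "cscript.exe"}:
        return None
    args = args_of(ev.cmdline)
    engine = next((a.split(":", 1)[1].lower() for a in args
                   if a.lower().startswith("//e:")), None)
    for a in args:
        if a.startswith("/") or _is_self(a, {"wscript", "cscript"}):
            continue
        ext = ntpath.splitext(a)[1].lower()
        if ext not in SCRIPT_EXTS:
            return (f"{basename(ev.image)} running {a} with engine "
                    f"{engine or 'by extension'}: non-script extension {ext or '(none)'}")
    return None


RULES = (rule_office_child, rule_regsvr32_odd_module, rule_wscript_odd_script)


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    return [(ev.pid, rule.__name__, msg)
            for ev in events for rule in RULES if (msg := rule(ev))]


WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
EVENTS = [  # constructed from the report's process tree; PIDs from behavioral2
    ProcEvent(3656, 0, WORD, r"C:\Windows\explorer.exe",  # parent assumed
              f'"{WORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\bid 06.09.2020.doc" /o ""'),
    ProcEvent(3944, 3656, r"C:\Windows\SYSTEM32\regsvr32.exe", WORD,
              r"regsvr32 c:\programdata\76497199.dat"),
    ProcEvent(3896, 3944, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"C:\Windows\SYSTEM32\regsvr32.exe", r"c:\programdata\76497199.dat"),
    ProcEvent(1896, 3896, r"C:\Windows\SysWOW64\wscript.exe",
              r"C:\Windows\SysWOW64\regsvr32.exe",
              r'wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE'),
    # assumed benign control: an operator registering a real DLL from cmd.exe
    ProcEvent(2000, 1900, r"C:\Windows\system32\regsvr32.exe",
              r"C:\Windows\system32\cmd.exe", r"regsvr32 /s C:\Windows\System32\msxml6.dll"),
]

if __name__ == "__main__":
    for pid, rule, msg in detect(EVENTS):
        print(f"PID {pid} [{rule}] {msg}")
```

Each stage of the chain is caught by its own rule, so the detection degrades gracefully: if a variant drops a .dll instead of a .dat, the regsvr32 rule misses but the Office-parent and wscript rules still fire. The benign control event shows why the regsvr32 rule keys on the module extension rather than on regsvr32 itself.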
Network
| Country | Destination | Domain | Proto |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 127.0.0.1:47001 | | tcp |
| N/A | 8.8.8.8:53 | hzo0aut97bfu7zweb.com | udp |
| N/A | 95.181.178.15:80 | hzo0aut97bfu7zweb.com | tcp |
| N/A | 10.10.0.255:137 | | udp |
Files
memory/3656-4-0x00000224267CC000-0x00000224267D0000-memory.dmp
\??\c:\programdata\76497199.dat
\ProgramData\76497199.dat
C:\Users\Public\CCGYPWTwr.iySAE