Analysis Overview
SHA256
ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997
Threat Level: Known bad
The file bid 06.09.2020.doc was found to be: Known bad.
Malicious Activity Summary
Valak JavaScript Loader
Process spawned unexpected child process
Valak
Loads dropped DLL
Drops file in System32 directory
Modifies service
Drops file in Windows directory
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-06-09 22:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-06-09 22:33
Reported
2020-06-09 22:43
Platform
win10v200430
Max time kernel
539s
Max time network
359s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
Modifies service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help = "8679" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List = "8678 8684 8694 8704 8724 8768 8778 8816 8822 8838" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\PerfIniFile = "WmiApRpl.ini" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter = "8844" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help = "8845" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter = "8678" | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Valak
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 2996 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1516 wrote to memory of 2996 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 2996 wrote to memory of 3872 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2996 wrote to memory of 3872 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2996 wrote to memory of 3872 | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3872 wrote to memory of 3588 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3872 wrote to memory of 3588 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3872 wrote to memory of 3588 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\76497199.dat
C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\76497199.dat
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
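The process tree above is the part of this report worth turning into detection logic: WINWORD.EXE (PID 1516) launches the 64-bit regsvr32.exe (2996) on a file in C:\ProgramData with a .dat extension, regsvr32 relaunches its SysWOW64 copy (3872) because the module is 32-bit, which is why that command line is only the path, and the 32-bit regsvr32 then starts wscript.exe (3588) with //E:jscript on a file whose extension is not one the script host would dispatch on its own. The WmiApSrv.exe entries are left out: WmiApSrv.exe is the WMI Performance Adapter, and the perf-counter files it drops under system32\wbem\Performance and the HKLM\...\Services\WmiApRpl\Performance values it writes are the service registering its own counters, which Windows does with no help from the sample, so they carry no signal about this document. The following is an added example, not code from the sandbox or from any vendor; the events are constructed from the Processes section (the PIDs are those listed under the WriteProcessMemory signature, WINWORD's parent PID 0 is a placeholder because the report does not show it), and the field layout loosely follows Sysmon Event ID 1:

```python
"""Rules for the WINWORD -> regsvr32 -> regsvr32 -> wscript chain in this report.

Added example.  EVENTS is constructed from the report's process tree, not
captured telemetry; field names loosely follow Sysmon Event ID 1.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REGSVR32_MODULE_EXT = {".dll", ".ocx", ".ax"}            # what regsvr32 normally loads
SCRIPT_FILE_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed from the Processes section of this report.  WINWORD's parent PID
# (0) is a placeholder: the report does not show it.
EVENTS = [
    ProcEvent(1516, 0, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""'),
    ProcEvent(2996, 1516, r"C:\Windows\SYSTEM32\regsvr32.exe",
              r"regsvr32 c:\programdata\76497199.dat"),
    ProcEvent(3872, 2996, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"c:\programdata\76497199.dat"),
    ProcEvent(3588, 3872, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE"'),
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def win_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    posix=False keeps backslashes literal; the quotes are stripped afterwards."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def path_args(cmdline: str) -> List[str]:
    """Arguments that look like file paths (contain a backslash); /flags and
    bare program names such as 'regsvr32' are ignored."""
    return [a for a in win_args(cmdline) if "\\" in a]


def rule_office_spawns_regsvr32(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """An Office application is the direct parent of regsvr32.exe."""
    parent = by_pid.get(ev.ppid)
    return (parent is not None and basename(parent.image) in OFFICE_IMAGES
            and basename(ev.image) == "regsvr32.exe")


def rule_regsvr32_odd_module(ev: ProcEvent) -> bool:
    """regsvr32 asked to load a module whose extension is not a COM server's.
    The 32-bit relaunch carries only the path as its command line, so the rule
    inspects path-like arguments instead of argv[1]."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    return any(os.path.splitext(basename(p))[1] not in REGSVR32_MODULE_EXT
               for p in path_args(ev.cmdline))


def rule_jscript_odd_extension(ev: ProcEvent) -> bool:
    """wscript/cscript forced into an engine (//E:...) to run a file whose
    extension would not be dispatched to a script engine on its own."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    args = win_args(ev.cmdline)
    forced_engine = any(a.lower().startswith(("//e:", "/e:")) for a in args)
    odd_ext = any(os.path.splitext(basename(p))[1] not in SCRIPT_FILE_EXT
                  for p in path_args(ev.cmdline))
    return forced_engine and odd_ext


def rule_office_to_script_chain(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                                max_hops: int = 4) -> bool:
    """A script host with an Office application among its ancestors within
    max_hops, so extra proxy processes in between do not hide the chain."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    cur, hops = by_pid.get(ev.ppid), 0
    while cur is not None and hops < max_hops:
        if basename(cur.image) in OFFICE_IMAGES:
            return True
        cur, hops = by_pid.get(cur.ppid), hops + 1
    return False


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run every rule over every event; returns sorted (rule name, pid) pairs."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if rule_office_spawns_regsvr32(ev, by_pid):
            findings.append(("office_spawns_regsvr32", ev.pid))
        if rule_regsvr32_odd_module(ev):
            findings.append(("regsvr32_odd_module", ev.pid))
        if rule_jscript_odd_extension(ev):
            findings.append(("jscript_odd_extension", ev.pid))
        if rule_office_to_script_chain(ev, by_pid):
            findings.append(("office_to_script_chain", ev.pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26s} pid={pid}")
```

Run against the constructed events, the two regsvr32 instances fire the odd-module rule (the extension check is what separates this from the legitimate `regsvr32 /s something.dll`), the 64-bit one also fires the Office-parent rule, and wscript.exe fires both the forced-engine rule and the ancestry rule; WINWORD itself produces no finding. The ancestry walk is the rule to keep when the loader changes its proxy (rundll32, mshta, a renamed regsvr32), since it does not depend on the middle of the chain.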
Network
| Country | Destination | Domain | Proto |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 239.255.255.250:1900 | | udp |
| N/A | 127.0.0.1:47001 | | tcp |
| N/A | 8.8.8.8:53 | hzo0aut97bfu7zweb.com | udp |
| N/A | 95.181.178.15:80 | hzo0aut97bfu7zweb.com | tcp |
| N/A | 10.10.0.255:137 | | udp |
Files
\??\c:\programdata\76497199.dat
\ProgramData\76497199.dat
C:\Users\Public\CCGYPWTwr.iySAE