Analysis Overview
SHA256
659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4
Threat Level: Known bad
The file 49988373.dat was found to be: Known bad.
Malicious Activity Summary
Valak
Valak JavaScript Loader
JavaScript code in executable
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-06-26 08:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-06-26 08:11
Reported
2020-06-26 08:13
Platform
win7v200430
Max time kernel
49s
Max time network
20s
Command Line
Signatures
Valak
Valak JavaScript Loader
JavaScript code in executable
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\mUDSqcHQn.pAnNR
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/1500-0-0x0000000000000000-mapping.dmp
memory/1764-1-0x0000000000000000-mapping.dmp
C:\Users\Public\mUDSqcHQn.pAnNR
| MD5 | cbeff86974572b0a4e4f47a571b0298e |
| SHA1 | e16d9a2bb4040fcb815980f9b2cd36b65c9f346e |
| SHA256 | 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 |
| SHA512 | 1c5408467d437fb4e2040b4aa504d3d9fcc16bdafb020063b9004847ccb05cd122439d2974a0be0cd59fb3c458117c79ec69513d9b3a56803192671688501af0 |
memory/1764-3-0x0000000002660000-0x0000000002664000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-06-26 08:11
Reported
2020-06-26 08:13
Platform
win10
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Valak
Valak JavaScript Loader
JavaScript code in executable
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\mUDSqcHQn.pAnNR
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/3636-0-0x0000000000000000-mapping.dmp
memory/3824-1-0x0000000000000000-mapping.dmp
C:\Users\Public\mUDSqcHQn.pAnNR
| MD5 | cbeff86974572b0a4e4f47a571b0298e |
| SHA1 | e16d9a2bb4040fcb815980f9b2cd36b65c9f346e |
| SHA256 | 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 |
| SHA512 | 1c5408467d437fb4e2040b4aa504d3d9fcc16bdafb020063b9004847ccb05cd122439d2974a0be0cd59fb3c458117c79ec69513d9b3a56803192671688501af0 |