Malware Analysis Report

2024-11-15 09:09

Sample ID 200626-2alxs74lze
Target 49988373.dat
SHA256 659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4
Tags valak Loader
Score 10/10

Analysis Overview

Score 10/10

SHA256

659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4

Threat Level: Known bad

The file 49988373.dat was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak

Valak JavaScript Loader

JavaScript code in executable

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2020-06-26 08:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2020-06-26 08:11
Reported 2020-06-26 08:13
Platform win7v200430
Max time kernel 49s
Max time network 20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\mUDSqcHQn.pAnNR

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/1500-0-0x0000000000000000-mapping.dmp

memory/1764-1-0x0000000000000000-mapping.dmp

C:\Users\Public\mUDSqcHQn.pAnNR

MD5 cbeff86974572b0a4e4f47a571b0298e
SHA1 e16d9a2bb4040fcb815980f9b2cd36b65c9f346e
SHA256 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2
SHA512 1c5408467d437fb4e2040b4aa504d3d9fcc16bdafb020063b9004847ccb05cd122439d2974a0be0cd59fb3c458117c79ec69513d9b3a56803192671688501af0

memory/1764-3-0x0000000002660000-0x0000000002664000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2020-06-26 08:11
Reported 2020-06-26 08:13
Platform win10
Max time kernel 142s
Max time network 145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 3636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe
PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe
PID 3636 wrote to memory of 3824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\49988373.dat.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\mUDSqcHQn.pAnNR

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/3636-0-0x0000000000000000-mapping.dmp

memory/3824-1-0x0000000000000000-mapping.dmp

C:\Users\Public\mUDSqcHQn.pAnNR

MD5 cbeff86974572b0a4e4f47a571b0298e
SHA1 e16d9a2bb4040fcb815980f9b2cd36b65c9f346e
SHA256 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2
SHA512 1c5408467d437fb4e2040b4aa504d3d9fcc16bdafb020063b9004847ccb05cd122439d2974a0be0cd59fb3c458117c79ec69513d9b3a56803192671688501af0