Analysis

  • max time kernel
    147s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    26-06-2020 17:27

General

  • Target

    adjure_06.26.2020.doc

  • Size

    117KB

  • MD5

    7ecef428b39c93f449292c1344c2d26f

  • SHA1

    32170dadf5481cdf794bb13e8c794df277c1f828

  • SHA256

    c2222ea9ba5e0bceba9721084fb70b803f6a4cbf962e98b9a8ea3125f76a685f

  • SHA512

    86bcadffcb89775307ba4f401f97dbec89e2eebc6f66b08b1b8cf9caa722951c7623a5007658c9bc08861a7191808ce649826111b9575d8c610240111c556967

Score
10/10

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Valak

    Valak is a JavaScript-based loader used as one link in a distribution chain that delivers other malware families.

  • Valak JavaScript Loader 2 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host or scripting environment rather than a browser.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 c:\programdata\64961.jpg
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\programdata\64961.jpg
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe
          4⤵
            PID:3920
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2108
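
The process tree above maps directly onto detection logic: an Office application spawning regsvr32.exe, regsvr32 loading a module whose extension is not .dll, and a regsvr32 child running wscript.exe with an explicit //E:jscript engine override on a file whose extension is not a script extension. The Python below is an added example and is not part of the sandbox report or the sandbox's own rule set. The event records are constructed from the report's process tree; the event field names are an assumed schema (not the sandbox's export format), and the parent processes for WINWORD.EXE and WmiApSrv.exe are assumed, since the report shows neither.

```python
"""Rules for the Office -> regsvr32 -> wscript chain seen in the report above.

Added example, not the sandbox's code.  Field names (pid, parent_image,
image, command_line) are an assumed schema.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_EXTS = {".dll", ".ocx", ".ax"}          # what regsvr32 normally registers
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Constructed from the report's process tree.  Parents of WINWORD.EXE and
# WmiApSrv.exe are assumed; the report does not show them.
EVENTS = [
    {"pid": 3768, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc" /o ""'},
    {"pid": 2192, "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SYSTEM32\regsvr32.exe",
     "command_line": r"regsvr32 c:\programdata\64961.jpg"},
    {"pid": 2216, "parent_image": r"C:\Windows\SYSTEM32\regsvr32.exe",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r"c:\programdata\64961.jpg"},
    {"pid": 3920, "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     # Unterminated quote reproduced as the report shows it.
     "command_line": r'wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe'},
    {"pid": 2108, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "command_line": r"C:\Windows\system32\wbem\WmiApSrv.exe"},
]


def split_cmdline(cmdline):
    """Windows-style tokenizer: honours double quotes, tolerates an unterminated one."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"?|(\S+)', cmdline)]


def base(path):
    return ntpath.basename(path).lower()


def ext(path):
    return ntpath.splitext(path)[1].lower()


def module_args(image, cmdline):
    """Non-switch tokens that are not the program itself.

    regsvr32 may appear as a bare 'regsvr32' or be omitted entirely (PID 2216
    above), so the program is matched by file stem, not by position."""
    stem = ntpath.splitext(base(image))[0]
    out = []
    for tok in split_cmdline(cmdline):
        if not tok or tok.startswith(("/", "-")):
            continue
        if ntpath.splitext(base(tok))[0] == stem:
            continue
        out.append(tok)
    return out


def detect(events):
    """Return one finding dict per rule hit: {'pid', 'rule', 'detail'}."""
    findings = []
    for ev in events:
        pid, cmd = ev["pid"], ev["command_line"]
        parent, image = base(ev["parent_image"]), base(ev["image"])
        hits = []
        if parent in OFFICE_APPS and image in LOLBINS:
            hits.append(("office_spawned_lolbin", f"{parent} -> {image}"))
        if image == "regsvr32.exe":
            # The 64-bit regsvr32 re-launching its SysWOW64 twin for a 32-bit
            # module is deliberately not a rule: benign installers do it too.
            # The signal is the module extension, checked on both processes.
            for mod in module_args(ev["image"], cmd):
                if ext(mod) not in DLL_EXTS:
                    hits.append(("regsvr32_non_dll_module", mod))
        if image in SCRIPT_HOSTS:
            if parent in {"regsvr32.exe", "rundll32.exe"}:
                hits.append(("regsvr32_spawned_script_host", f"{parent} -> {image}"))
            for tok in split_cmdline(cmd):
                if re.match(r"^//?e:", tok, re.I):   # forced engine, e.g. //E:jscript
                    hits.append(("script_engine_override", tok))
            for script in module_args(ev["image"], cmd):
                if ext(script) not in SCRIPT_EXTS:
                    hits.append(("script_unexpected_extension", script))
        findings.extend({"pid": pid, "rule": r, "detail": d} for r, d in hits)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f['pid']:<5} {f['rule']:<30} {f['detail']}")
```

Run stand-alone it prints six findings: two on PID 2192, one on 2216 and three on 3920, and nothing for WINWORD.EXE itself or for WmiApSrv.exe. Each rule on its own has benign hits (regsvr32 registering an .ocx, wscript forced to jscript by an admin script); the value is in the three landing on one parent/child chain within seconds, so correlate by process lineage before alerting.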

Downloads

  • C:\Users\Public\whjkAbMaz.MVTXe

    MD5

    fb602d3da0fa8a77faf30957de03618b

    SHA1

    0ffa7c8827709d3fa5cf9c029a149f20d9cf9eb3

    SHA256

    3967320c32862614b2a44026c808567bbb6c290f86d753adde10e9723959769e

    SHA512

    fcc36faa35ddc208407870a5b55d76883c7e6208fa28378456f9e914c65a9a861d58b5deaa7c8c0c1bfba9d6d296677171679b3f64c4a76c7de8e17b29ff30e7

  • \??\c:\programdata\64961.jpg

    MD5

    8b7786e11dc53af09f1a3b47a44b2a0b

    SHA1

    b4a138956beae46fdf319d7848da05f5a35503cb

    SHA256

    a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321

    SHA512

    6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

  • \ProgramData\64961.jpg

    Same file as the \??\c:\programdata\64961.jpg entry above (identical hashes); it is recorded twice because it was observed under both the NT object path and the drive-relative path.

    MD5

    8b7786e11dc53af09f1a3b47a44b2a0b

    SHA1

    b4a138956beae46fdf319d7848da05f5a35503cb

    SHA256

    a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321

    SHA512

    6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

  • memory/2192-5-0x0000000000000000-mapping.dmp

  • memory/2216-7-0x0000000000000000-mapping.dmp

  • memory/3768-0-0x000002BD445D3000-0x000002BD4463C000-memory.dmp

    Filesize

    420KB

  • memory/3920-9-0x0000000000000000-mapping.dmp