Malware Analysis Report

2024-11-15 09:09

Sample ID: 200628-ap6kppw41j
Target: adjure_06.26.2020.doc
SHA256: c2222ea9ba5e0bceba9721084fb70b803f6a4cbf962e98b9a8ea3125f76a685f
Tags: valak, Loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c2222ea9ba5e0bceba9721084fb70b803f6a4cbf962e98b9a8ea3125f76a685f

Threat Level: Known bad

The file adjure_06.26.2020.doc was found to be: Known bad.

Malicious Activity Summary

valak Loader

Process spawned unexpected child process

Valak

Valak JavaScript Loader

Loads dropped DLL

JavaScript code in executable

Office loads VBA resources, possible macro or embedded object present

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-06-28 07:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-06-28 07:04
Reported: 2020-06-28 07:06
Platform: win7v200430
Max time kernel: 146s
Max time network: 26s

Command Line

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\system32\regsvr32.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Office loads VBA resources, possible macro or embedded object present

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 288 wrote to memory of 740 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 288 wrote to memory of 740 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 288 wrote to memory of 740 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 288 wrote to memory of 740 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 288 wrote to memory of 740 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 740 wrote to memory of 1076 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1076 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1076 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1076 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1076 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe

Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc"

C:\Windows\system32\regsvr32.exe

regsvr32 c:\programdata\64961.jpg

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\64961.jpg

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ttcfv.com | udp
N/A | 82.146.56.146:80 | ttcfv.com | tcp

Files

memory/740-3-0x0000000000000000-mapping.dmp

\??\c:\programdata\64961.jpg

MD5 8b7786e11dc53af09f1a3b47a44b2a0b
SHA1 b4a138956beae46fdf319d7848da05f5a35503cb
SHA256 a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321
SHA512 6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

memory/1076-5-0x0000000000000000-mapping.dmp

\ProgramData\64961.jpg

MD5 8b7786e11dc53af09f1a3b47a44b2a0b
SHA1 b4a138956beae46fdf319d7848da05f5a35503cb
SHA256 a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321
SHA512 6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

memory/556-7-0x0000000000000000-mapping.dmp

C:\Users\Public\whjkAbMaz.MVTXe

MD5 fb602d3da0fa8a77faf30957de03618b
SHA1 0ffa7c8827709d3fa5cf9c029a149f20d9cf9eb3
SHA256 3967320c32862614b2a44026c808567bbb6c290f86d753adde10e9723959769e
SHA512 fcc36faa35ddc208407870a5b55d76883c7e6208fa28378456f9e914c65a9a861d58b5deaa7c8c0c1bfba9d6d296677171679b3f64c4a76c7de8e17b29ff30e7

memory/556-9-0x00000000029B0000-0x00000000029B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-06-28 07:04
Reported: 2020-06-28 07:06
Platform: win10
Max time kernel: 135s
Max time network: 131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc" /o ""

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 c:\programdata\64961.jpg

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\64961.jpg

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ttcfv.com | udp
N/A | 82.146.56.146:80 | ttcfv.com | tcp

Files

memory/3680-0-0x0000024991C17000-0x0000024991C1C000-memory.dmp

memory/3680-1-0x0000024991C17000-0x0000024991C1C000-memory.dmp

memory/3680-2-0x0000024991C0F000-0x0000024991C17000-memory.dmp

memory/3680-3-0x0000024991C0F000-0x0000024991C17000-memory.dmp

memory/3680-4-0x0000024991C0F000-0x0000024991C17000-memory.dmp

memory/1044-5-0x0000000000000000-mapping.dmp

\??\c:\programdata\64961.jpg

MD5 8b7786e11dc53af09f1a3b47a44b2a0b
SHA1 b4a138956beae46fdf319d7848da05f5a35503cb
SHA256 a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321
SHA512 6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

memory/1176-7-0x0000000000000000-mapping.dmp

\ProgramData\64961.jpg

MD5 8b7786e11dc53af09f1a3b47a44b2a0b
SHA1 b4a138956beae46fdf319d7848da05f5a35503cb
SHA256 a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321
SHA512 6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb

memory/2192-9-0x0000000000000000-mapping.dmp

C:\Users\Public\whjkAbMaz.MVTXe

MD5 fb602d3da0fa8a77faf30957de03618b
SHA1 0ffa7c8827709d3fa5cf9c029a149f20d9cf9eb3
SHA256 3967320c32862614b2a44026c808567bbb6c290f86d753adde10e9723959769e
SHA512 fcc36faa35ddc208407870a5b55d76883c7e6208fa28378456f9e914c65a9a861d58b5deaa7c8c0c1bfba9d6d296677171679b3f64c4a76c7de8e17b29ff30e7