Analysis

  • max time kernel
    135s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    02-07-2020 13:26

General

  • Target

    facts,06.20.doc

  • Size

    114KB

  • MD5

    044be39caae5604b0de18f194a8de4dc

  • SHA1

    557f786e4be64a1c8130ee14cd86e937040477f3

  • SHA256

    1a76ae32471c077f6ba8525fdc8812cf8aa242cfc7bfac57d04c91d86e5bd378

  • SHA512

    92f006efef8444454e4367e84681f43c15df30b4ab55aea7c98f761c0351b4090395dd1bcc7ed342674fe33d73bd6a12e0d7531a1cbdc790de075b5b67d5ccdf

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 c:\programdata\1.dat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\programdata\1.dat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu
          4⤵
            PID:2640
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3664

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\MVexBafTc.Sszxu

        MD5

        fa1ad61db6981a6021ee910b16134c3b

        SHA1

        6be70926a8e12eb456ccdecd54ce3a9d8550361e

        SHA256

        32061d3b3c2d869560c1ecc5d82b8bda978a66d45e881f0e490d88dfc0488320

        SHA512

        60476da5dadb3dd96fe8d5b016e26347cce9b661902d41a5fcb9f24d66f8401bf34b53b18132888ece9735d26ed140230fbfc40e605c2e9ebf2397fb35d5ea23

      • \??\c:\programdata\1.dat

        MD5

        0790e65e6925fc63a75856c0b4c0cd65

        SHA1

        afd468cf7c2302fa07ac8691e03997b953836287

        SHA256

        bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a

        SHA512

        d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

      • \ProgramData\1.dat

        MD5

        0790e65e6925fc63a75856c0b4c0cd65

        SHA1

        afd468cf7c2302fa07ac8691e03997b953836287

        SHA256

        bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a

        SHA512

        d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

      • memory/2640-7-0x0000000000000000-mapping.dmp

      • memory/3084-3-0x0000000000000000-mapping.dmp

      • memory/3756-5-0x0000000000000000-mapping.dmp

      • memory/3868-0-0x000001358D63F000-0x000001358D644000-memory.dmp

        Filesize

        20KB

      • memory/3868-1-0x000001358D63A000-0x000001358D63F000-memory.dmp

        Filesize

        20KB

      • memory/3868-2-0x000001358D63A000-0x000001358D63F000-memory.dmp

        Filesize

        20KB