Malware Analysis Report

2024-11-15 09:09

Sample ID 200702-jp8bg2gsdj
Target facts,06.20.doc
SHA256 1a76ae32471c077f6ba8525fdc8812cf8aa242cfc7bfac57d04c91d86e5bd378
Tags
valak Loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a76ae32471c077f6ba8525fdc8812cf8aa242cfc7bfac57d04c91d86e5bd378

Threat Level: Known bad

The file facts,06.20.doc was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak

Valak JavaScript Loader

Process spawned unexpected child process

Loads dropped DLL

JavaScript code in executable

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-07-02 13:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-07-02 13:26

Reported

2020-07-02 13:29

Platform

win7v200430

Max time kernel

140s

Max time network

136s

Command Line

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\system32\regsvr32.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 892 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 892 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 892 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 892 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 892 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\system32\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1832 wrote to memory of 1836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1836 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1836 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1836 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe
PID 1836 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe

Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc"

C:\Windows\system32\regsvr32.exe

regsvr32 c:\programdata\1.dat

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\1.dat

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.nasproje.com | udp
N/A | 109.232.217.188:443 | www.nasproje.com | tcp
N/A | 8.8.8.8:53 | apps.identrust.com | udp
N/A | 192.35.177.64:80 | apps.identrust.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 72.21.81.240:80 | www.download.windowsupdate.com | tcp
N/A | 8.8.8.8:53 | crl.identrust.com | udp
N/A | 192.35.177.64:80 | crl.identrust.com | tcp

Files

memory/892-0-0x0000000006000000-0x0000000006100000-memory.dmp

memory/892-1-0x0000000006000000-0x0000000006100000-memory.dmp

memory/892-2-0x0000000006F90000-0x0000000007190000-memory.dmp

memory/1832-3-0x0000000000000000-mapping.dmp

\??\c:\programdata\1.dat

MD5 0790e65e6925fc63a75856c0b4c0cd65
SHA1 afd468cf7c2302fa07ac8691e03997b953836287
SHA256 bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512 d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

memory/1836-5-0x0000000000000000-mapping.dmp

\ProgramData\1.dat

MD5 0790e65e6925fc63a75856c0b4c0cd65
SHA1 afd468cf7c2302fa07ac8691e03997b953836287
SHA256 bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512 d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

memory/1896-7-0x0000000000000000-mapping.dmp

C:\Users\Public\MVexBafTc.Sszxu

MD5 fa1ad61db6981a6021ee910b16134c3b
SHA1 6be70926a8e12eb456ccdecd54ce3a9d8550361e
SHA256 32061d3b3c2d869560c1ecc5d82b8bda978a66d45e881f0e490d88dfc0488320
SHA512 60476da5dadb3dd96fe8d5b016e26347cce9b661902d41a5fcb9f24d66f8401bf34b53b18132888ece9735d26ed140230fbfc40e605c2e9ebf2397fb35d5ea23

memory/1896-9-0x00000000025E0000-0x00000000025E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-07-02 13:26

Reported

2020-07-02 13:29

Platform

win10

Max time kernel

135s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Valak

Loader valak

Valak JavaScript Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc" /o ""

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 c:\programdata\1.dat

C:\Windows\SysWOW64\regsvr32.exe

c:\programdata\1.dat

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.nasproje.com | udp
N/A | 109.232.217.188:443 | www.nasproje.com | tcp
N/A | 8.8.8.8:53 | crl.identrust.com | udp
N/A | 192.35.177.64:80 | crl.identrust.com | tcp

Files

memory/3868-0-0x000001358D63F000-0x000001358D644000-memory.dmp

memory/3868-1-0x000001358D63A000-0x000001358D63F000-memory.dmp

memory/3868-2-0x000001358D63A000-0x000001358D63F000-memory.dmp

memory/3084-3-0x0000000000000000-mapping.dmp

\??\c:\programdata\1.dat

MD5 0790e65e6925fc63a75856c0b4c0cd65
SHA1 afd468cf7c2302fa07ac8691e03997b953836287
SHA256 bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512 d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

memory/3756-5-0x0000000000000000-mapping.dmp

\ProgramData\1.dat

MD5 0790e65e6925fc63a75856c0b4c0cd65
SHA1 afd468cf7c2302fa07ac8691e03997b953836287
SHA256 bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512 d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

memory/2640-7-0x0000000000000000-mapping.dmp

C:\Users\Public\MVexBafTc.Sszxu

MD5 fa1ad61db6981a6021ee910b16134c3b
SHA1 6be70926a8e12eb456ccdecd54ce3a9d8550361e
SHA256 32061d3b3c2d869560c1ecc5d82b8bda978a66d45e881f0e490d88dfc0488320
SHA512 60476da5dadb3dd96fe8d5b016e26347cce9b661902d41a5fcb9f24d66f8401bf34b53b18132888ece9735d26ed140230fbfc40e605c2e9ebf2397fb35d5ea23