Analysis
max time kernel: 63s
max time network: 64s
platform: windows7_x64
resource: win7
submitted: 04-07-2020 08:42
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll
Resource: win7
General
Target: SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll
Size: 317KB
MD5: 938b8214395f3dde41c1646af5558dcf
SHA1: 05fa40fd0f443d5f591cdc024a344f0eb10c5d46
SHA256: fd44086fe5fd433c14f4fc1e03f318353add50ac77dee6da3f64c4d2c5414c1c
SHA512: 5d3c5e5107f96edbb7806d276594fe3619a13f4f6b0e8d03978ee63a436c709a0ea944abbb39f7f6b915fab11ed9437bb835278431acf68050ecc5fc6206c084
Malware Config
Signatures
-
Valak JavaScript Loader (2 IoCs)
    resource                          yara_rule
    C:\Users\Public\zNrFlsljF.h_uKX   valak
    C:\Users\Public\zNrFlsljF.h_uKX   valak_js

JavaScript code in executable (1 IoC)
    resource                          yara_rule
    C:\Users\Public\zNrFlsljF.h_uKX   js
Suspicious use of WriteProcessMemory (11 IoCs)
    description                          pid    process        target process   events
    PID 1124 wrote to memory of 1184     1124   rundll32.exe   rundll32.exe     7
    PID 1184 wrote to memory of 1416     1184   rundll32.exe   wscript.exe      4
Processes
C:\Windows\system32\rundll32.exe (PID 1124)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll,#1
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\rundll32.exe (PID 1184)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll,#1
        - Suspicious use of WriteProcessMemory
        └ C:\Windows\SysWOW64\wscript.exe (PID 1416)
            wscript.exe //E:jscript "C:\Users\Public\zNrFlsljF.h_uKX"
C:\Windows\system32\wbem\WmiApSrv.exe (PID 1656)
    C:\Windows\system32\wbem\WmiApSrv.exe
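The chain above is the part of this report worth turning into a detection: the 64-bit rundll32 hands the 32-bit DLL to its SysWOW64 counterpart, which then starts wscript.exe with the //E:jscript engine override on a file whose extension (.h_uKX) the script host would never dispatch on its own, staged under C:\Users\Public. The script below is an added example, not part of the Triage report or of any Triage tooling: it transcribes the report's process list and WriteProcessMemory pairs, rebuilds the parent/child tree, and lists the reasons the script-host launch looks like a loader. Assumptions, which are the author's own and not stated by the report: a WriteProcessMemory pair writer → target is treated as parent → child (the report's indented process list agrees), and the script-extension list and the four heuristic reasons are the author's choices.

```python
"""Added example (not part of the Triage report): rebuild the report's process tree from
its WriteProcessMemory pairs and flag the rundll32 -> wscript //E:jscript loader chain.
The extension list and the heuristics below are the author's own assumptions."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Extensions the Windows Script Host dispatches on its own without an //E: override.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Process list transcribed from the report (pid, image path, command line).
PROCESSES = [
    Proc(1124, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll,#1"),
    Proc(1184, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.260029.31647.5696.dll,#1"),
    Proc(1416, r"C:\Windows\SysWOW64\wscript.exe",
         r'wscript.exe //E:jscript "C:\Users\Public\zNrFlsljF.h_uKX"'),
    Proc(1656, r"C:\Windows\system32\wbem\WmiApSrv.exe",
         r"C:\Windows\system32\wbem\WmiApSrv.exe"),
]

# "PID A wrote to memory of PID B" pairs from the WriteProcessMemory signature, deduplicated.
# Assumption: a write into a freshly created child is the parent staging it, so A is B's parent.
WPM_EVENTS = [(1124, 1184), (1184, 1416)]


def build_tree(procs, wpm_events):
    """Attach parent pids using the WriteProcessMemory pairs; returns {pid: Proc}."""
    by_pid = {p.pid: p for p in procs}
    for writer, target in wpm_events:
        if target in by_pid and by_pid[target].parent is None:
            by_pid[target].parent = writer
    return by_pid


def ancestry(by_pid, pid):
    """Image basenames from the root of the chain down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image).lower())
        pid = by_pid[pid].parent
    return list(reversed(chain))


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_host_findings(by_pid):
    """Inspect every wscript/cscript launch and collect the reasons it looks like a loader."""
    findings = []
    for p in by_pid.values():
        if ntpath.basename(p.image).lower() not in ("wscript.exe", "cscript.exe"):
            continue
        args = tokenize(p.cmdline)[1:]
        engine = next((a[4:] for a in args if a.lower().startswith("//e:")), None)
        script = next((a for a in args if not a.startswith("//")), "")
        ext = ntpath.splitext(script)[1].lower()
        chain = ancestry(by_pid, p.pid)
        reasons = []
        if engine:
            reasons.append(f"engine forced with //E:{engine}")
        if ext not in SCRIPT_EXTS:
            reasons.append(f"non-script extension {ext or '<none>'}")
        if script.lower().startswith("c:\\users\\public\\"):
            reasons.append("script staged under C:\\Users\\Public")
        if "rundll32.exe" in chain[:-1]:
            reasons.append("spawned from a rundll32.exe chain")
        findings.append({"pid": p.pid, "engine": engine, "script": script,
                         "chain": chain, "reasons": reasons})
    return findings


def triage(procs=PROCESSES, wpm_events=WPM_EVENTS):
    """Run the whole check over the transcribed report data."""
    return script_host_findings(build_tree(procs, wpm_events))


if __name__ == "__main__":
    for f in triage():
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}")
        for r in f["reasons"]:
            print("   ", r)
```

Run stand-alone it prints the single script-host finding with its full ancestry. Feeding it a benign `wscript.exe logon.vbs` started by explorer.exe yields an empty reasons list, which is the point of keying on the engine override, the odd extension and the rundll32 parentage together rather than on wscript.exe alone.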
Network
MITRE ATT&CK Matrix
Downloads
MD5: 165f495f44662a65cb38e9e8edf2586c
SHA1: 6fcced879570b3ea31f57298a6fc149c3080c9d7
SHA256: ea159717f2033df8a9a16db45bad250346296ed188ffc735abd3ff463b710589
SHA512: 039dc55aab10a883d22c5363b85ef76f4b657a6bad10ee28484644a619e31a5bc01e91e29362ebba1b121e0aba3d3a953897b7caa72b1539eacd217de8d629ae