Analysis
- max time kernel: 144s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: haao1.cab.exe_.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds
General
- Target: haao1.cab.exe_.dll
- Size: 180KB
- MD5: 8147c86a51001c09e34e8c3517e2bac4
- SHA1: d6f4260a55bbdd62627a562ff599a9e842c1c62f
- SHA256: a6c6ab892399b0496ffcd15d3af8dc8840818439367b990f60f51c95c8e56305
- SHA512: a786cf9c8419179557acf1c1fa4016b6989514a5db44b39681ea89a0f17d2f1a5592d602ba52fa137d135ae40ff05e05e278a2db4c116e06b1f47d80f9b476ea
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Public\anFJjtYxH.eB_c_ | valak
  C:\Users\Public\anFJjtYxH.eB_c_ | valak_js
- JavaScript code in executable (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Public\anFJjtYxH.eB_c_ | js
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1848 wrote to memory of 1352 | 1848 | regsvr32.exe | regsvr32.exe
  PID 1352 wrote to memory of 804 | 1352 | regsvr32.exe | wscript.exe
  PID 1352 wrote to memory of 804 | 1352 | regsvr32.exe | wscript.exe
  PID 1352 wrote to memory of 804 | 1352 | regsvr32.exe | wscript.exe
  PID 1352 wrote to memory of 804 | 1352 | regsvr32.exe | wscript.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\haao1.cab.exe_.dll
  Suspicious use of WriteProcessMemory
  PID:1848
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\haao1.cab.exe_.dll
    Suspicious use of WriteProcessMemory
    PID:1352
    - C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe //E:jscript "C:\Users\Public\anFJjtYxH.eB_c_
      PID:804
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID:652
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID:1712
Network
MITRE ATT&CK Matrix
Downloads
- MD5: bf9cfe46e69997b0d8ac4ffb528ab0df
- SHA1: 399337ad73221675067a85f3251e31042886d536
- SHA256: 395df3a563bc865221738b938998e6a45094f5c396302e4f151631e78aeb9d2d
- SHA512: f432a42d355d5ac058dd68660b9d0a7bd901eaf3b55fd184b3fb2c7b075523eca7e1262bc757fc2600934112fde781823d721a32754f87f6501f487b36b10fa9