Analysis

  • max time kernel
    42s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:13

General

  • Target

    lfahe1.cab.dll

  • Size

    523KB

  • MD5

    4f74df55ff11ae52b59a5ae086593347

  • SHA1

    b0f465a36e86e11ce00756e7e81b679bd9f98c29

  • SHA256

    de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3

  • SHA512

    4a0bd09d0428a0df5a675d74d2fe40e4c05c74a78bd34dcb1bb5dd23f1da70e0ee2ac0f4de04cb8c19478065835c90b8e9373579c054786c98ef3896d772a3e2

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, one link in a distribution chain that delivers other malware families.

  • Valak JavaScript Loader 2 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
        3⤵
        PID:1788
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:604
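The process tree above is the useful detection signal in this report: the 64-bit rundll32.exe hands the 32-bit DLL export off to its SysWOW64 counterpart (normal WoW64 behaviour on its own), which then drops a file with a made-up extension into C:\Users\Public and runs it with wscript.exe //E:jscript, forcing the JScript engine because Windows has no handler for a .vA_YV file. The following is an added example, not code from the sandbox or from any vendor, showing one way to turn that chain into detection logic over process-creation events. The event records are constructed to mirror the tree shown (PIDs, images and command lines are taken from the page; the parent PIDs of the two root processes and the benign control record are assumed, and the closing quote missing from the report's command line is supplied in the sample).

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records mirroring the tree in the
# report. PIDs, images and command lines come from the page; the parent PIDs
# 900/500/700 and the benign control record (PID 2100) are assumptions, and the
# closing quote on the wscript command line is added (the report shows it cut off).
EVENTS: List[Dict] = [
    {"pid": 1304, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1"},
    {"pid": 1832, "ppid": 1304, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1"},
    {"pid": 1788, "ppid": 1832, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV"'},
    {"pid": 604, "ppid": 500, "image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "cmd": r"C:\Windows\system32\wbem\WmiApSrv.exe"},
    # Benign control: a logon script with a registered extension from a system path.
    {"pid": 2100, "ppid": 700, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Windows\System32\GroupPolicy\User\Scripts\Logon\logon.vbs"'},
]

# Extensions Windows Script Host already maps to an engine; anything else needs //E:.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Drop locations writable by an unprivileged user (lower-cased substrings).
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")


def script_path(cmd: str) -> str:
    """Script argument of a wscript/cscript command line: first quoted token, else last token."""
    m = re.search(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[-1] if len(parts) > 1 else ""


def lineage(pid: int, by_pid: Dict[int, Dict], max_depth: int = 4) -> List[str]:
    """Lower-cased image paths walking from pid up through its recorded parents."""
    chain: List[str] = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect_forced_engine_script(events: List[Dict]) -> List[Dict]:
    """Flag wscript/cscript launches that look like the Valak hand-off in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        if not e["image"].lower().endswith(("\\wscript.exe", "\\cscript.exe")):
            continue
        cmd = e["cmd"]
        path = script_path(cmd)
        reasons: List[str] = []
        # //E:<engine> is only required when the extension is not registered for a
        # script engine, so //E: on a non-script extension is the strongest tell.
        if "//e:" in cmd.lower() and not path.lower().endswith(SCRIPT_EXTS):
            reasons.append("engine forced with //E: on a non-script extension")
        if any(w in path.lower() for w in USER_WRITABLE):
            reasons.append("script lives in a user-writable drop location")
        # A DLL export executed through rundll32 has no legitimate need for WSH.
        if any(p.endswith("\\rundll32.exe") for p in lineage(e["ppid"], by_pid)):
            reasons.append("spawned from a rundll32.exe lineage")
        # Require two independent indicators to keep single-signal noise out.
        if len(reasons) >= 2:
            findings.append({"pid": e["pid"], "script": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_forced_engine_script(EVENTS):
        print(f"PID {f['pid']} -> {f['script']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is it reports PID 1788 with all three reasons and leaves the logon-script control alone. The WoW64 relaunch (PID 1304 spawning PID 1832 with the identical command line) is deliberately not scored: a 64-bit rundll32.exe given a 32-bit DLL always does that, so on its own it is not an indicator.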

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Public\xSsGKcUqL.vA_YV

    MD5

    9bb0250408c43581e7f9977da9c64e36

    SHA1

    10bb73ae8b19a28b833daffd8c89041ca9c58dca

    SHA256

    732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543

    SHA512

    53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a

  • memory/1788-1-0x0000000000000000-mapping.dmp

  • memory/1788-3-0x0000000002840000-0x0000000002844000-memory.dmp

    Filesize

    16KB

  • memory/1832-0-0x0000000000000000-mapping.dmp