Analysis
max time kernel: 42s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:13

Static task: static1
Behavioral task: behavioral1
Sample: lfahe1.cab.dll
Resource: win7v20201028
0 signatures
0 seconds
General
Target: lfahe1.cab.dll
Size: 523KB
MD5: 4f74df55ff11ae52b59a5ae086593347
SHA1: b0f465a36e86e11ce00756e7e81b679bd9f98c29
SHA256: de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
SHA512: 4a0bd09d0428a0df5a675d74d2fe40e4c05c74a78bd34dcb1bb5dd23f1da70e0ee2ac0f4de04cb8c19478065835c90b8e9373579c054786c98ef3896d772a3e2
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Public\xSsGKcUqL.vA_YV | valak
  C:\Users\Public\xSsGKcUqL.vA_YV | valak_js
- JavaScript code in executable (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Public\xSsGKcUqL.vA_YV | js
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1304 wrote to memory of 1832 | 1304 | rundll32.exe | rundll32.exe
  PID 1832 wrote to memory of 1788 | 1832 | rundll32.exe | wscript.exe
  PID 1832 wrote to memory of 1788 | 1832 | rundll32.exe | wscript.exe
  PID 1832 wrote to memory of 1788 | 1832 | rundll32.exe | wscript.exe
  PID 1832 wrote to memory of 1788 | 1832 | rundll32.exe | wscript.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1304)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1832)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe (PID 1788)
      Command line: wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 604)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix
Downloads
- MD5: 9bb0250408c43581e7f9977da9c64e36
  SHA1: 10bb73ae8b19a28b833daffd8c89041ca9c58dca
  SHA256: 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
  SHA512: 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a