Analysis

  • max time kernel
    39s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:13

General

  • Target
    lfahe1.cab.dll
  • Size
    523KB
  • MD5
    4f74df55ff11ae52b59a5ae086593347
  • SHA1
    b0f465a36e86e11ce00756e7e81b679bd9f98c29
  • SHA256
    de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
  • SHA512
    4a0bd09d0428a0df5a675d74d2fe40e4c05c74a78bd34dcb1bb5dd23f1da70e0ee2ac0f4de04cb8c19478065835c90b8e9373579c054786c98ef3896d772a3e2

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • ServiceHost packer 4 IoCs

    Detects ServiceHost packer used for .NET malware

  • JavaScript code in executable 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe (PID 428)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 1192)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\wscript.exe (PID 2320)
        wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
      • C:\Windows\SysWOW64\WerFault.exe (PID 2456)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\wbem\WmiApSrv.exe (PID 640)
    C:\Windows\system32\wbem\WmiApSrv.exe

Network

MITRE ATT&CK Matrix
Downloads

  • C:\Users\Public\xSsGKcUqL.vA_YV
    MD5
    9bb0250408c43581e7f9977da9c64e36
    SHA1
    10bb73ae8b19a28b833daffd8c89041ca9c58dca
    SHA256
    732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
    SHA512
    53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a
  • memory/1192-0-0x0000000000000000-mapping.dmp
  • memory/1192-4-0x0000000000000000-mapping.dmp
  • memory/1192-6-0x0000000000000000-mapping.dmp
  • memory/1192-7-0x0000000000000000-mapping.dmp
  • memory/1192-5-0x0000000000000000-mapping.dmp
  • memory/2320-1-0x0000000000000000-mapping.dmp
  • memory/2456-3-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize
    4KB
  • memory/2456-9-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize
    4KB