Analysis Overview
SHA256
de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
Threat Level: Known bad
The file lfahe1.cab was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Valak JavaScript Loader
Valak
ServiceHost packer
JavaScript code in executable
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:13
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:13
Reported
2020-11-10 14:18
Platform
win10v20201028
Max time kernel
39s
Max time network
110s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2456 created 1192 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ServiceHost packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 428 wrote to memory of 1192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 428 wrote to memory of 1192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 428 wrote to memory of 1192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1192 wrote to memory of 2320 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 1192 wrote to memory of 2320 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 1192 wrote to memory of 2320 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/1192-0-0x0000000000000000-mapping.dmp
memory/2320-1-0x0000000000000000-mapping.dmp
C:\Users\Public\xSsGKcUqL.vA_YV
| MD5 | 9bb0250408c43581e7f9977da9c64e36 |
| SHA1 | 10bb73ae8b19a28b833daffd8c89041ca9c58dca |
| SHA256 | 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543 |
| SHA512 | 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a |
memory/2456-3-0x0000000004F70000-0x0000000004F71000-memory.dmp
memory/1192-4-0x0000000000000000-mapping.dmp
memory/1192-6-0x0000000000000000-mapping.dmp
memory/1192-7-0x0000000000000000-mapping.dmp
memory/1192-5-0x0000000000000000-mapping.dmp
memory/2456-9-0x00000000053B0000-0x00000000053B1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:13
Reported
2020-11-10 14:18
Platform
win7v20201028
Max time kernel
42s
Max time network
11s
Command Line
Signatures
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
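Both behavioral runs show the same loader chain: a 64-bit `rundll32.exe` loads `lfahe1.cab.dll` from the user's Temp directory by ordinal (`,#1`), re-launches itself as the 32-bit `C:\Windows\SysWOW64\rundll32.exe`, and that copy spawns `wscript.exe //E:jscript` on a file in `C:\Users\Public` whose junk extension (`.vA_YV`) hides the dropped JScript. The win10 run additionally attributes the AdjustPrivilegeToken, EnumeratesProcesses and NtCreateProcessExOtherParentProcess hits to `WerFault.exe -u -p 1192 -s 680`, which is the user-mode crash reporter started for PID 1192, so the useful signal there is which process crashed, not the privilege use. The only network contact, `www.msftconnecttest.com`, is the Windows connectivity probe, so no second-stage infrastructure is captured in these runs. The script below is an added example (not part of this report or of the sandbox) that encodes those three observations as detection rules and runs them over process records constructed by hand from the win10v20201028 Processes and WriteProcessMemory tables above; the `Proc` field names and the writer-to-target link used as a parent relation are assumptions, not a sandbox export format. The win7v20201028 run prints identical command lines, so the same rules fire on it.

```python
"""Detection rules for the rundll32 -> rundll32 -> wscript loader chain in this report.

Added example, not code from the report or the sandbox. Records are constructed
from the behavioral2 Processes / WriteProcessMemory sections; field names and
the parent links (taken from the writer->target rows) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str                      # image path as printed in the report
    cmdline: str                    # command line as printed (wscript quote is unterminated there too)
    parent: Optional[int] = None    # assumed from "PID a wrote to memory of b" rows


# Constructed from the win10v20201028 run; PIDs are those printed in the report.
BEHAVIORAL2: List[Proc] = [
    Proc(428, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1"),
    Proc(1192, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1", parent=428),
    Proc(2320, r"C:\Windows\SysWOW64\wscript.exe",
         'wscript.exe //E:jscript "C:\\Users\\Public\\xSsGKcUqL.vA_YV', parent=1192),
    Proc(2456, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680"),
]

SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rundll32_temp_dll(p: Proc) -> Optional[str]:
    """rundll32 loading a DLL from %TEMP% by ordinal, with a double extension
    (.cab.dll) that mimics the name of the downloaded file."""
    if basename(p.image).lower() != "rundll32.exe":
        return None
    m = re.search(r"(\S+?\.dll)\s*,\s*#?(\w+)", p.cmdline, re.I)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    reasons = []
    if "\\appdata\\local\\temp\\" in dll.lower():
        reasons.append("DLL in %TEMP%")
    if basename(dll).lower().count(".") >= 2:
        reasons.append("double extension " + basename(dll))
    if export.isdigit():
        reasons.append("export by ordinal #" + export)
    return "; ".join(reasons) if reasons else None


def script_host_override(p: Proc) -> Optional[str]:
    """wscript/cscript forced to an engine with //E:<engine> on a file whose
    extension is not a script extension: the host override is what lets a
    payload dropped with a junk extension still run as JScript."""
    if basename(p.image).lower() not in ("wscript.exe", "cscript.exe"):
        return None
    m = re.search(r"//e:(\w+)\s+(.*)$", p.cmdline, re.I)
    if not m:
        return None
    engine, target = m.group(1).lower(), m.group(2).strip().strip('"')
    name = basename(target)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in SCRIPT_EXTS:
        return None
    where = " in C:\\Users\\Public" if "\\users\\public\\" in target.lower() else ""
    return f"{engine} engine forced on non-script file {name}{where}"


def crash_handler_for(p: Proc) -> Optional[int]:
    """WerFault.exe -u -p <pid> -s <event> is the user-mode crash reporter for
    <pid>; its SeDebugPrivilege and process-enumeration hits are expected."""
    if basename(p.image).lower() != "werfault.exe":
        return None
    m = re.search(r"-p\s+(\d+)", p.cmdline)
    return int(m.group(1)) if m else None


def loader_chain(procs: List[Proc]) -> List[Tuple[int, ...]]:
    """rundll32 -> rundll32 (64-bit host re-launching the 32-bit one) -> wscript,
    walking the assumed parent links back from each wscript process."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        if basename(p.image).lower() != "wscript.exe":
            continue
        lineage = [p]
        while lineage[-1].parent in by_pid:
            lineage.append(by_pid[lineage[-1].parent])
        names = [basename(q.image).lower() for q in lineage]
        if names[:3] == ["wscript.exe", "rundll32.exe", "rundll32.exe"]:
            chains.append(tuple(q.pid for q in reversed(lineage)))
    return chains


def analyze(procs: List[Proc]) -> Dict[str, list]:
    findings: Dict[str, list] = {"rundll32": [], "script_host": [],
                                 "chains": loader_chain(procs), "crashed": []}
    for p in procs:
        r = rundll32_temp_dll(p)
        if r:
            findings["rundll32"].append((p.pid, r))
        s = script_host_override(p)
        if s:
            findings["script_host"].append((p.pid, s))
        c = crash_handler_for(p)
        if c is not None:
            findings["crashed"].append(c)
    return findings


if __name__ == "__main__":
    for rule, hits in analyze(BEHAVIORAL2).items():
        print(rule, hits)
```

Run as-is it reports both rundll32 processes (428 and 1192), the wscript override on PID 2320, the chain (428, 1192, 2320), and PID 1192 as the process WerFault was handling. The rules key on command-line shape rather than on the hashes above, so they still fire when the DLL and script names are rotated.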
Network
Files
memory/1832-0-0x0000000000000000-mapping.dmp
memory/1788-1-0x0000000000000000-mapping.dmp
C:\Users\Public\xSsGKcUqL.vA_YV
| MD5 | 9bb0250408c43581e7f9977da9c64e36 |
| SHA1 | 10bb73ae8b19a28b833daffd8c89041ca9c58dca |
| SHA256 | 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543 |
| SHA512 | 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a |
memory/1788-3-0x0000000002840000-0x0000000002844000-memory.dmp