Malware Analysis Report

2024-11-15 09:08

Sample ID 201109-4ry1jth3zn
Target lfahe1.cab
SHA256 de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3
Tags
valak Loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de342d1a4e8dd15037b9b5e859bb57e2e8db8987957cc232ce545db5610ce0e3

Threat Level: Known bad

The file lfahe1.cab was found to be: Known bad.

Malicious Activity Summary

valak Loader

Suspicious use of NtCreateProcessExOtherParentProcess

Valak JavaScript Loader

Valak

ServiceHost packer

JavaScript code in executable

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-09 20:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 20:13

Reported

2020-11-10 14:18

Platform

win10v20201028

Max time kernel

39s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 2456 created 1192 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ServiceHost packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 428 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 428 wrote to memory of 1192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1192 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe
PID 1192 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe
PID 1192 wrote to memory of 2320 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 680

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
N/A 13.107.4.52:80 www.msftconnecttest.com tcp

Files

memory/1192-0-0x0000000000000000-mapping.dmp

memory/2320-1-0x0000000000000000-mapping.dmp

C:\Users\Public\xSsGKcUqL.vA_YV

MD5 9bb0250408c43581e7f9977da9c64e36
SHA1 10bb73ae8b19a28b833daffd8c89041ca9c58dca
SHA256 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
SHA512 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a

memory/2456-3-0x0000000004F70000-0x0000000004F71000-memory.dmp

memory/1192-4-0x0000000000000000-mapping.dmp

memory/1192-6-0x0000000000000000-mapping.dmp

memory/1192-7-0x0000000000000000-mapping.dmp

memory/1192-5-0x0000000000000000-mapping.dmp

memory/2456-9-0x00000000053B0000-0x00000000053B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 20:13

Reported

2020-11-10 14:18

Platform

win7v20201028

Max time kernel

42s

Max time network

11s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lfahe1.cab.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/1832-0-0x0000000000000000-mapping.dmp

memory/1788-1-0x0000000000000000-mapping.dmp

C:\Users\Public\xSsGKcUqL.vA_YV

MD5 9bb0250408c43581e7f9977da9c64e36
SHA1 10bb73ae8b19a28b833daffd8c89041ca9c58dca
SHA256 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
SHA512 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a

memory/1788-3-0x0000000002840000-0x0000000002844000-memory.dmp