Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:44
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Agent.ESBE.14544.3098.dll
Resource: win7v20201028
General
- Target: SecuriteInfo.com.Trojan.Agent.ESBE.14544.3098.dll
- Size: 289KB
- MD5: 4b5af247ec7175a679339aa88d99553c
- SHA1: 85b3e6d9997797f3556c9d7442054c6eac241b90
- SHA256: 4c9358b1b8b94ee6cc0142aef62a24507e44985d61c85b041f3e337021ac4488
- SHA512: 710cf34116bb454d4cbdab0ee12a7f443c3c09c049545619689fa90cd21dc3c39b882dc0da2d1dc491aaba81307c8e00e29a987d1f65b7a59beddba545e6358b
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   valak
  C:\Users\Public\CCGYPWTwr.iySAE   valak_js
- JavaScript code in executable (1 IoC)
  Processes:
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   js
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid    process        target process
  PID 1960 wrote to memory of 2004    1960   rundll32.exe   rundll32.exe    (7 occurrences)
  PID 2004 wrote to memory of 1596    2004   rundll32.exe   wscript.exe     (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.14544.3098.dll,#1
  depth 1, PID: 1960
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.14544.3098.dll,#1
    depth 2, PID: 2004
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe
      command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      depth 3, PID: 1596
- C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  depth 1, PID: 1672
Network
MITRE ATT&CK Matrix
Downloads
- MD5: 6df4cb0a89bdabcf858e7e407e3975f5
  SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
  SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
  SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41