Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:44
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Agent.ESBE.17724.8787.dll
Resource: win7v20201028
General
- Target: SecuriteInfo.com.Trojan.Agent.ESBE.17724.8787.dll
- Size: 289KB
- MD5: 32a9e7d1b9d2a12c1341cb2f0a42a51a
- SHA1: a587aeee7867fc8ec8a3074fa40eed3a2f8481d9
- SHA256: 7d5cb9f2e87752220d05423cb58e57db515b6ce204ca2d9c5d7577f06538dfa4
- SHA512: 2730fb6028c9c294f1033f35e833907e99ebd855b525a9fb99465de15ecee915674d89127faa4af5a242fbf87a61042f907e0afd4be7ae7b179b4b24459f2831
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource                         yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE  valak
  C:\Users\Public\CCGYPWTwr.iySAE  valak_js
- JavaScript code in executable (1 IoC)
  Processes:
  resource                         yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE  js
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                       pid   process       target process
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1980 wrote to memory of 1300  1980  rundll32.exe  rundll32.exe
  PID 1300 wrote to memory of 588   1300  rundll32.exe  wscript.exe
  PID 1300 wrote to memory of 588   1300  rundll32.exe  wscript.exe
  PID 1300 wrote to memory of 588   1300  rundll32.exe  wscript.exe
  PID 1300 wrote to memory of 588   1300  rundll32.exe  wscript.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.17724.8787.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 1980
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.17724.8787.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 1300
    - C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE"
      PID: 588
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 944
Network
MITRE ATT&CK Matrix
Downloads
- MD5: 6df4cb0a89bdabcf858e7e407e3975f5
  SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
  SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
  SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41