Analysis
max time kernel: 51s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:42

Static task: static1
Behavioral task: behavioral1
  Sample: Valak (5).cab.dll
  Resource: win7v20201028
  0 signatures, 0 seconds
General
Target: Valak (5).cab.dll
Size: 288KB
MD5: fa99b2d898eed7b28a21628cd927ca83
SHA1: 6f2f1f2312228c87ee04f04fa7d172f2385ad878
SHA256: a0a2a5c5de14959481b9469a5dc41e5a24bf9d9e4670ff22e2b30d9c5235bf5e
SHA512: ec26fe63c35a9a5a42a5e81ca0ddb00b529abdd3eed6135f16bd4b7ad3d73594c5315139033d37b032f3dc0b3d359182e7353c7d45aeb012dd32271015ece42c
Malware Config

Signatures

Valak JavaScript Loader (2 IoCs)
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   valak
  C:\Users\Public\CCGYPWTwr.iySAE   valak_js

JavaScript code in executable (1 IoC)
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   js

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    process        target process
  PID 796 wrote to memory of 1872    796    rundll32.exe   rundll32.exe
  PID 796 wrote to memory of 1872    796    rundll32.exe   rundll32.exe
  PID 796 wrote to memory of 1872    796    rundll32.exe   rundll32.exe
  PID 1872 wrote to memory of 1336   1872   rundll32.exe   wscript.exe
  PID 1872 wrote to memory of 1336   1872   rundll32.exe   wscript.exe
  PID 1872 wrote to memory of 1336   1872   rundll32.exe   wscript.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (5).cab.dll",#1
  Suspicious use of WriteProcessMemory
  PID: 796

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (5).cab.dll",#1
    Suspicious use of WriteProcessMemory
    PID: 1872

    C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      PID: 1336

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3912
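The process tree is the part of this report worth turning into a detection. The 64-bit rundll32.exe re-launches itself from SysWOW64 because the DLL is 32-bit, the WoW64 instance then drops a file with a random extension into C:\Users\Public and runs it through wscript.exe with the engine forced to JScript (//E:jscript), so the file never needs a .js extension. The three WriteProcessMemory hits per parent/child pair are consistent with ordinary process creation; the signal is the chain, not the memory writes. The Python below is an added example, not part of the report or of any Triage or Valak tooling: it runs that logic over constructed process-creation records. The PIDs, image paths and command lines of the malicious chain are copied from the report; the benign rows are invented to show what the rule must not fire on.

```python
r"""Flag the loader chain recorded in this report:

    rundll32.exe (x64) -> rundll32.exe (SysWOW64) -> wscript.exe //E:jscript "C:\Users\Public\<random name>"

Added example for this page. SAMPLE_EVENTS is constructed: the first three rows
mirror the report's process tree, the remaining rows are invented benign noise.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Extensions the Windows Script Host will run without a forced engine.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where loaders commonly stage a second stage (lower-cased substrings).
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, honouring double quotes.

    A stray unclosed quote (as in the report's wscript line) is stripped rather
    than raising, so a truncated telemetry field still parses.
    """
    return [quoted if quoted else bare.strip('"')
            for quoted, bare in _ARG_RE.findall(cmdline)]


def wsh_script_and_engine(cmdline: str) -> tuple[str | None, str | None]:
    """Return (script path, forced engine) from a wscript/cscript command line.

    WSH options start with //; //E:<engine> overrides the extension-based engine
    choice, which is what lets a file with extension .iySAE run as JScript.
    """
    script = engine = None
    for tok in split_cmdline(cmdline)[1:]:
        low = tok.lower()
        if low.startswith("//e:"):
            engine = low[4:]
        elif not low.startswith("//") and script is None:
            script = tok
    return script, engine


def assess(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """List the reasons a script-host launch looks like a dropped loader."""
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return []
    script, engine = wsh_script_and_engine(ev.cmdline)
    if script is None:
        return []
    reasons = []
    ext = ntpath.splitext(script)[1].lower()
    if engine and ext not in SCRIPT_EXTS:
        reasons.append(f"engine forced to {engine} for non-script extension {ext or '(none)'}")
    if any(d in script.lower() for d in STAGING_DIRS):
        reasons.append("script staged in a common drop directory")
    parent = by_pid.get(ev.ppid)
    if parent and ntpath.basename(parent.image).lower() == "rundll32.exe":
        reasons.append("script host spawned by rundll32.exe")
    return reasons


def detect(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for each event carrying at least two signals.

    Any single signal is noisy on its own (admins do run scripts out of
    ProgramData); two together keep the rule tight without relying on a hash.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        reasons = assess(ev, by_pid)
        if len(reasons) >= 2:
            alerts.append((ev.pid, reasons))
    return alerts


# Constructed sample: first three rows copied from the report, the rest invented.
SAMPLE_EVENTS = [
    ProcEvent(796, 500, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (5).cab.dll",#1'),
    ProcEvent(1872, 796, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (5).cab.dll",#1'),
    ProcEvent(1336, 1872, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE'),
    ProcEvent(2204, 1100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //NoLogo "C:\Scripts\logon.vbs"'),  # invented, benign
    ProcEvent(3912, 600, r"C:\Windows\system32\wbem\WmiApSrv.exe",
              r"C:\Windows\system32\wbem\WmiApSrv.exe"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: " + "; ".join(reasons))
```

Run against the sample, only PID 1336 alerts, with all three reasons; the invented logon script and the WMI provider host produce none. Extending the rule with the `#1` export call on the rundll32 parent or the 288KB DLL hash would make it sample-specific, which is exactly what the forced-engine and drop-directory checks avoid.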
Network
MITRE ATT&CK Matrix
Downloads
MD5: 6df4cb0a89bdabcf858e7e407e3975f5
SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41