Analysis

  • max time kernel
    61s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:42

General

  • Target

    Valak (6).cab.dll

  • Size

    288KB

  • MD5

    c94194485cd6ee22cd5b71f1418a8c78

  • SHA1

    2f37f11e26b60b4b7b7ac3fb54093c15af639840

  • SHA256

    1d07b32a7e2d4cc14cdd24795e40c66aa4253f8fdd810ba43ac33e2ae2107c0b

  • SHA512

    ebba08662b9bcf70169fdf3dc772f1af8b16ec20f8d15e16f5a9fa97bfd7804759363cff13c145cea0f85dc595b9571905f4f5f495960194c9e1ab13f717c744

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
        3⤵
          PID:1100
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2652

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\CCGYPWTwr.iySAE

        MD5

        6df4cb0a89bdabcf858e7e407e3975f5

        SHA1

        f41a9efe9f3cdce394893d90f564bb26e3cdd494

        SHA256

        c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232

        SHA512

        a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41

      • memory/1100-1-0x0000000000000000-mapping.dmp

      • memory/3648-0-0x0000000000000000-mapping.dmp