Analysis Overview
SHA256
1d07b32a7e2d4cc14cdd24795e40c66aa4253f8fdd810ba43ac33e2ae2107c0b
Threat Level: Known bad
The file Valak (6).cab was found to be: Known bad.
Malicious Activity Summary
Valak
Valak JavaScript Loader
JavaScript code in executable
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:42
Reported
2020-11-10 23:33
Platform
win7v20201028
Max time kernel
53s
Max time network
11s
Command Line
Signatures
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/1392-0-0x0000000000000000-mapping.dmp
memory/1060-1-0x0000000000000000-mapping.dmp
C:\Users\Public\CCGYPWTwr.iySAE
| MD5 | 6df4cb0a89bdabcf858e7e407e3975f5 |
| SHA1 | f41a9efe9f3cdce394893d90f564bb26e3cdd494 |
| SHA256 | c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232 |
| SHA512 | a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41 |
memory/1060-3-0x00000000026D0000-0x00000000026D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:42
Reported
2020-11-10 23:33
Platform
win10v20201028
Max time kernel
61s
Max time network
122s
Command Line
Signatures
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3408 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3408 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3648 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3648 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
| PID 3648 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (6).cab.dll",#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.12.18:443 | tcp |
Files
memory/3648-0-0x0000000000000000-mapping.dmp
memory/1100-1-0x0000000000000000-mapping.dmp
C:\Users\Public\CCGYPWTwr.iySAE
| MD5 | 6df4cb0a89bdabcf858e7e407e3975f5 |
| SHA1 | f41a9efe9f3cdce394893d90f564bb26e3cdd494 |
| SHA256 | c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232 |
| SHA512 | a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41 |