Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:42
Static task: static1
Behavioral task: behavioral1
Sample: 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
Resource: win7v20201028
General
Target: 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
Size: 199KB
MD5: d105288de6fc3fddfcec21d43de2c4eb
SHA1: e22b404e1fec743f0795cdea8a95337660878860
SHA256: 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1
SHA512: b161762f2b11d13d89c0081c2698136edf091fc56b865ed7fb89d5366a1d16ec870479c5e250abef23d0dfd2e9ba8f2426417d4fe7d04950ae30e9b03e5061d6
Malware Config
Signatures
Valak JavaScript Loader (1 IoC)
Processes:
  resource   yara_rule
  C:\Users\Admin\AppData\Local\Temp\s1k8.0   valak

Blacklisted process makes network request (16 IoCs)
Processes: wscript.exe
  flow   pid    process
  7      2004   wscript.exe
  9      2004   wscript.exe
  11     2004   wscript.exe
  15     2004   wscript.exe
  16     2004   wscript.exe
  17     2004   wscript.exe
  18     2004   wscript.exe
  19     2004   wscript.exe
  20     2004   wscript.exe
  21     2004   wscript.exe
  22     2004   wscript.exe
  23     2004   wscript.exe
  24     2004   wscript.exe
  25     2004   wscript.exe
  26     2004   wscript.exe
  27     2004   wscript.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  description                         pid    process        target process
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 1080 wrote to memory of 2024    1080   regsvr32.exe   regsvr32.exe
  PID 2024 wrote to memory of 2004    2024   regsvr32.exe   wscript.exe
  PID 2024 wrote to memory of 2004    2024   regsvr32.exe   wscript.exe
  PID 2024 wrote to memory of 2004    2024   regsvr32.exe   wscript.exe
  PID 2024 wrote to memory of 2004    2024   regsvr32.exe   wscript.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
   PID: 1080
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
      PID: 2024
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wscript.exe
         command line: wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1k8.0 "
         PID: 2004
         - Blacklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
MD5: 99b6dca5b8e85e916e684197b696383e
SHA1: ed553c8952859ab355cb27df3f78b38b6758ed23
SHA256: 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d
SHA512: debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f