Analysis

max time kernel:  148s
max time network: 149s
platform:         windows10_x64
resource:         win10v20201028
submitted:        09-11-2020 20:42

Static task:      static1
Behavioral task:  behavioral1
Sample:           1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
Resource:         win7v20201028
General

Target: 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
Size:   199KB
MD5:    d105288de6fc3fddfcec21d43de2c4eb
SHA1:   e22b404e1fec743f0795cdea8a95337660878860
SHA256: 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1
SHA512: b161762f2b11d13d89c0081c2698136edf091fc56b865ed7fb89d5366a1d16ec870479c5e250abef23d0dfd2e9ba8f2426417d4fe7d04950ae30e9b03e5061d6
Malware Config

Signatures

Valak JavaScript Loader - 1 IoC
Processes:
  resource                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\s1no.0   valak

Blacklisted process makes network request - 18 IoCs
Processes:
  flow  pid   process
  8     2904  wscript.exe
  19    2904  wscript.exe
  21    2904  wscript.exe
  25    2904  wscript.exe
  26    2904  wscript.exe
  27    2904  wscript.exe
  28    2904  wscript.exe
  29    2904  wscript.exe
  30    2904  wscript.exe
  31    2904  wscript.exe
  32    2904  wscript.exe
  33    2904  wscript.exe
  34    2904  wscript.exe
  35    2904  wscript.exe
  36    2904  wscript.exe
  37    2904  wscript.exe
  38    2904  wscript.exe
  39    2904  wscript.exe

Suspicious use of WriteProcessMemory - 6 IoCs
Processes:
  description                         pid   process       target process
  PID 1180 wrote to memory of 2148    1180  regsvr32.exe  regsvr32.exe
  PID 1180 wrote to memory of 2148    1180  regsvr32.exe  regsvr32.exe
  PID 1180 wrote to memory of 2148    1180  regsvr32.exe  regsvr32.exe
  PID 2148 wrote to memory of 2904    2148  regsvr32.exe  wscript.exe
  PID 2148 wrote to memory of 2904    2148  regsvr32.exe  wscript.exe
  PID 2148 wrote to memory of 2904    2148  regsvr32.exe  wscript.exe
Processes

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
  - Suspicious use of WriteProcessMemory
  PID: 1180

  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
    - Suspicious use of WriteProcessMemory
    PID: 2148

    C:\Windows\SysWOW64\wscript.exe
      command line: wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "
      - Blacklisted process makes network request
      PID: 2904
Network
MITRE ATT&CK Matrix
Downloads

MD5:    99b6dca5b8e85e916e684197b696383e
SHA1:   ed553c8952859ab355cb27df3f78b38b6758ed23
SHA256: 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d
SHA512: debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f