Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:42

General

  • Target

    1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

  • Size

    199KB

  • MD5

    d105288de6fc3fddfcec21d43de2c4eb

  • SHA1

    e22b404e1fec743f0795cdea8a95337660878860

  • SHA256

    1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1

  • SHA512

    b161762f2b11d13d89c0081c2698136edf091fc56b865ed7fb89d5366a1d16ec870479c5e250abef23d0dfd2e9ba8f2426417d4fe7d04950ae30e9b03e5061d6

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader that serves as one link in the distribution chain for other malware families.

  • Valak JavaScript Loader 1 IoCs
  • Blacklisted process makes network request 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "
        3⤵
        • Blacklisted process makes network request
        PID:2904

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\s1no.0

    MD5

    99b6dca5b8e85e916e684197b696383e

    SHA1

    ed553c8952859ab355cb27df3f78b38b6758ed23

    SHA256

    71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d

    SHA512

    debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f

  • memory/2148-0-0x0000000000000000-mapping.dmp

  • memory/2904-1-0x0000000000000000-mapping.dmp