Malware Analysis Report

2024-11-13 16:55

Sample ID 201109-gcpnyaefw6
Target 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1
SHA256 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1
Tags valak Loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1

Threat Level: Known bad

The file 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1 was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak JavaScript Loader

Valak family

Valak

Blacklisted process makes network request

JavaScript code in executable

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-09 20:42

Signatures

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Valak family

valak

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 20:42

Reported

2020-11-10 23:32

Platform

win7v20201028

Max time kernel

146s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1k8.0 "

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientservices.googleapis.com udp
N/A 216.58.211.99:80 clientservices.googleapis.com tcp
N/A 8.8.8.8:53 update.googleapis.com udp
N/A 216.58.211.99:80 update.googleapis.com tcp
N/A 8.8.8.8:53 weus2watcab02.blob.core.windows.net udp
N/A 20.150.87.132:80 weus2watcab02.blob.core.windows.net tcp
N/A 8.8.8.8:53 katedesktop64.com udp
N/A 8.8.8.8:53 leasurefilletmarrow.com udp
N/A 8.8.8.8:53 ireiureoi0dwoi.com udp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp

Files

memory/2024-0-0x0000000000000000-mapping.dmp

memory/2004-1-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\s1k8.0

MD5 99b6dca5b8e85e916e684197b696383e
SHA1 ed553c8952859ab355cb27df3f78b38b6758ed23
SHA256 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d
SHA512 debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f

memory/1672-3-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 20:42

Reported

2020-11-10 23:32

Platform

win10v20201028

Max time kernel

148s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2148 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1180 wrote to memory of 2148 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1180 wrote to memory of 2148 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe
PID 2148 wrote to memory of 2904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe
PID 2148 wrote to memory of 2904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "
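Both behavioral runs (win7 above and win10 here) show the same three-process chain: the 64-bit regsvr32 silently (/s) loading a DLL from the user's Temp directory, re-executing as SysWOW64\regsvr32 (which is what 64-bit regsvr32 does when handed a 32-bit DLL), then spawning wscript.exe with //E:jscript on a dropped file that has no script extension (s1k8.0 / s1no.0). The WriteProcessMemory rows give the PIDs, 1180 -> 2148 -> 2904, and a parent writing into a child it has just created is consistent with ordinary process startup, so the chain itself is the signal rather than the memory writes. The Python below is an added example, not part of this report or of any sandbox's code: it runs that detection over constructed Sysmon-style process-creation events that mirror this tree, plus two constructed benign controls, and walks the full ancestry so the WoW64 hop between the two regsvr32 instances does not break the match. The ATT&CK mapping is mine (the report lists N/A): Regsvr32 is T1218.010, JavaScript is T1059.007.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (constructed for this example)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the behavioral2 process tree of this report
# (PIDs 1180 -> 2148 -> 2904 taken from the WriteProcessMemory table; the
# parent PID 900 of the first regsvr32 and the two benign controls are assumed).
SAMPLE_EVENTS = [
    ProcEvent(1180, 900, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll"),
    ProcEvent(2148, 1180, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll"),
    ProcEvent(2904, 2148, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "'),
    # Benign control (constructed): registering a system DLL from System32.
    ProcEvent(3000, 900, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\system32\vbscript.dll"),
    # Benign control (constructed): a logon script with its normal extension, no forced engine.
    ProcEvent(3100, 900, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),
]

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def _last_arg_path(cmdline):
    """Last path-like argument; a quoted argument is returned as written, including
    the trailing space inside the quotes that this sample's wscript line carries."""
    m = re.search(r'"([^"]+)"\s*$', cmdline)
    if m:
        return m.group(1)
    parts = cmdline.split()
    return parts[-1] if parts else ""


def regsvr32_user_dll(ev):
    """regsvr32 (either bitness) loading a .dll from a user-writable AppData path."""
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return False
    target = _last_arg_path(ev.cmdline).rstrip()
    return target.lower().endswith(".dll") and bool(USER_WRITABLE.search(target))


def wscript_forced_engine(ev):
    """wscript/cscript with //E:<engine> on a user-writable file whose extension is
    not a script extension (the engine flag is what makes a '.0' file run as JScript)."""
    if ntpath.basename(ev.image).lower() not in ("wscript.exe", "cscript.exe"):
        return False
    if not re.search(r"//e:(jscript|vbscript)", ev.cmdline, re.I):
        return False
    target = _last_arg_path(ev.cmdline).rstrip()
    ext = ntpath.splitext(target)[1].lower()
    return ext not in SCRIPT_EXTS and bool(USER_WRITABLE.search(target))


def ancestors(events, pid):
    """Process and its ancestors, nearest first; stops at unknown PIDs or cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_valak_chain(events):
    """Return [(wscript_pid, [pid chain]), ...] for every forced-engine wscript whose
    ancestry (not only its direct parent) contains a regsvr32 loading a user-temp DLL."""
    hits = []
    for ev in events:
        if not wscript_forced_engine(ev):
            continue
        chain = ancestors(events, ev.pid)
        if any(regsvr32_user_dll(a) for a in chain[1:]):
            hits.append((ev.pid, [a.pid for a in chain]))
    return hits


if __name__ == "__main__":
    for pid, chain in detect_valak_chain(SAMPLE_EVENTS):
        print(f"wscript PID {pid} reached via {' <- '.join(map(str, chain))}")
```

Matching on the ancestry rather than the direct parent matters here because a 64-bit host inserts the SysWOW64 regsvr32 between the process that ran the command line and the script host; a rule written only against behavioral1's tree on win7 would otherwise miss the same chain on win10.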

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientservices.googleapis.com udp
N/A 216.58.211.99:80 clientservices.googleapis.com tcp
N/A 8.8.8.8:53 update.googleapis.com udp
N/A 216.58.211.99:80 update.googleapis.com tcp
N/A 8.8.8.8:53 weus2watcab02.blob.core.windows.net udp
N/A 20.150.87.132:80 weus2watcab02.blob.core.windows.net tcp
N/A 8.8.8.8:53 katedesktop64.com udp
N/A 8.8.8.8:53 leasurefilletmarrow.com udp
N/A 8.8.8.8:53 ireiureoi0dwoi.com udp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp
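The two Network tables (behavioral1 and behavioral2) mix three kinds of rows: Google and Microsoft endpoints that a sandbox image contacts on its own, two domains that are only ever looked up at the resolver with no follow-on connection, and one domain that is resolved and then hit repeatedly over plain HTTP. The Python below is an added example, not part of this report: it parses rows copied from the behavioral2 table (constructed inline), folds the per-connection rows into a per-domain summary, and splits them into background noise, DNS-only lookups and connection-backed C2 candidates. The background-suffix list is an assumption about the sandbox image, not something the report states. The dropped script is included as a file indicator because its name changes between runs (s1k8.0, s1no.0) while its SHA256 is identical in both.

```python
from collections import defaultdict

# Constructed: the rows of the behavioral2 Network table (9 distinct rows, then the
# 15 repeated HTTP connections to the same host).
NETWORK_ROWS = """\
N/A 8.8.8.8:53 clientservices.googleapis.com udp
N/A 216.58.211.99:80 clientservices.googleapis.com tcp
N/A 8.8.8.8:53 update.googleapis.com udp
N/A 216.58.211.99:80 update.googleapis.com tcp
N/A 8.8.8.8:53 weus2watcab02.blob.core.windows.net udp
N/A 20.150.87.132:80 weus2watcab02.blob.core.windows.net tcp
N/A 8.8.8.8:53 katedesktop64.com udp
N/A 8.8.8.8:53 leasurefilletmarrow.com udp
N/A 8.8.8.8:53 ireiureoi0dwoi.com udp
""" + "N/A 35.205.61.67:80 ireiureoi0dwoi.com tcp\n" * 15

# SHA256 of the dropped JScript file, identical in both runs of this report.
DROPPED_SCRIPT_SHA256 = "71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d"

# Assumption: traffic to these suffixes is the sandbox image's own update/telemetry
# activity and is not attributed to the sample.
BACKGROUND_SUFFIXES = (".googleapis.com", ".blob.core.windows.net")
RESOLVER = "8.8.8.8:53"


def parse_rows(text):
    """One dict per row: Country Destination Domain Proto -> ip, port, domain, proto."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """Per domain: number of resolver lookups, number of connections, destination set."""
    summ = defaultdict(lambda: {"dns": 0, "conn": 0, "dests": set()})
    for r in rows:
        s = summ[r["domain"]]
        dest = f'{r["ip"]}:{r["port"]}'
        if r["proto"] == "udp" and dest == RESOLVER:
            s["dns"] += 1
        else:
            s["conn"] += 1
            s["dests"].add(dest)
    return dict(summ)


def triage(rows):
    """Split domains into background noise, lookups with no connection, and
    connection-backed C2 candidates (domain, sorted destinations, connection count)."""
    out = {"background": [], "dns_only": [], "c2_candidate": []}
    for domain, s in summarise(rows).items():
        if domain.endswith(BACKGROUND_SUFFIXES):
            out["background"].append(domain)
        elif s["conn"] == 0:
            out["dns_only"].append(domain)
        else:
            out["c2_candidate"].append((domain, sorted(s["dests"]), s["conn"]))
    return out


def ioc_list(triaged):
    """Flat (type, value) list suitable for a blocklist: connected domains and their
    IPs first, DNS-only domains next, then the stable dropped-file hash."""
    iocs = []
    for domain, dests, _count in triaged["c2_candidate"]:
        iocs.append(("domain", domain))
        for dest in dests:
            iocs.append(("ip", dest.rsplit(":", 1)[0]))
    for domain in triaged["dns_only"]:
        iocs.append(("domain", domain))
    iocs.append(("sha256", DROPPED_SCRIPT_SHA256))
    return iocs


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    for bucket, items in t.items():
        print(bucket, items)
    print(ioc_list(t))
```

The DNS-only domains are kept as indicators rather than discarded: a lookup with no connection means either the name did not resolve during the run or the sample moved on to the next host in its list, and neither case makes the name less useful for DNS-based blocking.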

Files

memory/2148-0-0x0000000000000000-mapping.dmp

memory/2904-1-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\s1no.0

MD5 99b6dca5b8e85e916e684197b696383e
SHA1 ed553c8952859ab355cb27df3f78b38b6758ed23
SHA256 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d
SHA512 debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f