Analysis Overview
SHA256
1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1
Threat Level: Known bad
The file 1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1 was found to be: Known bad.
Malicious Activity Summary
Valak JavaScript Loader
Valak family
Valak
Blacklisted process makes network request
JavaScript code in executable
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:42
Signatures
Valak JavaScript Loader
Valak family
JavaScript code in executable
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:42
Reported
2020-11-10 23:32
Platform
win7v20201028
Max time kernel
146s
Max time network
151s
Signatures
Valak
Valak JavaScript Loader
Blacklisted process makes network request
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A | 16 |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1k8.0 "
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 8.8.8.8:53 | clientservices.googleapis.com | udp | 1 |
| N/A | 216.58.211.99:80 | clientservices.googleapis.com | tcp | 1 |
| N/A | 8.8.8.8:53 | update.googleapis.com | udp | 1 |
| N/A | 216.58.211.99:80 | update.googleapis.com | tcp | 1 |
| N/A | 8.8.8.8:53 | weus2watcab02.blob.core.windows.net | udp | 1 |
| N/A | 20.150.87.132:80 | weus2watcab02.blob.core.windows.net | tcp | 1 |
| N/A | 8.8.8.8:53 | katedesktop64.com | udp | 1 |
| N/A | 8.8.8.8:53 | leasurefilletmarrow.com | udp | 1 |
| N/A | 8.8.8.8:53 | ireiureoi0dwoi.com | udp | 1 |
| N/A | 35.205.61.67:80 | ireiureoi0dwoi.com | tcp | 13 |
Files
memory/2024-0-0x0000000000000000-mapping.dmp
memory/2004-1-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\s1k8.0
| MD5 | 99b6dca5b8e85e916e684197b696383e |
| SHA1 | ed553c8952859ab355cb27df3f78b38b6758ed23 |
| SHA256 | 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d |
| SHA512 | debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f |
memory/1672-3-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:42
Reported
2020-11-10 23:32
Platform
win10v20201028
Max time kernel
148s
Max time network
149s
Signatures
Valak
Valak JavaScript Loader
Blacklisted process makes network request
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A | 18 |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target | Count |
| PID 1180 wrote to memory of 2148 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 3 |
| PID 2148 wrote to memory of 2904 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wscript.exe | 3 |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "
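Both detonations show the same three-step chain: the 64-bit regsvr32 silently registers the sample from the user's Temp directory, hands off to the SysWOW64 regsvr32 (the normal hop for a 32-bit DLL on 64-bit Windows), and the DLL hosted there launches wscript.exe with an explicit //E:jscript engine override on a dropped file whose name carries a numeric extension (s1k8.0 in behavioral1, s1no.0 here, identical hashes in both runs). The WriteProcessMemory rows above pair each parent with the child it spawned, so the chain itself is what is worth detecting. The following is an added detection example, not code from the sandbox or the report: it replays constructed Sysmon-style process-creation events built from the PIDs and command lines of behavioral2 (the parent of the first regsvr32 and the benign control events are assumed) and flags the script host on four signals: engine override, extension mismatch, Temp-directory path, and regsvr32 ancestry.

```python
"""Flag the regsvr32 -> regsvr32 (SysWOW64) -> wscript.exe //E:jscript chain.

Added example, not part of the sandbox report. Events use a simplified
Sysmon-style process-creation layout; the parent of the first regsvr32 and
the benign control events are constructed.
"""
import ntpath
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\1f4e5c2cb23475c91e215dbfb0b23daf1bb97ab8ef74360c9dc92ac74d2435a1.dll"

# PIDs, images and command lines as logged in the behavioral2 detonation;
# ppid 900 for the first regsvr32 is an assumption.
EVENTS = [
    {"pid": 1180, "ppid": 900, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f"regsvr32 /s {DLL}"},
    {"pid": 2148, "ppid": 1180, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": f"/s {DLL}"},
    {"pid": 2904, "ppid": 2148, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s1no.0 "'},
]

# Constructed benign control: a logon script run by explorer and a vendor DLL
# registered from Program Files should produce no findings.
BENIGN_EVENTS = [
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
    {"pid": 502, "ppid": 400, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\app.dll"'},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
# Extensions each engine is normally paired with; an //E: override applied to a
# file with some other extension (here ".0") is the loader's tell.
ENGINE_EXTS = {"jscript": {".js", ".jse"}, "vbscript": {".vbs", ".vbe"}}


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes."""
    return [(q or bare).strip() for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def in_user_temp(path):
    return TEMP_MARKER in path.lower()


def parse_script_host(cmdline):
    """Return (engine, script_path) from a wscript/cscript command line; either may be None."""
    engine, script = None, None
    for tok in tokenize(cmdline)[1:]:
        m = re.fullmatch(r"//E:(\w+)", tok, re.IGNORECASE)
        if m:
            engine = m.group(1).lower()
        elif tok.startswith("/"):
            continue  # other host switches such as //B or //Nologo
        elif script is None:
            script = tok
    return engine, script


def ancestor_images(pid, by_pid):
    """Yield lower-cased image names of pid's parent, grandparent, ... while known."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield ntpath.basename(by_pid[pid]["image"]).lower()


def analyze(events):
    """Return one finding per suspicious process, with the reasons it was flagged."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        toks = tokenize(e["cmdline"])
        reasons = []
        if name == "regsvr32.exe":
            silent = any(t.lower() == "/s" for t in toks)
            if silent and any(in_user_temp(t) for t in toks if t.lower().endswith(".dll")):
                reasons.append("regsvr32 /s registering a DLL from the user's Temp directory")
        elif name in ("wscript.exe", "cscript.exe"):
            engine, script = parse_script_host(e["cmdline"])
            ext = ntpath.splitext(script)[1].lower() if script else ""
            if engine:
                reasons.append(f"engine override //E:{engine}")
                if script and ext not in ENGINE_EXTS.get(engine, set()):
                    reasons.append(f"script extension {ext or '(none)'} does not match engine")
            if script and in_user_temp(script):
                reasons.append("script runs from the user's Temp directory")
            if "regsvr32.exe" in ancestor_images(e["pid"], by_pid):
                reasons.append("script host spawned under regsvr32.exe")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

Run directly it prints three findings (both regsvr32 instances and the script host); the benign events produce none. The extension-mismatch check is the most specific of the four signals, since legitimate scripts seldom need the engine forced and a .0 suffix is not one any script engine owns; the Temp-path and ancestry checks widen coverage to variants that pick a different engine or file name.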
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 8.8.8.8:53 | clientservices.googleapis.com | udp | 1 |
| N/A | 216.58.211.99:80 | clientservices.googleapis.com | tcp | 1 |
| N/A | 8.8.8.8:53 | update.googleapis.com | udp | 1 |
| N/A | 216.58.211.99:80 | update.googleapis.com | tcp | 1 |
| N/A | 8.8.8.8:53 | weus2watcab02.blob.core.windows.net | udp | 1 |
| N/A | 20.150.87.132:80 | weus2watcab02.blob.core.windows.net | tcp | 1 |
| N/A | 8.8.8.8:53 | katedesktop64.com | udp | 1 |
| N/A | 8.8.8.8:53 | leasurefilletmarrow.com | udp | 1 |
| N/A | 8.8.8.8:53 | ireiureoi0dwoi.com | udp | 1 |
| N/A | 35.205.61.67:80 | ireiureoi0dwoi.com | tcp | 15 |
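Read together, the two network tables separate into three groups: background traffic a clean Windows VM generates on its own (the Google update and Microsoft blob endpoints), DNS queries to katedesktop64.com and leasurefilletmarrow.com with no follow-on TCP connection in the trace, and ireiureoi0dwoi.com, which resolved to 35.205.61.67 and received 13 HTTP connections in behavioral1 and 15 here. The following is an added triage example, not part of the report: it parses the behavioral2 rows as the sandbox listed them (one per connection), strips the background domains (that allowlist is an analyst assumption to tune against your own sandbox baseline), counts connections per destination and emits defanged indicators. The DNS-only domains are kept as block candidates; the trace alone does not show whether they resolved.

```python
"""Triage the sandbox network table: drop background noise, count connections, defang IOCs.

Added example, not part of the sandbox report. The allowlist of background
domains is an analyst assumption, not something the report asserts.
"""
import re
from collections import Counter

# Rows copied from the behavioral2 network table, one row per connection the
# sandbox logged (15 identical TCP rows for the last destination).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clientservices.googleapis.com | udp |
| N/A | 216.58.211.99:80 | clientservices.googleapis.com | tcp |
| N/A | 8.8.8.8:53 | update.googleapis.com | udp |
| N/A | 216.58.211.99:80 | update.googleapis.com | tcp |
| N/A | 8.8.8.8:53 | weus2watcab02.blob.core.windows.net | udp |
| N/A | 20.150.87.132:80 | weus2watcab02.blob.core.windows.net | tcp |
| N/A | 8.8.8.8:53 | katedesktop64.com | udp |
| N/A | 8.8.8.8:53 | leasurefilletmarrow.com | udp |
| N/A | 8.8.8.8:53 | ireiureoi0dwoi.com | udp |
""" + "| N/A | 35.205.61.67:80 | ireiureoi0dwoi.com | tcp |\n" * 15

# Domains a clean Windows VM with Chrome talks to during any detonation
# (assumed allowlist; tune it to your own sandbox's baseline).
BACKGROUND = {"googleapis.com", "blob.core.windows.net"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


def parse_rows(table):
    """Yield one dict per data row of the 4-column markdown table."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        yield dict(zip(("country", "dest", "domain", "proto"), cells))


def is_background(domain):
    return any(domain == b or domain.endswith("." + b) for b in BACKGROUND)


def triage(table):
    """Split rows into background noise, DNS-only domains and domains actually contacted."""
    noise, dns_seen, tcp = set(), [], Counter()
    for r in parse_rows(table):
        if is_background(r["domain"]):
            noise.add(r["domain"])
        elif r["proto"] == "udp" and r["dest"].endswith(":53"):
            if r["domain"] not in dns_seen:
                dns_seen.append(r["domain"])  # preserve order of first query
        elif r["proto"] == "tcp":
            tcp[(r["domain"], r["dest"])] += 1
    contacted = {}
    for (domain, dest), n in tcp.items():
        contacted.setdefault(domain, {})[dest] = n
    # Queried but never connected to in this trace; block them alongside the
    # contacted one rather than assuming they are dead.
    dns_only = [d for d in dns_seen if d not in contacted]
    return {"noise": sorted(noise), "dns_only": dns_only, "contacted": contacted}


def defang(ioc):
    """Defang a domain or IPv4[:port] so it cannot be clicked or auto-linked."""
    if IPV4_RE.match(ioc):
        head, _, tail = ioc.rpartition(".")
        return f"{head}[.]{tail}"
    return ioc.replace(".", "[.]")


def report(table):
    """Return defanged IOC lines for the contacted and DNS-only domains."""
    t = triage(table)
    lines = [f"{defang(d)} -> {defang(dest)} ({n} tcp)"
             for d, dests in t["contacted"].items() for dest, n in dests.items()]
    lines += [f"{defang(d)} (dns only)" for d in t["dns_only"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(NETWORK_TABLE)))
```

The allowlist matches on registrable suffix so the per-VM hostname prefix (weus2watcab02) does not matter; anything outside it that the sample both queried and connected to is listed with its connection count, which is how the single real destination here stands out from the two that were only looked up.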
Files
memory/2148-0-0x0000000000000000-mapping.dmp
memory/2904-1-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\s1no.0
| MD5 | 99b6dca5b8e85e916e684197b696383e |
| SHA1 | ed553c8952859ab355cb27df3f78b38b6758ed23 |
| SHA256 | 71880236ed275d8a0d1290636efe14ddc265fc4cad5797f20ebcf2e35ac9798d |
| SHA512 | debec520c220ce47f34d3ced6d0b86421b230deb28a40b48ed37da167e21d617a3d78b4b7020d31fd1b634197aef91e73572d56eb5063f0b0b70355c188e8f2f |