Analysis

Max time kernel: 74s
Max time network: 77s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09-11-2020 20:07

Static task: static1
Behavioral task: behavioral1
Sample: sfzs5.cab.dll
Resource: win7v20201028
0 signatures, 0 seconds
General

Target: sfzs5.cab.dll
Size: 557KB
MD5: ee92989c475e352b88f46663f59b30ea
SHA1: 29a5cba4725eae89d4d94ddfd2767cddeb93f7be
SHA256: 8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0
SHA512: 095c7fed4b273bc657cbd12fa46e790be005391cf56579326e46c2d5e5ea2de33b7e0d56c60c80a58865c1f582acc98a0a6dd65e28f862f045f8d6fbabc9a335
Malware Config

Signatures

Valak JavaScript Loader (2 IoCs)
Processes:
  resource: C:\Users\Public\DB_TGfNqo.RJFl_   yara_rule: valak
  resource: C:\Users\Public\DB_TGfNqo.RJFl_   yara_rule: valak_js

JavaScript code in executable (1 IoC)
Processes:
  resource: C:\Users\Public\DB_TGfNqo.RJFl_   yara_rule: js

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description          | pid  | process      | target PID | target process
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 1804 | rundll32.exe | 2008       | rundll32.exe
  wrote to memory of   | 2008 | rundll32.exe | 1424       | wscript.exe
  wrote to memory of   | 2008 | rundll32.exe | 1424       | wscript.exe
  wrote to memory of   | 2008 | rundll32.exe | 1424       | wscript.exe
  wrote to memory of   | 2008 | rundll32.exe | 1424       | wscript.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
  PID: 1804
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
      PID: 2008
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\wscript.exe
          command line: wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_
          PID: 1424

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 788
Network
MITRE ATT&CK Matrix
Downloads
MD5: 2207304e71add81999c26eaa15ebbe18
SHA1: 68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20
SHA256: d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c
SHA512: 589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8