Analysis

  • max time kernel
    74s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:07

General

  • Target

    sfzs5.cab.dll

  • Size

    557KB

  • MD5

    ee92989c475e352b88f46663f59b30ea

  • SHA1

    29a5cba4725eae89d4d94ddfd2767cddeb93f7be

  • SHA256

    8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0

  • SHA512

    095c7fed4b273bc657cbd12fa46e790be005391cf56579326e46c2d5e5ea2de33b7e0d56c60c80a58865c1f582acc98a0a6dd65e28f862f045f8d6fbabc9a335

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_
        3⤵
        PID:1424
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:788

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Public\DB_TGfNqo.RJFl_

    MD5

    2207304e71add81999c26eaa15ebbe18

    SHA1

    68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20

    SHA256

    d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c

    SHA512

    589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8

  • memory/1424-1-0x0000000000000000-mapping.dmp

  • memory/1424-3-0x0000000002700000-0x0000000002704000-memory.dmp

    Filesize

    16KB

  • memory/2008-0-0x0000000000000000-mapping.dmp