Analysis

  • max time kernel
    37s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:07

General

  • Target

    sfzs5.cab.dll

  • Size

    557KB

  • MD5

    ee92989c475e352b88f46663f59b30ea

  • SHA1

    29a5cba4725eae89d4d94ddfd2767cddeb93f7be

  • SHA256

    8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0

  • SHA512

    095c7fed4b273bc657cbd12fa46e790be005391cf56579326e46c2d5e5ea2de33b7e0d56c60c80a58865c1f582acc98a0a6dd65e28f862f045f8d6fbabc9a335

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader used as one stage in a distribution chain that delivers other malware families.

  • Valak JavaScript Loader 2 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_
        3⤵
          PID:4236
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:836
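
The process tree above shows the behaviour a detection engineer would key on: a 64-bit rundll32.exe loading the DLL by export ordinal (`,#1`), re-launching itself from SysWOW64, and that 32-bit rundll32 spawning wscript.exe with the `//E:jscript` engine override on a file in C:\Users\Public whose extension (.RJFl_) is not a script extension at all. The following is an added example, not part of the sandbox report and not the sandbox's own logic: a small Python routine that runs those three checks over process-creation events. The event records are constructed here (Sysmon event ID 1 style, with a parent PID of 1000 and a benign logon script that do not appear in the report); the command lines for PIDs 4760, 4824 and 4236 are taken from the tree above.

```python
import re

# Constructed sample events in the shape of Sysmon event ID 1 (process creation).
# The three malicious command lines match the report's process tree; the parent
# PID 1000 and the benign wscript.exe event are assumptions for illustration.
SAMPLE_EVENTS = [
    {"pid": 4760, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"pid": 4824, "ppid": 4760, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"pid": 4236, "ppid": 4824, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_"'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Extensions the Windows Script Host normally runs; anything else under //E: is suspicious.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ENGINE_RE = re.compile(r"//E:(\w+)", re.IGNORECASE)          # explicit engine override
ORDINAL_RE = re.compile(r"\.dll\s*,\s*#\d+", re.IGNORECASE)  # rundll32 export-by-ordinal
PUBLIC_DIR = "c:\\users\\public\\"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_target(cmdline):
    """First quoted argument if present, else the last whitespace-separated token."""
    m = re.search(r'"([^"]+)"', cmdline)
    if m:
        return m.group(1)
    tokens = cmdline.split()
    return tokens[-1] if len(tokens) > 1 else ""


def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def analyze(events):
    """Return [{'pid': ..., 'reasons': [...]}] for script-host launches that match the Valak pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = []
        engine = ENGINE_RE.search(e["cmdline"])
        target = script_target(e["cmdline"])
        ext = extension(target)
        # 1. Engine forced on a file whose extension would not map to WSH on its own.
        if engine and ext not in SCRIPT_EXTS:
            reasons.append(f"//E:{engine.group(1)} override on non-script extension {ext or '(none)'}")
        # 2. Payload staged in the world-writable C:\Users\Public.
        if target.lower().startswith(PUBLIC_DIR):
            reasons.append("script loaded from C:\\Users\\Public")
        # 3. Parent is rundll32 invoking a DLL export by ordinal.
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "rundll32.exe" and ORDINAL_RE.search(parent["cmdline"]):
            reasons.append(f"spawned by rundll32 loading a DLL export by ordinal (pid {parent['pid']})")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], "->", "; ".join(f["reasons"]))
```

Each check alone would be noisy on its own (administrators do use `//E:` and do keep scripts in C:\Users\Public), so the findings carry all matching reasons and a downstream rule can require two or more before alerting. On the constructed events only PID 4236 is flagged, with all three reasons; the benign logon.vbs launch produces nothing.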

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Public\DB_TGfNqo.RJFl_

    MD5

    2207304e71add81999c26eaa15ebbe18

    SHA1

    68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20

    SHA256

    d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c

    SHA512

    589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8

  • memory/4236-1-0x0000000000000000-mapping.dmp

  • memory/4824-0-0x0000000000000000-mapping.dmp