Analysis
max time kernel: 133s
max time network: 123s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:42

Static task: static1
Behavioral task: behavioral1
Sample: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
Resource: win7v20201028
General
Target: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
Size: 382KB
MD5: f8c131d55f8d6c2d1b9dba2b6d8def24
SHA1: 435ec42fefc05eba0a8005256c815979877d430a
SHA256: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5
SHA512: b542436917b9c9409f1c0b6349bb744c40431ccb13e9295cc6aa9dcb6bc2867074f0de01b8f89b1d51d761a0dd869d171599d61ff8b4304bbe57fa2f46575dcd
Malware Config
Signatures

Valak JavaScript Loader (1 IoC)
resource                                      | yara_rule
C:\Users\Admin\AppData\Local\Temp\syg.0       | valak

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: regsvr32.exe, regsvr32.exe
description                        | pid  | process      | target process | reported
PID 1916 wrote to memory of 1240   | 1916 | regsvr32.exe | regsvr32.exe   | 7 times
PID 1240 wrote to memory of 1292   | 1240 | regsvr32.exe | wscript.exe    | 4 times
Processes

C:\Windows\system32\regsvr32.exe (PID 1916)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
  signature: Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\regsvr32.exe (PID 1240)
      command line: /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
      signature: Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\wscript.exe (PID 1292)
          command line: wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\syg.0 "

C:\Windows\system32\wbem\WmiApSrv.exe (PID 684)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe (PID 328)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
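The tree above is the behaviour worth detecting: the 64-bit regsvr32.exe hands off to its SysWOW64 copy (expected when a 32-bit DLL is registered on x64), and the DLL's registration routine then launches wscript.exe with the //E:jscript switch on a dropped Temp file named syg.0. The //E: switch tells Windows Script Host which engine to use regardless of file extension, which is why the loader can hide its JScript in a file that does not end in .js. The following is an added detection example, not part of the sandbox output or of any vendor's ruleset; the process records are constructed to mirror the report's process tree (plus two constructed benign launches for contrast), the record field names pid/ppid/image/cmdline are an assumption rather than a specific log format, and the parent PIDs of the depth-1 processes are unknown in the report and set to None here.

```python
import ntpath
import re

# Constructed process-creation records mirroring the report's process tree,
# followed by two constructed benign script-host launches. Field names are an
# assumption, not a specific EDR/Sysmon schema. Root ppids are unknown (None).
EVENTS = [
    {"pid": 1916, "ppid": None, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll"},
    {"pid": 1240, "ppid": 1916, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll"},
    {"pid": 1292, "ppid": 1240, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\syg.0 "'},
    {"pid": 684, "ppid": None, "image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "cmdline": r"C:\Windows\system32\wbem\WmiApSrv.exe"},
    # Constructed benign contrasts: a logon script and an admin inventory tool.
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\Documents\logon.vbs"'},
    {"pid": 2001, "ppid": 1600, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //E:jscript C:\Scripts\inventory.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# //E:<engine> overrides the extension-based engine choice in Windows Script Host.
ENGINE_SWITCH = re.compile(r"//E:\s*(jscript|vbscript)", re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(by_pid, pid):
    """Image basenames from the given process up to the root (child first).
    Stops when the parent is unknown or a PID cycle would form."""
    chain, seen = [], set()
    while pid is not None and pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def script_argument(cmdline):
    """Best effort: the last quoted argument if any, else the last token."""
    quoted = re.findall(r'"([^"]*)"', cmdline)
    if quoted:
        return quoted[-1].strip()  # the report's path has a trailing space inside the quotes
    tokens = cmdline.split()
    return tokens[-1] if tokens else ""


def find_suspicious_script_hosts(events):
    """Flag wscript/cscript launches that combine at least two of: a forced
    engine, a non-script extension, a user Temp location, a regsvr32 ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = []
        if ENGINE_SWITCH.search(e["cmdline"]):
            reasons.append("engine forced with //E:")
        script = script_argument(e["cmdline"])
        ext = ntpath.splitext(script)[1].lower()
        if ext not in SCRIPT_EXTS:
            reasons.append("non-script extension %r" % ext)
        if USER_TEMP.search(script):
            reasons.append("script in user Temp")
        chain = ancestry(by_pid, e["pid"])
        if "regsvr32.exe" in chain[1:]:
            reasons.append("ancestor regsvr32.exe")
        if len(reasons) >= 2:
            hits.append({"pid": e["pid"], "chain": " > ".join(reversed(chain)),
                         "script": script, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_script_hosts(EVENTS):
        print("PID %d  %s" % (hit["pid"], hit["chain"]))
        print("  script:", hit["script"])
        for r in hit["reasons"]:
            print("  -", r)
```

Requiring two indicators keeps a plain `cscript //E:jscript tool.js` from an admin out of the alert queue while still catching the report's chain, which scores on all four; the regsvr32-to-regsvr32 WoW64 hop is deliberately not scored on its own, since it is normal for any 32-bit DLL registered on a 64-bit host.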
Network
MITRE ATT&CK Matrix
Downloads
MD5: 470d495e3be204a63d434cba9c2ad2d0
SHA1: 93d22f0756e4dfb0c63973e78a20cef5c0144951
SHA256: cf18ccb923e1963d6df938f7fdb9c70277d19a0069f83d1c17b66bac06d672a6
SHA512: 86983ccec99bb4cff1bbbb40b0bc74129b72d8e6a23e9e7e2cb5ae2b16d2743de62ac801616321791c3b7e444f17547d1a96f3bd17d91f50454ace8445fa3c74