Analysis

  • max time kernel: 133s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 09-11-2020 20:42

General

  • Target: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
  • Size: 382KB
  • MD5: f8c131d55f8d6c2d1b9dba2b6d8def24
  • SHA1: 435ec42fefc05eba0a8005256c815979877d430a
  • SHA256: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5
  • SHA512: b542436917b9c9409f1c0b6349bb744c40431ccb13e9295cc6aa9dcb6bc2867074f0de01b8f89b1d51d761a0dd869d171599d61ff8b4304bbe57fa2f46575dcd

Score
10/10

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\syg.0 "
        3⤵
        PID:1292
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:684
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:328

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syg.0
    MD5: 470d495e3be204a63d434cba9c2ad2d0
    SHA1: 93d22f0756e4dfb0c63973e78a20cef5c0144951
    SHA256: cf18ccb923e1963d6df938f7fdb9c70277d19a0069f83d1c17b66bac06d672a6
    SHA512: 86983ccec99bb4cff1bbbb40b0bc74129b72d8e6a23e9e7e2cb5ae2b16d2743de62ac801616321791c3b7e444f17547d1a96f3bd17d91f50454ace8445fa3c74

  • memory/1240-0-0x0000000000000000-mapping.dmp

  • memory/1292-1-0x0000000000000000-mapping.dmp

  • memory/1292-3-0x0000000002770000-0x0000000002774000-memory.dmp
    Filesize: 16KB