Analysis

  • max time kernel: 123s
  • max time network: 119s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 09-11-2020 20:42

General

  • Target: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
  • Size: 382KB
  • MD5: f8c131d55f8d6c2d1b9dba2b6d8def24
  • SHA1: 435ec42fefc05eba0a8005256c815979877d430a
  • SHA256: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5
  • SHA512: b542436917b9c9409f1c0b6349bb744c40431ccb13e9295cc6aa9dcb6bc2867074f0de01b8f89b1d51d761a0dd869d171599d61ff8b4304bbe57fa2f46575dcd

Score: 10/10
Signatures

  • Valak
    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
  • Valak JavaScript Loader (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe (PID 4704)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe (PID 4816)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\wscript.exe (PID 5060)
        Command line: wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s3ps.0 "
  • C:\Windows\system32\wbem\WmiApSrv.exe (PID 744)
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  • C:\Windows\system32\wbem\WmiApSrv.exe (PID 1168)
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  • C:\Windows\system32\wbem\WmiApSrv.exe (PID 1392)
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe

Downloads

  • C:\Users\Admin\AppData\Local\Temp\s3ps.0
    MD5: 470d495e3be204a63d434cba9c2ad2d0
    SHA1: 93d22f0756e4dfb0c63973e78a20cef5c0144951
    SHA256: cf18ccb923e1963d6df938f7fdb9c70277d19a0069f83d1c17b66bac06d672a6
    SHA512: 86983ccec99bb4cff1bbbb40b0bc74129b72d8e6a23e9e7e2cb5ae2b16d2743de62ac801616321791c3b7e444f17547d1a96f3bd17d91f50454ace8445fa3c74
  • memory/4816-0-0x0000000000000000-mapping.dmp
  • memory/5060-1-0x0000000000000000-mapping.dmp