Malware Analysis Report

2024-11-13 16:55

Sample ID 201109-jce4d72f6x
Target 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5
SHA256 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5
Tags: valak, Loader
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5

Threat Level: Known bad

The file 0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5 was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak JavaScript Loader

Valak family

Valak

JavaScript code in executable

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2020-11-09 20:42

Signatures

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Valak family
Tags: valak

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-09 20:42
Reported: 2020-11-10 23:32
Platform: win7v20201028
Max time kernel: 133s
Max time network: 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

Signatures

Valak
Tags: Loader, valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\syg.0 "

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/1240-0-0x0000000000000000-mapping.dmp

memory/1292-1-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\syg.0

MD5 470d495e3be204a63d434cba9c2ad2d0
SHA1 93d22f0756e4dfb0c63973e78a20cef5c0144951
SHA256 cf18ccb923e1963d6df938f7fdb9c70277d19a0069f83d1c17b66bac06d672a6
SHA512 86983ccec99bb4cff1bbbb40b0bc74129b72d8e6a23e9e7e2cb5ae2b16d2743de62ac801616321791c3b7e444f17547d1a96f3bd17d91f50454ace8445fa3c74

memory/1292-3-0x0000000002770000-0x0000000002774000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-09 20:42
Reported: 2020-11-10 23:32
Platform: win10v20201028
Max time kernel: 123s
Max time network: 119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

Signatures

Valak
Tags: Loader, valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 4816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4704 wrote to memory of 4816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4704 wrote to memory of 4816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4816 wrote to memory of 5060 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe
PID 4816 wrote to memory of 5060 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe
PID 4816 wrote to memory of 5060 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0387ab464a28a94f88f1689a34c69924938b784c13af830b59af0efd6fbb2ea5.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Admin\AppData\Local\Temp\s3ps.0 "

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/4816-0-0x0000000000000000-mapping.dmp

memory/5060-1-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\s3ps.0

MD5 470d495e3be204a63d434cba9c2ad2d0
SHA1 93d22f0756e4dfb0c63973e78a20cef5c0144951
SHA256 cf18ccb923e1963d6df938f7fdb9c70277d19a0069f83d1c17b66bac06d672a6
SHA512 86983ccec99bb4cff1bbbb40b0bc74129b72d8e6a23e9e7e2cb5ae2b16d2743de62ac801616321791c3b7e444f17547d1a96f3bd17d91f50454ace8445fa3c74