Analysis

max time kernel: 144s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:42

Static task: static1
Behavioral task: behavioral1
Sample: Valak (9).cab.dll
Resource: win7v20201028
0 signatures
0 seconds
General

Target: Valak (9).cab.dll
Size: 288KB
MD5: bb52d85f3b3aafaf047f3e9a5b1c5f06
SHA1: 75c71f7dd579c9ac1d6c1d1bcf69753021390f5c
SHA256: e4093649633b05316196a275bd0845829d0e9a63a78943977f96770b3e74a7f1
SHA512: b19c3dd1703f5a042e87d6902353ef1560714c37c06d47859c966803e59752f2b1b78484a891eeeeea4d6d15901d0f0e5a222b5a74b1b264d46f6d3d15b9c2ce
Malware Config

Signatures

Valak JavaScript Loader (2 IoCs)
Processes:
resource                          yara_rule
C:\Users\Public\CCGYPWTwr.iySAE   valak
C:\Users\Public\CCGYPWTwr.iySAE   valak_js

JavaScript code in executable (1 IoC)
Processes:
resource                          yara_rule
C:\Users\Public\CCGYPWTwr.iySAE   js

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                        pid    process        target process
PID 1628 wrote to memory of 856    1628   rundll32.exe   rundll32.exe
PID 1628 wrote to memory of 856    1628   rundll32.exe   rundll32.exe
PID 1628 wrote to memory of 856    1628   rundll32.exe   rundll32.exe
PID 856 wrote to memory of 2280    856    rundll32.exe   wscript.exe
PID 856 wrote to memory of 2280    856    rundll32.exe   wscript.exe
PID 856 wrote to memory of 2280    856    rundll32.exe   wscript.exe
Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (9).cab.dll",#1
    PID: 1628
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (9).cab.dll",#1
        PID: 856
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\wscript.exe
            command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
            PID: 2280

C:\Windows\system32\wbem\WmiApSrv.exe
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 1404
Network
MITRE ATT&CK Matrix
Downloads

MD5: 6df4cb0a89bdabcf858e7e407e3975f5
SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41