Analysis
max time kernel: 54s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:42

Static task: static1
Behavioral task: behavioral1
Sample: Valak (8).cab.dll
Resource: win7v20201028
0 signatures
0 seconds
General
Target: Valak (8).cab.dll
Size: 288KB
MD5: 952db9c600d714d03b4edf0a0843a3ee
SHA1: ff1d6f2b20eba0ddb874871a1c0ca12ade9e1afe
SHA256: b1e5983b2cb7e5b79e15dfbf0c2264f590910cec07c3bf7696b85c89160602f5
SHA512: 3b72a5244068a0c462f7710363a8e1af196c02243098b77ea75e0203f5bd30d527750d888f4d884174b14983548a24eda188bf310e29523482dfcab93f8a54ef
Malware Config
Signatures

Valak JavaScript Loader (2 IoCs)
Processes:
resource                          | yara_rule
C:\Users\Public\CCGYPWTwr.iySAE   | valak
C:\Users\Public\CCGYPWTwr.iySAE   | valak_js

JavaScript code in executable (1 IoC)
Processes:
resource                          | yara_rule
C:\Users\Public\CCGYPWTwr.iySAE   | js

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description                        | pid  | process      | target process
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1376   | 1900 | rundll32.exe | rundll32.exe
PID 1376 wrote to memory of 1584   | 1376 | rundll32.exe | wscript.exe
PID 1376 wrote to memory of 1584   | 1376 | rundll32.exe | wscript.exe
PID 1376 wrote to memory of 1584   | 1376 | rundll32.exe | wscript.exe
PID 1376 wrote to memory of 1584   | 1376 | rundll32.exe | wscript.exe
Processes (process tree; indentation shows parent/child)

C:\Windows\system32\rundll32.exe
  command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (8).cab.dll",#1
  signature: Suspicious use of WriteProcessMemory
  PID: 1900

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (8).cab.dll",#1
    signature: Suspicious use of WriteProcessMemory
    PID: 1376

    C:\Windows\SysWOW64\wscript.exe
      command: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      PID: 1584

C:\Windows\system32\wbem\WmiApSrv.exe
  command: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1096
Network
MITRE ATT&CK Matrix
Downloads
MD5: 6df4cb0a89bdabcf858e7e407e3975f5
SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41