Analysis
- max time kernel: 47s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:14

Static task: static1
Behavioral task: behavioral1
- Sample: haao15.cab.exe_.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds
General
- Target: haao15.cab.exe_.dll
- Size: 242KB
- MD5: 0274a7ca31ebac9b62ec63a06260407a
- SHA1: 8270c4098810834cf01a14e38c81054bf98cccef
- SHA256: 4069689f46e160bb37d2fed931b8aa255f1cc8df5161ae0f5ed67c6bc3ce545d
- SHA512: 11ec6977bc72d7fb246e12223e544c519d8f4b6437e97438415f6c136dd8e4d67911f30341a08677edb1201fda588d5e56cf1cffe5e2fdd614929849e02a28cc
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Public\anFJjtYxH.eB_c_ | valak
  C:\Users\Public\anFJjtYxH.eB_c_ | valak_js
- JavaScript code in executable (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Public\anFJjtYxH.eB_c_ | js
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 336 wrote to memory of 1892 | 336 | rundll32.exe | rundll32.exe (7 events)
  PID 1892 wrote to memory of 1284 | 1892 | rundll32.exe | wscript.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\haao15.cab.exe_.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 336
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\haao15.cab.exe_.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1892
    - C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\anFJjtYxH.eB_c_
      PID: 1284
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1736
Network
MITRE ATT&CK Matrix
Downloads
- MD5: bf9cfe46e69997b0d8ac4ffb528ab0df
- SHA1: 399337ad73221675067a85f3251e31042886d536
- SHA256: 395df3a563bc865221738b938998e6a45094f5c396302e4f151631e78aeb9d2d
- SHA512: f432a42d355d5ac058dd68660b9d0a7bd901eaf3b55fd184b3fb2c7b075523eca7e1262bc757fc2600934112fde781823d721a32754f87f6501f487b36b10fa9