Analysis
- max time kernel: 50s
- max time network: 30s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:44

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Agent.ESBE.10931.26687.dll
Resource: win7v20201028
General
- Target: SecuriteInfo.com.Trojan.Agent.ESBE.10931.26687.dll
- Size: 289KB
- MD5: 70f8f511f1b80e43d0fc2820d2560dbb
- SHA1: b7299de306756f6233a203e3afd48a9f8f549a2c
- SHA256: e392d5a3ab3d10f866705a7c8edc5f76f600bda2783f7c8e848cb8d06fbb04d2
- SHA512: 008b661222a7ec068756ac44e032a3dd431206e1bfaa15d8a579e7b97d2a629c53f17b4c4ba94090fc61282bf3f357d892f000a5414e6cabe6c5725239be9b29
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
  resource                         yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE  valak
  C:\Users\Public\CCGYPWTwr.iySAE  valak_js

- JavaScript code in executable (1 IoCs)
  Processes:
  resource                         yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE  js

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 684 wrote to memory of 1860   684   rundll32.exe  rundll32.exe
  PID 1860 wrote to memory of 1104  1860  rundll32.exe  wscript.exe
  PID 1860 wrote to memory of 1104  1860  rundll32.exe  wscript.exe
  PID 1860 wrote to memory of 1104  1860  rundll32.exe  wscript.exe
  PID 1860 wrote to memory of 1104  1860  rundll32.exe  wscript.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.10931.26687.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 684
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.10931.26687.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1860
    - C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      PID: 1104
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1128
Network
MITRE ATT&CK Matrix
Downloads
- MD5: 6df4cb0a89bdabcf858e7e407e3975f5
  SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
  SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
  SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41