Analysis
- max time kernel: 144s
- max time network: 45s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:04
Static task: static1
Behavioral task: behavioral1
- Sample: frraw7.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: frraw7.dll
- Resource: win10v20201028
General
- Target: frraw7.dll
- Size: 874KB
- MD5: 35d1ffad54d3d7129938762b47509b23
- SHA1: 18e9626cce1bd753de6d3136b9c300aec9ebb210
- SHA256: 58feb0e5a795cf5f8ab9f7478b4f26ce936be728e4fa89fa3408f05049d90f2a
- SHA512: 9ae4dc177120dd3efa08f12b94cf1349b55caa705ee4bfb8e3600ecd05dbf2e07b658abd7d36cdd076fe2068c5f9df1715a3cc4c960a9e93456b3a9fb1aa441e
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  resource: C:\Users\Public\JjeEWeKob.Ut_Aw    yara_rule: valak
  resource: C:\Users\Public\JjeEWeKob.Ut_Aw    yara_rule: valak_js
- JavaScript code in executable (1 IoC)
  resource: C:\Users\Public\JjeEWeKob.Ut_Aw    yara_rule: js
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1068 (regsvr32.exe) wrote to memory of PID 1136 (regsvr32.exe)    [7 events]
  PID 1136 (regsvr32.exe) wrote to memory of PID 624 (wscript.exe)     [4 events]
Processes
- C:\Windows\system32\regsvr32.exe    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll    PID: 1068
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe    /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll    PID: 1136
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe    wscript.exe //E:jscript "C:\Users\Public\JjeEWeKob.Ut_Aw    PID: 624
- C:\Windows\system32\wbem\WmiApSrv.exe    C:\Windows\system32\wbem\WmiApSrv.exe    PID: 472
- C:\Windows\system32\wbem\WmiApSrv.exe    C:\Windows\system32\wbem\WmiApSrv.exe    PID: 1912
Network
MITRE ATT&CK Matrix
Downloads
- MD5: ba0750efd6315a327e9a5ef8d7cab931
- SHA1: 4f25989d89fc7bf80f6188c3d87dd7ff37783832
- SHA256: af627a0c52df523397dac39897b03a413bad485cb9e7ed4ad94f4d75a3b018a7
- SHA512: cf44e1a2a8a5e914745d3b08d4a4820bbce12e2ad19775d67cd86271a768c04f5e8dfee5a674c4eaf3ae35c6c2ea95d04af2b27723c2e115bdf320e50acfd94e