Malware Analysis Report

2024-11-15 09:08

Sample ID 201109-tq8wgtnj1n
Target frraw7.dll
SHA256 58feb0e5a795cf5f8ab9f7478b4f26ce936be728e4fa89fa3408f05049d90f2a
Tags
valak Loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58feb0e5a795cf5f8ab9f7478b4f26ce936be728e4fa89fa3408f05049d90f2a

Threat Level: Known bad

The file frraw7.dll was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak

Valak JavaScript Loader

JavaScript code in executable

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-09 20:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 20:04

Reported

2020-11-10 05:29

Platform

win7v20201028

Max time kernel

144s

Max time network

45s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\JjeEWeKob.Ut_Aw

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/1136-0-0x0000000000000000-mapping.dmp

memory/624-1-0x0000000000000000-mapping.dmp

C:\Users\Public\JjeEWeKob.Ut_Aw

MD5 ba0750efd6315a327e9a5ef8d7cab931
SHA1 4f25989d89fc7bf80f6188c3d87dd7ff37783832
SHA256 af627a0c52df523397dac39897b03a413bad485cb9e7ed4ad94f4d75a3b018a7
SHA512 cf44e1a2a8a5e914745d3b08d4a4820bbce12e2ad19775d67cd86271a768c04f5e8dfee5a674c4eaf3ae35c6c2ea95d04af2b27723c2e115bdf320e50acfd94e

memory/624-3-0x00000000025A0000-0x00000000025A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 20:04

Reported

2020-11-10 05:30

Platform

win10v20201028

Max time kernel

1s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3408 wrote to memory of 856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3408 wrote to memory of 856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\frraw7.dll

Network

Country Destination Domain Proto
N/A 52.109.12.18:443 tcp

Files

memory/856-0-0x0000000000000000-mapping.dmp