Analysis
max time kernel: 50s
max time network: 14s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:42

Static task: static1
Behavioral task: behavioral1
Sample: Valak (4).cab.dll
Resource: win7v20201028
0 signatures
0 seconds
General
Target: Valak (4).cab.dll
Size: 288KB
MD5: 3c70b822d582b69bd73c95972456fcc0
SHA1: 3e237189fc93b533b244e38f28febede60451171
SHA256: d656774897240bb30faada488a1f2fe89a4bb36421bf07cea3accfb83a13efd1
SHA512: ee023b7ef4a821d25dd2f47bb12a325908baa974ed6832b8c7ec5a95d83358ad50f5e36ed11f04fd0d49142e0fa48313cd2f589e82b19dcd93daedd066177a5b
Malware Config
Signatures
Valak JavaScript Loader (2 IoCs)
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   valak
  C:\Users\Public\CCGYPWTwr.iySAE   valak_js

JavaScript code in executable (1 IoC)
  resource                          yara_rule
  C:\Users\Public\CCGYPWTwr.iySAE   js

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid    process        target process
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 596 wrote to memory of 1908   596    rundll32.exe   rundll32.exe
  PID 1908 wrote to memory of 1236  1908   rundll32.exe   wscript.exe
  PID 1908 wrote to memory of 1236  1908   rundll32.exe   wscript.exe
  PID 1908 wrote to memory of 1236  1908   rundll32.exe   wscript.exe
  PID 1908 wrote to memory of 1236  1908   rundll32.exe   wscript.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (4).cab.dll",#1
  Suspicious use of WriteProcessMemory
  PID: 596
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Valak (4).cab.dll",#1
    Suspicious use of WriteProcessMemory
    PID: 1908
    C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      PID: 1236
C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 792
Network
MITRE ATT&CK Matrix
Downloads
MD5: 6df4cb0a89bdabcf858e7e407e3975f5
SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41