Analysis
max time kernel: 97s
max time network: 100s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:44
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Agent.ESBE.10784.16586.dll
Resource: win7v20201028
General
Target: SecuriteInfo.com.Trojan.Agent.ESBE.10784.16586.dll
Size: 289KB
MD5: fc480a72e6482e65a429ffab8362add6
SHA1: 415d5c5d4a51f51be3245780214d45b9a14cfae6
SHA256: e69d73208d67db59d8d02c8982426a97a3f76dc2174f15f1fab53f4473310f04
SHA512: e507c4d8a504f9ad09b85f1ebdd0a83ca876a4fd2e3a431612029bfbaae3117809291b030c47fb7cb45116f8307582f19b9ed2037d59dd4a6a8ebd979f2474be
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  resource: C:\Users\Public\CCGYPWTwr.iySAE  yara_rule: valak
  resource: C:\Users\Public\CCGYPWTwr.iySAE  yara_rule: valak_js
- JavaScript code in executable (1 IoC)
  resource: C:\Users\Public\CCGYPWTwr.iySAE  yara_rule: js
- Suspicious use of WriteProcessMemory (11 IoCs)
  description              pid   process       target process
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1632  288   rundll32.exe  rundll32.exe
  wrote to memory of 1344  1632  rundll32.exe  wscript.exe
  wrote to memory of 1344  1632  rundll32.exe  wscript.exe
  wrote to memory of 1344  1632  rundll32.exe  wscript.exe
  wrote to memory of 1344  1632  rundll32.exe  wscript.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.10784.16586.dll,#1
  PID: 288
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.ESBE.10784.16586.dll,#1
    PID: 1632
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe
      command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
      PID: 1344
- C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 540
Network
MITRE ATT&CK Matrix
Downloads
MD5: 6df4cb0a89bdabcf858e7e407e3975f5
SHA1: f41a9efe9f3cdce394893d90f564bb26e3cdd494
SHA256: c65b67bfe6a5acf6ebfb7f327a6ce8f93bfe5ec579fe783f611a73ce031f7232
SHA512: a49817c5b27a75263a57398a17f838e935660d554e6b36d8e11ec20817fd08b532851b527c7255d50556d85e1fa985ed0d766d7103f6178ab8ef8bab561b1a41