Analysis
max time kernel: 153s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll
  Resource: win10v2004-en-20220112
General
Target: 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll
Size: 304KB
MD5: 03548d46adf65abe05b9da64b08b8258
SHA1: 851319fd8d8a50f6c0c205a58314853ef9d52529
SHA256: 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a
SHA512: f74701533a6a931640d8cd5ca983356ca32351a88dbf283308c9baefad5cd333060ae5a1acaa4071a2de368465795bbb453326b75ac91fb3fa3e7b3f7e5c55d4
Malware Config
Signatures
Valak JavaScript Loader (2 IoCs)
Processes:
  resource                         yara_rule
  C:\Users\Public\iVIwVADQD.eLxan  valak
  C:\Users\Public\iVIwVADQD.eLxan  valak_js
Blocklisted process makes network request (2 IoCs)
Processes: wscript.exe
  flow  pid   process
  5     1400  wscript.exe
  8     1400  wscript.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                    pid   process       target process
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 1044 wrote to memory of 608   1044  rundll32.exe  rundll32.exe
  PID 608 wrote to memory of 1400   608   rundll32.exe  wscript.exe
  PID 608 wrote to memory of 1400   608   rundll32.exe  wscript.exe
  PID 608 wrote to memory of 1400   608   rundll32.exe  wscript.exe
  PID 608 wrote to memory of 1400   608   rundll32.exe  wscript.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1044
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 608
    C:\Windows\SysWOW64\wscript.exe
      wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
      - Blocklisted process makes network request
      PID: 1400
C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1892
Network
MITRE ATT&CK Matrix
Downloads
MD5: bc9ac467126926bfd2782428da6f1a09
SHA1: f9d6fbc917446025fb63cc622a117a11544ce34b
SHA256: 0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9
SHA512: f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c