Analysis

  • max time kernel
    160s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:32

General

  • Target

    3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll

  • Size

    304KB

  • MD5

    03548d46adf65abe05b9da64b08b8258

  • SHA1

    851319fd8d8a50f6c0c205a58314853ef9d52529

  • SHA256

    3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a

  • SHA512

    f74701533a6a931640d8cd5ca983356ca32351a88dbf283308c9baefad5cd333060ae5a1acaa4071a2de368465795bbb453326b75ac91fb3fa3e7b3f7e5c55d4

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Sets service image path in registry 2 TTPs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
        3⤵
        • Blocklisted process makes network request
        PID:3804
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 713e508236bbece952d0e8d1319883eb v3ZlOpwF30iFnWPJhhsB+A.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1596
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:2136
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:988
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k wusvcs -p
        1⤵
          PID:2968

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Public\iVIwVADQD.eLxan

          MD5

          bc9ac467126926bfd2782428da6f1a09

          SHA1

          f9d6fbc917446025fb63cc622a117a11544ce34b

          SHA256

          0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

          SHA512

          f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

        • memory/1304-131-0x0000000010000000-0x0000000010151000-memory.dmp

          Filesize

          1.3MB

        • memory/1304-130-0x0000000010000000-0x000000001001B000-memory.dmp

          Filesize

          108KB

        • memory/1304-133-0x0000000002690000-0x0000000002691000-memory.dmp

          Filesize

          4KB