Malware Analysis Report

2024-11-13 16:56

Sample ID 220201-mlc7jachgm
Target 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a
SHA256 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a
Tags
valak Loader persistence
score
10/10

Analysis Overview

score
10/10

SHA256

3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a

Threat Level: Known bad

The file 3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a was found to be: Known bad.

Malicious Activity Summary

valak Loader persistence

Valak

Valak JavaScript Loader

Sets service image path in registry

Blocklisted process makes network request

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-01 10:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-01 10:32

Reported

2022-02-01 10:36

Platform

win7-en-20211208

Max time kernel

153s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 az361816.vo.msecnd.net udp
US 72.21.81.200:80 az361816.vo.msecnd.net tcp
US 8.8.8.8:53 msnbot-207-46-194-33.search.msn.com udp
US 8.8.8.8:53 ec.atdmt.com udp
US 72.21.81.200:80 ec.atdmt.com tcp

Files

memory/608-54-0x0000000076001000-0x0000000076003000-memory.dmp

memory/608-55-0x0000000010000000-0x000000001001B000-memory.dmp

memory/608-56-0x0000000010000000-0x0000000010151000-memory.dmp

memory/608-58-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Public\iVIwVADQD.eLxan

MD5 bc9ac467126926bfd2782428da6f1a09
SHA1 f9d6fbc917446025fb63cc622a117a11544ce34b
SHA256 0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9
SHA512 f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-01 10:32

Reported

2022-02-01 10:35

Platform

win10v2004-en-20220112

Max time kernel

160s

Max time network

172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Sets service image path in registry

persistence

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3504 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3504 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 3804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe
PID 1304 wrote to memory of 3804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe
PID 1304 wrote to memory of 3804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7edc6b378860d916e7889ba553d1fd467c905672893a0fd51357cd1a1f2b8a.dll,#1

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 713e508236bbece952d0e8d1319883eb v3ZlOpwF30iFnWPJhhsB+A.0.1.0.0.0

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p

Network

Country Destination Domain Proto
NL 13.69.109.130:443 N/A tcp
US 93.184.220.29:80 N/A tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 crl3.digicert.com udp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
N/A 127.0.0.1:5985 tcp
US 8.8.8.8:53 az361816.vo.msecnd.net udp
US 72.21.81.200:80 az361816.vo.msecnd.net tcp
US 8.8.8.8:53 msnbot-207-46-194-33.search.msn.com udp
US 8.8.8.8:53 ec.atdmt.com udp
US 72.21.81.200:80 ec.atdmt.com tcp

Files

memory/1304-131-0x0000000010000000-0x0000000010151000-memory.dmp

memory/1304-130-0x0000000010000000-0x000000001001B000-memory.dmp

memory/1304-133-0x0000000002690000-0x0000000002691000-memory.dmp

C:\Users\Public\iVIwVADQD.eLxan

MD5 bc9ac467126926bfd2782428da6f1a09
SHA1 f9d6fbc917446025fb63cc622a117a11544ce34b
SHA256 0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9
SHA512 f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c