Analysis
- max time kernel: 146s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: 3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll
  Resource: win10v2004-en-20220112
General
- Target: 3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll
- Size: 523KB
- MD5: 95f48e694a8beb8fd3a21a0b7ce73aa6
- SHA1: 6b5e94e8f94905be32eabc56ebf91ebd818dc61a
- SHA256: 3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8
- SHA512: ac8df20bbbc36a77ef795ce047b942d3f0543f4baf92f4b9bf1df5ab8a31e6360c28c496ffbbda79c28408107d9fe9df4912ffd7cf25a532ce439ccd386b00a2
Malware Config
Signatures
- Valak JavaScript Loader (2 IoCs)
  Processes:
    resource: C:\Users\Public\xSsGKcUqL.vA_YV    yara_rule: valak
    resource: C:\Users\Public\xSsGKcUqL.vA_YV    yara_rule: valak_js
- Blocklisted process makes network request (5 IoCs)
  Processes: wscript.exe
    flow 5     pid 544    process wscript.exe
    flow 7     pid 544    process wscript.exe
    flow 8     pid 544    process wscript.exe
    flow 10    pid 544    process wscript.exe
    flow 12    pid 544    process wscript.exe
- Modifies system certificate store
  Processes: wscript.exe
    description: Key created
      ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
      process: wscript.exe
    description: Set value (data)
      ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob data not captured in this report)
      process: wscript.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1488 wrote to memory of 1492    process rundll32.exe    target process rundll32.exe
    PID 1492 wrote to memory of 544     process rundll32.exe    target process wscript.exe
    PID 1492 wrote to memory of 544     process rundll32.exe    target process wscript.exe
    PID 1492 wrote to memory of 544     process rundll32.exe    target process wscript.exe
    PID 1492 wrote to memory of 544     process rundll32.exe    target process wscript.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1488
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1492
    - C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV"
      - Blocklisted process makes network request
      - Modifies system certificate store
      PID: 544
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1756
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9bb0250408c43581e7f9977da9c64e36
  SHA1: 10bb73ae8b19a28b833daffd8c89041ca9c58dca
  SHA256: 732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543
  SHA512: 53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a