Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:33

General

  • Target

    3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll

  • Size

    523KB

  • MD5

    95f48e694a8beb8fd3a21a0b7ce73aa6

  • SHA1

    6b5e94e8f94905be32eabc56ebf91ebd818dc61a

  • SHA256

    3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8

  • SHA512

    ac8df20bbbc36a77ef795ce047b942d3f0543f4baf92f4b9bf1df5ab8a31e6360c28c496ffbbda79c28408107d9fe9df4912ffd7cf25a532ce439ccd386b00a2

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Valak JavaScript Loader 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Sets service image path in registry 2 TTPs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a0148e166753487640e4b7d129c3bad7ee3cf8403953b552240d17851bdafc8.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
        3⤵
        • Blocklisted process makes network request
        PID:3172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 668
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3212 -ip 3212
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3828
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 8e75806f7b987275505ff6d7aa61987c FHrP0mqSN0m2aVNZ/L2hQQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2928
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3784
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\xSsGKcUqL.vA_YV

        MD5

        9bb0250408c43581e7f9977da9c64e36

        SHA1

        10bb73ae8b19a28b833daffd8c89041ca9c58dca

        SHA256

        732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543

        SHA512

        53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a

      • memory/3212-131-0x0000000074E40000-0x0000000074EDE000-memory.dmp

        Filesize

        632KB

      • memory/3212-130-0x0000000074E40000-0x0000000074E5B000-memory.dmp

        Filesize

        108KB

      • memory/3212-133-0x00000000033E0000-0x00000000033E1000-memory.dmp

        Filesize

        4KB