Overview

overview

10

Static

static

37931bf2e8...12.dll

windows7_x64

10

37931bf2e8...12.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37931bf2e8518794aaafc7c29903efa029e09674648c5d5930607cb4c1a9b512.dll

  • Size

    304KB

  • MD5

    0efc35ec0073e056080b9532d64efc4e

  • SHA1

    b6c26d041175a2befb5f5f7047388d01b39af5ec

  • SHA256

    37931bf2e8518794aaafc7c29903efa029e09674648c5d5930607cb4c1a9b512

  • SHA512

    0a02b581f2f595b2aa4891f0196091b707aa8a15cbf820f2c04fab7ac9dac78f5a3197f66622b56a1c22caeaf562f5116b69f7aac0c8c70ac81f11af71ba2697

Score
10/10
valakLoaderpersistence

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

    Loadervalak
  • Valak JavaScript Loader 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\37931bf2e8518794aaafc7c29903efa029e09674648c5d5930607cb4c1a9b512.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\37931bf2e8518794aaafc7c29903efa029e09674648c5d5930607cb4c1a9b512.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
        3⤵
        • Blocklisted process makes network request
        PID:1220
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 350f997083130a827044da54dcbe7214 qgAU9Pk8fkiTQFJmOK/FDg.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:180
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3088
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:796

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\iVIwVADQD.eLxan
        MD5

        bc9ac467126926bfd2782428da6f1a09

        SHA1

        f9d6fbc917446025fb63cc622a117a11544ce34b

        SHA256

        0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

        SHA512

        f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

        Download Submit

      • memory/3008-130-0x0000000010000000-0x000000001001B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3008-131-0x0000000010000000-0x0000000010151000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3008-133-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

        Filesize

        4KB

        Download