valak | 313dc38bada29a700a34ec2c11e61f6f3edb7e031e134afbd8bca668b494b599

General

Target

313dc38bada29a700a34ec2c11e61f6f3edb7e031e134afbd8bca668b494b599.dll
Size

583KB
MD5

25f1acad71927d1f4f8559a75bb6319a
SHA1

33425c95c8d1cdfc5c244078fd799ca765fd6dc8
SHA256

313dc38bada29a700a34ec2c11e61f6f3edb7e031e134afbd8bca668b494b599
SHA512

5592b2cd5e5800f001e431f4d3eabeafeb80a4a53c83f6c42eb91fbf3e9f8db1d2d215a3a3701620ddb3d45616f9f8501993c5bb857285e0bcdab6270c0e6ca3

Score

10^/10

valak Loader

Malware Config

Signatures

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\xSsGKcUqL.vA_YV	valak
C:\Users\Public\xSsGKcUqL.vA_YV	valak_js

Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

5 1328 wscript.exe
7 1328 wscript.exe
8 1328 wscript.exe
10 1328 wscript.exe
12 1328 wscript.exe

flow	pid	process
5	1328	wscript.exe
7	1328	wscript.exe
8	1328	wscript.exe
10	1328	wscript.exe
12	1328	wscript.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wscript.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1328	1560	rundll32.exe	wscript.exe
PID 1560 wrote to memory of 1328	1560	rundll32.exe	wscript.exe
PID 1560 wrote to memory of 1328	1560	rundll32.exe	wscript.exe
PID 1560 wrote to memory of 1328	1560	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\313dc38bada29a700a34ec2c11e61f6f3edb7e031e134afbd8bca668b494b599.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\313dc38bada29a700a34ec2c11e61f6f3edb7e031e134afbd8bca668b494b599.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\xSsGKcUqL.vA_YV
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xSsGKcUqL.vA_YV

MD5
9bb0250408c43581e7f9977da9c64e36

SHA1
10bb73ae8b19a28b833daffd8c89041ca9c58dca

SHA256
732a56132c0ec98955de6f53cd6e5ed9d15bcb3ebc42a9f43e0a8b399c496543

SHA512
53829569b9737511a18e77f219b91d1681b858ccf0ed5e9bcffb6fe5caf909be7807902681dfb99825bdb7bec9cbd8b840cce945670b69795db3d851f1df442a

Download Submit
memory/1560-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download
memory/1560-56-0x0000000074F40000-0x0000000074FE5000-memory.dmp

Filesize
660KB

Download
memory/1560-55-0x0000000074F40000-0x0000000074F5B000-memory.dmp

Filesize
108KB

Download
memory/1560-58-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads