valak | 1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9

Analysis

Target

1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll
Size

304KB
MD5

ebfdc4d7dde8997830fb7f5fa0f57bb4
SHA1

37fa2d70133adf5af114b15aff803fb52ad597c8
SHA256

1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9
SHA512

1d28659b13ac3646ab80af537be2b8aa290ace1eeca81161e5dc9ee0ddba2a12c241d2f1e240f508322bd338f4b9b9b9e4ff312fc557b2787e320eb6d2d50198

Score

10^/10

valak Loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\iVIwVADQD.eLxan	valak
C:\Users\Public\iVIwVADQD.eLxan	valak_js

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

5 760 wscript.exe
8 760 wscript.exe

flow	pid	process
5	760	wscript.exe
8	760	wscript.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1272 wrote to memory of 1428	1272	rundll32.exe	rundll32.exe
PID 1428 wrote to memory of 760	1428	rundll32.exe	wscript.exe
PID 1428 wrote to memory of 760	1428	rundll32.exe	wscript.exe
PID 1428 wrote to memory of 760	1428	rundll32.exe	wscript.exe
PID 1428 wrote to memory of 760	1428	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
3⤵
- Blocklisted process makes network request
PID:760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1180

C:\Users\Public\iVIwVADQD.eLxan

MD5
bc9ac467126926bfd2782428da6f1a09

SHA1
f9d6fbc917446025fb63cc622a117a11544ce34b

SHA256
0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

SHA512
f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

Download Submit
memory/1428-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1428-55-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1428-56-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download
memory/1428-58-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download