Overview

overview

10

Static

static

1907cb31a7...e9.dll

windows7_x64

10

1907cb31a7...e9.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll

  • Size

    304KB

  • MD5

    ebfdc4d7dde8997830fb7f5fa0f57bb4

  • SHA1

    37fa2d70133adf5af114b15aff803fb52ad597c8

  • SHA256

    1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9

  • SHA512

    1d28659b13ac3646ab80af537be2b8aa290ace1eeca81161e5dc9ee0ddba2a12c241d2f1e240f508322bd338f4b9b9b9e4ff312fc557b2787e320eb6d2d50198

Score
10/10
valakLoaderpersistence

Malware Config

Signatures

  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

    Loadervalak
  • Valak JavaScript Loader 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1907cb31a7cf2b9d72a04bffc54f3c3e586185f52f34c55a9c2801e5f0a3ece9.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
        3⤵
        • Blocklisted process makes network request
        PID:228
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe a89e05b5526d005482e3f2adae7279a3 2URH+vHQFkGkbEY8QnWCgQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2744
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3660
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3852

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\iVIwVADQD.eLxan
        MD5

        bc9ac467126926bfd2782428da6f1a09

        SHA1

        f9d6fbc917446025fb63cc622a117a11544ce34b

        SHA256

        0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

        SHA512

        f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

        Download Submit

      • memory/2100-130-0x0000000010000000-0x000000001001B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2100-131-0x0000000010000000-0x0000000010151000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2100-133-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

        Filesize

        4KB

        Download