Analysis
- max time kernel: 163s
- max time network: 190s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 06:40
Static task: static1
Behavioral task: behavioral1
Sample: 4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
Resource: win7-20220414-en
General
- Target: 4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
- Size: 191KB
- MD5: 3c333422b46165447cc4ba0b720bbd44
- SHA1: 557cdb8345666fe7095a91f26c4f0c8dc99e637f
- SHA256: 4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1
- SHA512: 401191df089503c2ca15708ff7cee83f132296dce585330572833390f29e79a567fd5501510f68ff894a549d2f741d4b24035391999632a08a537d0563ef69e9
Malware Config
Signatures
- Valak JavaScript Loader (1 IoC)
  Processes:
    resource                          yara_rule
    C:\Users\Public\mZAMEJmgn.sJBjU   valak_js
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    6     1144  wscript.exe
    8     1144  wscript.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description      pid   process       target pid  target process
    wrote to memory  948   regsvr32.exe  1488        regsvr32.exe   (7 events)
    wrote to memory  1488  regsvr32.exe  1144        wscript.exe    (4 events)
Processes
- [1] C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
      - Suspicious use of WriteProcessMemory
      PID: 948
  - [2] C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
        - Suspicious use of WriteProcessMemory
        PID: 1488
    - [3] C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\mZAMEJmgn.sJBjU
          - Blocklisted process makes network request
          PID: 1144
- [1] C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      PID: 1312
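The process tree above is the whole story of this detonation in three hops: the 64-bit regsvr32.exe is given a 32-bit DLL and hands it to its SysWOW64 counterpart (that hop by itself is normal Windows behaviour), the 32-bit regsvr32.exe then writes a script into C:\Users\Public under a random name with a non-script extension, and launches wscript.exe with //E:jscript so the JScript engine runs the file regardless of its extension. The example below, added here and not part of the sandbox report, turns that lineage into detection logic over process-creation events. The events are constructed from the report's own PIDs, images and command lines; the flat pid/ppid/image/cmdline schema is an assumed normalisation of endpoint telemetry rather than any vendor's format, the parent of PID 948 is not shown in the report and is modelled as 0, and the explorer.exe/logon.vbs records are a constructed benign control.

```python
"""Process-lineage detection for the regsvr32 -> regsvr32 (WOW64) -> wscript.exe chain.

Added example; not part of the sandbox report. Event records are constructed
from the report's process tree. The {pid, ppid, image, cmdline} schema is an
assumed normalisation of process-creation telemetry, not a vendor format.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll")

EVENTS: List[Dict] = [
    # Parent of 948 is not in the report; 0 stands for "unknown".
    {"pid": 948, "ppid": 0, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f"regsvr32 /s {SAMPLE_DLL}"},
    # 64-bit regsvr32 re-launches its SysWOW64 twin for a 32-bit DLL; this hop alone is benign.
    {"pid": 1488, "ppid": 948, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": f"/s {SAMPLE_DLL}"},
    # Command line as captured, including the unterminated quote.
    {"pid": 1144, "ppid": 1488, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\Public\mZAMEJmgn.sJBjU'},
    {"pid": 1312, "ppid": 0, "image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "cmdline": r"C:\Windows\system32\wbem\WmiApSrv.exe"},
    # Constructed benign control: a logon script started from explorer.exe.
    {"pid": 1500, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ENGINE_FLAG = re.compile(r"//E:(\S+)", re.IGNORECASE)
# Last drive-letter path on the line; tolerates a missing closing quote.
LAST_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?)"?\s*$')


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def lineage(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image names of all known ancestors of pid, nearest parent first."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(image_name(ev["image"]))
    return chain


def script_path(cmdline: str) -> str:
    m = LAST_PATH.search(cmdline)
    return m.group(1) if m else ""


def evaluate(ev: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Reasons a script-host launch looks like a dropped loader (empty if none)."""
    if image_name(ev["image"]) not in SCRIPT_HOSTS:
        return []
    reasons = []
    eng = ENGINE_FLAG.search(ev["cmdline"])
    if eng:  # explicit engine selection lets any extension run as script
        reasons.append(f"engine override //E:{eng.group(1)}")
    path = script_path(ev["cmdline"])
    if path.lower().startswith("c:\\users\\public\\"):
        reasons.append("script under C:\\Users\\Public")
    suffix = PureWindowsPath(path).suffix
    if suffix.lower() not in SCRIPT_EXTS:
        reasons.append(f"non-script extension {suffix or '(none)'}")
    if "regsvr32.exe" in lineage(ev["pid"], by_pid):
        reasons.append("regsvr32.exe in parent chain")
    return reasons


def detect(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every script host with at least two indicators."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        reasons = evaluate(ev, by_pid)
        if len(reasons) >= 2:  # one indicator alone is too noisy on real fleets
            hits[ev["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(pid, "; ".join(why))
```

Requiring two independent indicators keeps administrators' logon scripts (explorer.exe -> wscript.exe with a .vbs) out of the alert while still firing on PID 1144, which trips all four: the //E:jscript override, the C:\Users\Public drop location, the random extension and regsvr32.exe in its ancestry.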
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 98KB
  MD5: 6d49c20a8624eadb095a88642bd4b415
  SHA1: 60656c1474221b72f914ca5575c96f1144d11894
  SHA256: 58d3c3d8eac234361e5bc866d0c144b04f134381eb409d594ba98fd6f588dcac
  SHA512: 47b9b9695a5c8b95df12f2ed0c5d8895835a4b0807e82f0c3495e9166febfce19b3cb375ffa750cafce5b087509dc9e43b4a3278b080211f45f76041b8f2a654