valak | 2c98f53860dea50bae2bd50c1e84fe44f7d94df0a756d79ad6bbdc778948e683

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 20:32

Target

92eeeba062b887fb60a664de550ca5aa.dll
Size

248KB
MD5

92eeeba062b887fb60a664de550ca5aa
SHA1

e422797e5e3cc8bd3dcbc7bc338f5e7f15d3d6eb
SHA256

2c98f53860dea50bae2bd50c1e84fe44f7d94df0a756d79ad6bbdc778948e683
SHA512

3d8a66423748cffbfb8e08e92037230403af0087dcddc16749eb438a37459def790e4d7bbd21b7ba6c8193efe173bc8d14e100cc43723808091826826cc4cbcf
SSDEEP

6144:7sZV/WeuAci2Fe1Eu9DB5aFRBS6KnvXM3oIFt0dw5B8tAe:7sWeuAcLerWFXS6KvcoIn0a5OtAe

Score

10^/10

valak loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
loader valak

Valak JavaScript Loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\styARQqjL.nmKvY	valak_js

Valak JavaScript loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\styARQqjL.nmKvY	valak

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

50 3200 wscript.exe
53 3200 wscript.exe
60 3200 wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4320 wrote to memory of 1504	4320	rundll32.exe	rundll32.exe
PID 4320 wrote to memory of 1504	4320	rundll32.exe	rundll32.exe
PID 4320 wrote to memory of 1504	4320	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 3200	1504	rundll32.exe	wscript.exe
PID 1504 wrote to memory of 3200	1504	rundll32.exe	wscript.exe
PID 1504 wrote to memory of 3200	1504	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92eeeba062b887fb60a664de550ca5aa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92eeeba062b887fb60a664de550ca5aa.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\styARQqjL.nmKvY
3⤵
- Blocklisted process makes network request
PID:3200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3248

C:\Users\Public\styARQqjL.nmKvY

Filesize
13KB

MD5
65fed9e5ba48663004a86ddbf114efd3

SHA1
579d59754e802876c2568805b5c10da4dd3db948

SHA256
97b2ace5522dc0c034ecc7bdb214690f4e8477dab75b8ca8a4e8c38d3131962a

SHA512
716f374d9b3aff74d44aa1586479b4a6dfa8645b98c7efec7abce063b3a0bf8565980567b7c99595abeb385815471ef857adec5a0f2a55b7e96b38ab70b0622b

Download Submit
memory/1504-0-0x0000000074E10000-0x0000000074E68000-memory.dmp

Filesize
352KB

Download
memory/1504-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download