Analysis
- max time kernel: 49s
- max time network: 49s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-02-2021 14:05
Static task
- static1
Behavioral task
- behavioral1
  - Sample: qak.dll
  - Resource: win10v20201028 (windows10_x64)
  - 0 signatures, 0 seconds
Errors
- Reason: Machine shutdown
The behavioral run ended with the analysis machine shutting down, so coverage of the sample's runtime behavior is incomplete. Most of the signatures listed below fire on LogonUI.exe (the Windows logon/shutdown UI) and on WerFault.exe (the crash handler), not on the rundll32.exe processes that loaded qak.dll; read the score with that in mind.
General
- Target: qak.dll
- Size: 1.0MB
- MD5: 15d5676f003f8a48062ab16379e1149b
- SHA1: a6afc5d0564a911af2f6b0bb81f50bc82d7da464
- SHA256: 86d4ff6b8e90c20ddf020af1e45e5d2403e80285565290678c634e312df17f43
- SHA512: d064a96473e08d9d4720a17de0ecd57afed3d167c3f45458e37d8e204b6d3df9613fe8d3378ea4e4a97e801e4f018df30c6368ba3be296c85bd22996ec1a086d
- Score: 8/10
Malware Config
- none extracted for this sample
Signatures
- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
  Enables rebooting of the machine without requiring login credentials.
  Processes:
  - LogonUI.exe (PID 1488): Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
  The only IoC behind this signature is a key created by LogonUI.exe, the Windows logon/shutdown UI, not by either rundll32.exe process that loaded qak.dll, and it coincides with the run ending in a machine shutdown (see Errors above). Do not read it as the sample configuring AutoLogon unless the same Winlogon change is observed from the sample's own process tree.
- Program crash (1 IoC)
  Processes:
  - WerFault.exe (PID 2492) reporting on rundll32.exe (PID 3012)
  PID 3012 is the 32-bit C:\Windows\SysWOW64\rundll32.exe host in which qak.dll,#1 was invoked, so the process running the sample crashed during the run, which limits what this analysis shows of the sample's behavior.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe (PID 1488)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  All 15 writes are theme and DWM accent-colour values under the .DEFAULT profile, written by LogonUI.exe; none comes from the sample's processes.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - WerFault.exe (PID 2492), 14 occurrences
  All 14 hits come from the crash handler Windows started for PID 3012, not from the sample's own processes.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - WerFault.exe (PID 2492): Token: SeRestorePrivilege
  - WerFault.exe (PID 2492): Token: SeBackupPrivilege
  - WerFault.exe (PID 2492): Token: SeDebugPrivilege
  These privileges are enabled by WerFault.exe, consistent with its role as the crash handler for PID 3012 (reading the crashed process to produce a report); they are not enabled by the sample.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - LogonUI.exe (PID 1488), 2 occurrences
  Both hits are from LogonUI.exe, not from the sample's process tree.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - rundll32.exe (PID 3564) wrote to memory of rundll32.exe (PID 3012), 3 occurrences
  This is the only signature attributed to the sample's own process tree: the 64-bit C:\Windows\system32\rundll32.exe started with qak.dll re-launched the 32-bit C:\Windows\SysWOW64\rundll32.exe with the same command line (the normal hand-off when the DLL is 32-bit) and wrote into it. Beyond that hand-off and the subsequent crash of PID 3012, nothing in this run is attributable to qak.dll.
Processes
- C:\Windows\system32\rundll32.exe (PID 3564)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3012)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 2492)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 652
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 1488)
  "LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
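Added example, not part of this sandbox report or of its vendor's tooling: a small triage script that rebuilds the process tree from the Processes section above, finds the sample's lineage, and attributes every signature hit either to the sample's own processes, to the crash handler Windows started for one of them, or to an unrelated system process. The PIDs, images, command lines and IoC counts are transcribed from this report; the record layout, regular expressions and function names are the example's own assumptions.

```python
"""Attribute a sandbox report's signature hits to the sample's process lineage.

Added example, not part of the sandbox report or of its tooling. The process
records and signature counts below are transcribed from the report above; the
record layout, regexes and function names are this example's own.
"""
import re
from collections import defaultdict

# Process tree from the report: (pid, parent pid, image, command line).
# The report shows no parent for the two top-level processes, so those are None.
PROCESSES = [
    (3564, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1"),
    (3012, 3564, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1"),
    (2492, 3012, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 652"),
    (1488, None, r"C:\Windows\system32\LogonUI.exe",
     r'"LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d'),
]

# Signature hits from the report: (signature, pid that triggered it, IoC count).
SIGNATURE_HITS = [
    ("Modifies WinLogon to allow AutoLogon", 1488, 1),
    ("Program crash", 2492, 1),
    ("Modifies data under HKEY_USERS", 1488, 15),
    ("Suspicious behavior: EnumeratesProcesses", 2492, 14),
    ("Suspicious use of AdjustPrivilegeToken", 2492, 3),
    ("Suspicious use of SetWindowsHookEx", 1488, 2),
    ("Suspicious use of WriteProcessMemory", 3564, 3),
]

# rundll32 syntax: rundll32.exe <dll>,<entry>; entry is an ordinal (#1) or an export name.
# Unquoted DLL paths only, which is what this report shows.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?),(?P<entry>#\d+|\w+)\s*$", re.I)
# WerFault is launched with -p <pid of the crashing process>.
WERFAULT_RE = re.compile(r"WerFault\.exe.*?-p\s+(\d+)", re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def sample_lineage(processes, sample_name):
    """PIDs of every process whose command line names the sample, plus all their descendants."""
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in processes:
        children[ppid].append(pid)
    stack = [pid for pid, _ppid, _image, cmd in processes if sample_name.lower() in cmd.lower()]
    lineage = set()
    while stack:
        pid = stack.pop()
        if pid not in lineage:
            lineage.add(pid)
            stack.extend(children[pid])
    return lineage


def crash_targets(processes):
    """Map each WerFault.exe PID to the PID of the process it was launched to report on."""
    targets = {}
    for pid, _ppid, _image, cmd in processes:
        m = WERFAULT_RE.search(cmd)
        if m:
            targets[pid] = int(m.group(1))
    return targets


def attribute_hits(hits, lineage, handler_pids):
    """Bucket each signature's IoCs: from the sample's own processes, from the crash
    handler Windows started for one of them, or from unrelated system processes."""
    buckets = defaultdict(lambda: {"sample": 0, "crash_handler": 0, "other": 0})
    for sig, pid, count in hits:
        key = "crash_handler" if pid in handler_pids else "sample" if pid in lineage else "other"
        buckets[sig][key] += count
    return dict(buckets)


def triage(processes, hits, sample_name):
    """Summarise which signatures the sample itself is responsible for and whether it crashed."""
    lineage = sample_lineage(processes, sample_name)
    handlers = crash_targets(processes)
    return {
        "lineage": lineage,
        "attributed": attribute_hits(hits, lineage, set(handlers)),
        "sample_crashed": any(target in lineage for target in handlers.values()),
    }


if __name__ == "__main__":
    result = triage(PROCESSES, SIGNATURE_HITS, "qak.dll")
    print("sample lineage:", sorted(result["lineage"]))
    print("sample crashed:", result["sample_crashed"])
    for sig, counts in result["attributed"].items():
        print(f"{sig}: {counts}")
```

Running the block prints the breakdown for this report: the lineage is PIDs 3564, 3012 and 2492, the sample did crash (WerFault was started for PID 3012), and only the three WriteProcessMemory IoCs land in the "sample" bucket, while the AutoLogon, HKEY_USERS and SetWindowsHookEx hits are all "other" (LogonUI.exe) and the remaining ones belong to the crash handler.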