Analysis
max time kernel: 138s
max time network: 140s
platform: windows10_x64
resource: win10v20210408
submitted: 20-04-2021 09:59
Static task: static1
Behavioral task: behavioral1
Sample: qak.dll
Resource: win7v20210410 (windows7_x64), 0 signatures, 0 seconds
General
Target: qak.dll
Size: 724KB
MD5: fd2bfb40411f1a921026a84e8352c242
SHA1: 3de9e0966b1c48bcaf65ee81148b533c57a2c943
SHA256: 5b419f5101f112f896c7985936eb331fad6716f7f2ea3a493bfd040390c31463
SHA512: 8d4ee8a0f9220e56168aaab1e12b1f980dba6e2a9add33459d02aca9aae161378de1ae8206c3d431207f7f0405071c001cd2a5c2e9579f33800c1cdbc52b9db0
Malware Config
Signatures

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
512  2172  WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid, process):
2172  rundll32.exe  (2 IoCs)
512   WerFault.exe  (14 IoCs)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
Token: SeRestorePrivilege  512  WerFault.exe
Token: SeBackupPrivilege   512  WerFault.exe
Token: SeDebugPrivilege    512  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
PID 1040 wrote to memory of 2172  1040  rundll32.exe  rundll32.exe  (3 IoCs)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qak.dll,#1
   - Suspicious behavior: EnumeratesProcesses

3. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 708
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken