c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387

Analysis

max time kernel
154s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Size

14KB
MD5

41d37ea07c5237c87ef69336b1e530be
SHA1

1b7e9517327c5dd0d22a46f6728e81936c4a41fa
SHA256

c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387
SHA512

73390d5b51fc5f2f227c562c38c131ff10205b9c6df10cc8cf44375aa8a348a5140f94e5766c22dba556a2c2eac53d525af6deacf3a43e26a565454cfc1ac086
SSDEEP

384:CcfGqHxrz554Ep/oehlanftPzY1RkeZ+JC:C8GOxrX4E9llanfF01RkY+J

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
912	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\MaxWait = "1"	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\zmakjuui = 6249c054892501535462	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\DllName = "C:\\Users\\Admin\\AppData\\Local\\kdufroa.dll"	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\Startup = "kdufroa"	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\Impersonate = "1"	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kdufroa\Asynchronous = "1"	c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe

C:\Users\Admin\AppData\Local\Temp\c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe
"C:\Users\Admin\AppData\Local\Temp\c45eb0f8bcad12ac47566c048e33ab36152b5f8e12f34a0d8b3f7a00d6180387.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\kdufroa.dll

Filesize
15KB

MD5
6116de03384bff7317ba77ef160158b7

SHA1
775177a9acc04d13367b7e1eae0bf5c9e400236f

SHA256
136c16e9d8509fd3c81f17d3853722088a012ee52ea92d297af1bfd226dce9f5

SHA512
2930638603d8252ad8b664ccbe5668f1e1827306f89e32d88aaa7c2657a1a131ad2a066779ab724be51e217d5a38d494cff5017f819bebd5a7ca521bbf09131a

Download Submit
memory/912-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/912-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/912-57-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/912-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/912-59-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download