4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e

General

Target

4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Size

255KB
MD5

fa1c3f5777e4b17da86e45555555bd91
SHA1

d52fda3b221e4a3bf65a101fc9b8df955cc8e68a
SHA256

4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e
SHA512

ecc29da9e67eb1ae5b6b131497f5d85bf9e02faeb6a6c5666d18381225b3f80dc7c459b818bfa18ec98fac36e3007b39754eceb81afbb1854be6456b745562e5
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJi:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIB

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	pckdcrlnnt.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pckdcrlnnt.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pckdcrlnnt.exe

Executes dropped EXE 1 IoCs

pid	Process
1020	pckdcrlnnt.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1072-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/memory/1072-57-0x0000000002F80000-0x0000000003020000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x000b0000000122ff-62.dat	upx
behavioral1/files/0x000b0000000122ff-64.dat	upx
behavioral1/files/0x000b0000000122ff-66.dat	upx
behavioral1/files/0x000900000001230d-67.dat	upx
behavioral1/files/0x000900000001230d-69.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/memory/1388-73-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1572-72-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1020-70-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\orklnhunlhpgq.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File created	C:\Windows\SysWOW64\pckdcrlnnt.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File opened for modification	C:\Windows\SysWOW64\pckdcrlnnt.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File created	C:\Windows\SysWOW64\yecumutuhqocjjx.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File opened for modification	C:\Windows\SysWOW64\yecumutuhqocjjx.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File created	C:\Windows\SysWOW64\vndgmrtm.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File opened for modification	C:\Windows\SysWOW64\vndgmrtm.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
File created	C:\Windows\SysWOW64\orklnhunlhpgq.exe	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15D4795399E53BAB9D033EAD7CB"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFC482B851D9136D72F7E90BDE3E147593066476342D6EC"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB6FF6E21ADD27ED1D18B7E9016"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77B1490DBC0B8CB7FE0ECE734CB"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7B9C2283206A3F77D270532CA97D8065DD"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFAB1F911F2E5837D3A44819F3E94B0FE038A4367033AE1C442EA09A2"	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe
1020	pckdcrlnnt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1020	1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe	27
PID 1072 wrote to memory of 1020	1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe	27
PID 1072 wrote to memory of 1020	1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe	27
PID 1072 wrote to memory of 1020	1072	4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe	27

C:\Users\Admin\AppData\Local\Temp\4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe
"C:\Users\Admin\AppData\Local\Temp\4b633f0ad75128d4704a03c74f7da62156d0ed236112132dcf76b9d17e4c635e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\pckdcrlnnt.exe
  pckdcrlnnt.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1020
- C:\Windows\SysWOW64\yecumutuhqocjjx.exe
  yecumutuhqocjjx.exe
  2⤵
  PID:1572
- C:\Windows\SysWOW64\vndgmrtm.exe
  vndgmrtm.exe
  2⤵
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pckdcrlnnt.exe

Filesize
14KB

MD5
96a95a97707040b15a4b6551601b39db

SHA1
44afec02bab636c648ab6ddd57bc87ab7b02bf92

SHA256
76a5c1bad34fb6feef57dc25c0a9a94b19819148b3f32a749ec4dab84d2c6b8b

SHA512
27fed0c37d5e3a8c29100b548e6899196d3ce0efa84defa07cd4cc67f56642525688434258c6418c3befff2a854e6b22bc743ca0401f90576da2b0e12b687456

Download Submit
C:\Windows\SysWOW64\pckdcrlnnt.exe

Filesize
28KB

MD5
e28ffec946587743086b35fb9215aed5

SHA1
094a13ec867fbc5973bb8484ad719353b7f95146

SHA256
8045614f5345342b8d2b13667b7cde7529c4b25e663a7bbcee3d648260700a7b

SHA512
b3e6eec5ef221a3e5300d612134fee445a138a5785ba5fb37ff6936c0ec73a77c179552a0b4165462352b302403e7aaa641ef5696b21fab0c05ad34b2c6690b7

Download Submit
C:\Windows\SysWOW64\vndgmrtm.exe

Filesize
37KB

MD5
7fb6ba32bb5e4828c5858b21f2ca089e

SHA1
7ce4d29958f89d56f64af70c31101eb4a3823360

SHA256
5fb4431c3f59eea10f26019956abbb1aa6067c17d4bd73c01c1f4cd155c006d0

SHA512
e6471c78d83c3a5377f452889a3fb3fb0830cfc04b066e21e8cda12b9c0b1da13d348567f836ae59b8f2b91a3b49bd616839c38731696d6b1e36ba166c4508ad

Download Submit
C:\Windows\SysWOW64\yecumutuhqocjjx.exe

Filesize
31KB

MD5
9d337614769c14bd138fa5174453bebf

SHA1
6dc4ca291913f52e975f26c6cc30f550074d825d

SHA256
7d5cbf374adc11589f2d297fa2433857cac85cc2276a606f32746721a11a9a3c

SHA512
ec8e85ecba78d8a6be460d0090fc0bc478994cedb53aba0e4e0b1341dce1211c320f9ecb0c217575128de9c9f125aae35d97f6412b1289060ae80b4ba725c053

Download Submit
C:\Windows\SysWOW64\yecumutuhqocjjx.exe

Filesize
27KB

MD5
48e377764c6986a05c60acb57db2c359

SHA1
22657e8749e80687dd055c8f6ed46dcd7f569a70

SHA256
cd75904c5c8f7027b7e8c51ddd06ed3bb95488e15afafad05d576909f8b01f2b

SHA512
20300529daa14d4bf28b85305a4819666f1fee29853b24772d6fc3859ec80d166d93c814e3f22ecd155feaffe1b32d7d145086e2cb3a1d6f113fa3d70d51630f

Download Submit
\Windows\SysWOW64\pckdcrlnnt.exe

Filesize
45KB

MD5
337a18d216b81fddc81a2cdb698fbde5

SHA1
86a29fdb423d77abd25f54d0d553f94f3465c04e

SHA256
754e97c16efea4e606386835ee0824083d0253c9f8425b25b8bcb949b80c123a

SHA512
c7f66dc8fe288156fa58c618437a20221361f67c7f304fa3f7af5b4572ea3bb5a8010917454d03540ef5cda0abed9cdbd5736d226b9d162c471ca743581e982a

Download Submit
\Windows\SysWOW64\vndgmrtm.exe

Filesize
39KB

MD5
9d1d8816b70a4884945be83831b322cc

SHA1
7534991a2695a5615941ba3a5c750baef8d03930

SHA256
56879f3aa0c5be5140cf4dc9ff31078649ddef100fbe91a494693a562c5a95c7

SHA512
f3abf40d15cba38d8228680f2f2ad9a986d04f15aa458eb1e2764d15fff8df9f57ac07f33c6908e6c231de3fcc3abc8587c112f7391bf6e06a84196d6c15c2eb

Download Submit
\Windows\SysWOW64\yecumutuhqocjjx.exe

Filesize
34KB

MD5
887c613277e22efe1f7310cc8eedab80

SHA1
ac0385c4b72b6007cd62524942c80c41521f2bd8

SHA256
c753d120f7b8d50818173740c68e83f70113eeec76a8490d4af242bfcd6a90df

SHA512
cd9ec850c0aec581a3e0a7a7664966a0b3d271d484de9bde4be792d3d5eb643a60b2f4a1374ba1c5529f2857aa2e01c662c3eaf5ad0d1979d22f8eb80a0eab38

Download Submit
memory/1020-70-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1072-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1072-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1072-71-0x0000000002F80000-0x0000000003020000-memory.dmp

Filesize
640KB

Download
memory/1072-57-0x0000000002F80000-0x0000000003020000-memory.dmp

Filesize
640KB

Download
memory/1388-73-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1572-72-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads