Windows Analysis Report
YY#U6302#U53f7#U534f#U8bae.exe

Overview

General Information

Sample name: YY#U6302#U53f7#U534f#U8bae.exe
renamed because original name is a hash value
Original sample name: YY.exe
Analysis ID: 1457838
MD5: 765cf453d0cea3719b619e4c55881093
SHA1: 060ae0476bbd908d08537c8b6bb24d2ec83d524c
SHA256: 3d76cc27be3265077a5c15f2c76848b73148df035b7d3a3d2b9ad77232587cfd
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Detected VMProtect packer
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: YY#U6302#U53f7#U534f#U8bae.exe Virustotal: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: YY#U6302#U53f7#U534f#U8bae.exe Joe Sandbox ML: detected
Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: \iext_fnr.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr
Source: Binary string: C:\Program Files (x86)\e\lib\ExuiKrnln\ExuiKrnln.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: F:\openssl-1.0.0d\openssl-1.0.0d\out32dll\libeay32.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \iext_fnr.pdbM source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CEFC5C0 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_6CEFC5C0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CEFC790 FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,lstrlenA, 0_2_6CEFC790
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000003.1699125254.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://120.26.95.191:5658/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://120.26.95.191:5659/
Source: iext1.fnr.bbs.125.la.0.dr String found in binary or memory: http://bbs.125.la/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://channel.yy.com/ajax/member/indexAction
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://do-dw.yy.com/user.php?sids=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://hgame.yy.com/action/getUserLoginInfo.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://peipei.yy.com/web/account/internal/account/list
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://vip.yy.com/service/web/user/info?_time=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://vip.yy.com/service/web/user/info?_time=vipLevel
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://vip.yy.com/vip/vcard/indexrest?_time=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/V
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.uc.cn/ip
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.uc.cn/ipIP:http://
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.yy.com/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.yy.com/search-
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.yy.com/sid
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr String found in binary or memory: https://bbs.125.la/thread-14738139-1-1.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://captcha.yy.com/baidu/submit.do?appid=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://captcha.yy.com/baidu/submit.do?appid=obj
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://hgame.yy.com/person/p_account
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://iexui.com/downexui
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nfnba.lanzoub.com/ietaw0udyhid
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://passport.baidu.com/viewlog/getstyle?ak=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://passport.baidu.com/viewlog?ak=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.dmdaili.com/yaoqing/33405.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.xiequ.cn/index.html?dc1bbee2
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.yy.com/gu/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.yy.com/u/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.yy.com/zone/assets/total.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.yy.com/zone/userinfo/getUserInfo.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://yyfkw.cn
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://yyfkw.cn999https://nfnba.lanzoub.com/ietaw0udyhid

System Summary

Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: String function: 6CF3C240 appears 47 times
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkinH_EL.dll vs YY#U6302#U53f7#U534f#U8bae.exe
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameExuiKrnl.dll* vs YY#U6302#U53f7#U534f#U8bae.exe
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibeay32.dllH vs YY#U6302#U53f7#U534f#U8bae.exe
Source: classification engine Classification label: mal60.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CEFAD60 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 0_2_6CEFAD60
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe File created: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: udbauthsdk.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Section loaded: wintypes.dll
Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YY#U6302#U53f7#U534f#U8bae.exe Static file information: File size 4972544 > 1048576
Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x4b9000
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF03D60 CreateIextInterface,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleFileNameW,_wcsrchr,LoadLibraryW,FreeLibrary,GetModuleHandleW,GetCurrentProcess,ReadProcessMemory,OpenFileMappingW,GetCurrentProcessId,MapViewOfFile,UnmapViewOfFile,CloseHandle,LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6CF03D60
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: section name: .vmp0
Source: YY#U6302#U53f7#U534f#U8bae.exe Static PE information: section name: .vmp1
Source: iext1.fnr.bbs.125.la.0.dr Static PE information: section name: .detourc
Source: iext1.fnr.bbs.125.la.0.dr Static PE information: section name: .detourd
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_00406D9F pushad ; ret 0_2_00406DA0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_004065AC push ebx; retf 0_2_004065AD
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF5BFC1 push ecx; ret 0_2_6CF5BFD4
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe API coverage: 1.2 %
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1700974559.000000000131E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF03060 GdiplusStartup,IsDebuggerPresent, 0_2_6CF03060
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF56124 GetProcessHeap, 0_2_6CF56124
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF3B805 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF3B805
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF44984 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF44984
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF3C469 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF3C469
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ExuiKrnln.dll,Tab_HbitmapLayeredTab_UpdateStateTab_RefreshCallBackTab_NeedUpdateFocusManagementTabDownTab_OLDFocuscontrolTab_WM_DESTROYTab_WM_DESTROY_TRUETab_WM_32879Tab_WM_DESTROY_FALSETab_IsWinControlWM_SIZEIsunicodeTab_GraphicsTab_OldHbitmapICON_1DownlistExShell_TrayWnd
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF3C285 cpuid 0_2_6CF3C285
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF3C58C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CF3C58C
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe Code function: 0_2_6CF5445D GetTimeZoneInformation, 0_2_6CF5445D
No contacted IP infos