Windows Analysis Report
yoyo.exe

Overview

General Information

Sample name: yoyo.exe
Analysis ID: 1546036
MD5: 0ced0787f8e64762035adea6c6aff9e2
SHA1: 3f3822cccdd892f20a8535a8137420e4e1b49344
SHA256: 79937a1b5c371c64c42abd995ddc3beff64be580f3f11ece7aceaccf1b306cee
Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Source: C:\Users\user\Desktop\yoyo.exe Code function: 0_2_00007FF6BDD115E4 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF6BDD115E4
Source: yoyo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: yoyo.exe Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteById0, FwpmFilterDestroyEnumHandle0, FwpmFilterEnum0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDeleteByKey0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0
Source: C:\Users\user\Desktop\yoyo.exe Code function: 0_2_00007FF6BDD19170 0_2_00007FF6BDD19170
Source: C:\Users\user\Desktop\yoyo.exe Code function: String function: 00007FF6BDD11550 appears 50 times
Source: yoyo.exe Static PE information: Number of sections : 18 > 10
Source: classification engine Classification label: sus24.troj.winEXE@6/3@0/0
Source: C:\Users\user\Desktop\yoyo.exe Code function: 0_2_00007FF6BDD12AE8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,CloseHandle, 0_2_00007FF6BDD12AE8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: yoyo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yoyo.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yoyo.exe String found in binary or memory: --help
Source: yoyo.exe String found in binary or memory: 3DRS1l3nc3r.3xe unbl0ck <f1lt3r 1d>-h--helpblockedrblock[-] Missing second argument. Please provide the full path of the process to block.
Source: unknown Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" -install
Source: C:\Users\user\Desktop\yoyo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" /install
Source: C:\Users\user\Desktop\yoyo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" /load
Source: C:\Users\user\Desktop\yoyo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yoyo.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yoyo.exe Section loaded: fwpuclnt.dll
Source: yoyo.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: yoyo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: yoyo.exe Static PE information: section name: .xdata
Source: yoyo.exe Static PE information: section name: /4
Source: yoyo.exe Static PE information: section name: /19
Source: yoyo.exe Static PE information: section name: /31
Source: yoyo.exe Static PE information: section name: /45
Source: yoyo.exe Static PE information: section name: /57
Source: yoyo.exe Static PE information: section name: /70
Source: yoyo.exe Static PE information: section name: /81
Source: yoyo.exe Static PE information: section name: /92
Source: C:\Users\user\Desktop\yoyo.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\yoyo.exe API coverage: 7.4 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\yoyo.exe Code function: 0_2_00007FF6BDD11190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00007FF6BDD11190
No contacted IP infos