Windows Analysis Report yw6At7QnNh

Overview

General Information

Sample Name: yw6At7QnNh (renamed file extension from none to exe)
Analysis ID: 458121
MD5: 8ba293749c97cbf48f30f02c66d3406d
SHA1: 6a7492a26d0a16320daa2cb187232fc0053f4f5f
SHA256: e2075b32b9716dc41ef667a74c1ae2c2841a5b9fd3046db0bdcd96c581778253
Tags: exe, uncategorized

Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Contains VNC / remote desktop functionality (version string found)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May initialize a security null descriptor
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: yw6At7QnNh.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\athefff3h6266cd5fa708f.tmp Avira: detection malicious, Label: TR/Agent.hjvc
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\athefff3h6266cd5fa708f.tmp ReversingLabs: Detection: 53%
Multi AV Scanner detection for submitted file
Source: yw6At7QnNh.exe Virustotal: Detection: 81%
Source: yw6At7QnNh.exe Metadefender: Detection: 60%
Source: yw6At7QnNh.exe ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: yw6At7QnNh.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.yw6At7QnNh.exe.10000000.4.unpack Avira: Label: TR/Agent.hjvc
Source: 3.2.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 3.1.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 1.2.yw6At7QnNh.exe.400000.0.unpack Avira: Label: TR/Agent.hjvc

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_2_00401282 GetModuleFileNameA,GetEnvironmentVariableA,GetEnvironmentVariableA,GetEnvironmentVariableA,FindResourceA,GetDesktopWindow,GetDesktopWindow,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindResourceA,LoadResource,SizeofResource,LockResource,FindResourceA,LoadResource,SizeofResource,??2@YAPAXI@Z,??_U@YAPAXI@Z,LockResource,PathCombineA,PathFileExistsA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,??2@YAPAXI@Z,??_U@YAPAXI@Z,??2@YAPAXI@Z,CryptHashData,CryptDeriveKey,CryptDecrypt,MessageBoxA,??2@YAPAXI@Z,Sleep,GetCommandLineA,CreateFileA,FindCloseChangeNotification,PathCombineA,CreateFileA,CloseHandle,FindExecutableA,DeleteFileA,DeleteFileA,DeleteFileA,Sleep,PathCombineA,DeleteFileA, 2_2_00401282
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040D467 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_0040D467
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00417C71 CryptUnprotectData,LocalFree, 3_2_00417C71
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040D467 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_1_0040D467
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00417C71 CryptUnprotectData,LocalFree, 3_1_00417C71

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 2.2.yw6At7QnNh.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack
Uses 32bit PE files
Source: yw6At7QnNh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040B8C3 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 3_2_0040B8C3
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040B8C3 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 3_1_0040B8C3
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 3_2_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_2_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 3_1_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_1_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00414047 recv, 3_2_00414047
Source: yw6At7QnNh.exe String found in binary or memory: http://www.google.com/webhp
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp, yw6At7QnNh.exe, 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://www.google.com/webhpbcMY.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0041D43B GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 3_2_0041D43B
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00409FCC EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 3_2_00409FCC

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0041ADE1 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 3_2_0041ADE1
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0041ADE1 lstrcmpiA,lstrcmpiA,lstrcmpiA,TlsSetValue,CloseHandle, 3_1_0041ADE1
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040A2BA OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 3_2_0040A2BA

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_10001000 peagtfosapeh,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_10001000
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_2_00401046 DeleteFileA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 2_2_00401046
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_1_00401046 CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 2_1_00401046
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_2_004018F0: GetModuleHandleA,??2@YAPAXI@Z,lstrcatA,CreateFileA,DeviceIoControl,isalnum,isalnum,lstrcpyA,lstrcpyA,lstrcpyA,CharUpperA,CharUpperA,CharUpperA,CloseHandle, 2_2_004018F0
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040DAE4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 3_2_0040DAE4
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00416142 InitiateSystemShutdownExW,ExitWindowsEx, 3_2_00416142
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00413970 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_00413970
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00416142 InitiateSystemShutdownExW,ExitWindowsEx, 3_1_00416142
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00413970 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_1_00413970
Detected potential crypto function
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_004036E4 1_2_004036E4
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040200B 3_2_0040200B
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040718A 3_2_0040718A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040D373 3_2_0040D373
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040EF15 3_2_0040EF15
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040200B 3_1_0040200B
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040718A 3_1_0040718A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040D373 3_1_0040D373
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040EF15 3_1_0040EF15
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: String function: 00408888 appears 37 times
Sample file is different than original file name gathered from version info
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTStub.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCwork.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe Binary or memory string: OriginalFilename vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCwork.exe vs yw6At7QnNh.exe
Source: yw6At7QnNh.exe Binary or memory string: OriginalFilenameTStub.exe vs yw6At7QnNh.exe
Uses 32bit PE files
Source: yw6At7QnNh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: athefff3h6266cd5fa708f.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh, 1_2_0040105A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_004099A9 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 3_2_004099A9
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00409B1E CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 3_2_00409B1E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_004099A9 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 3_1_004099A9
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00409B1E CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 3_1_00409B1E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040D88E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 3_2_0040D88E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040D88E GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 3_1_0040D88E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040D837 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 3_2_0040D837
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_004179CD CoCreateInstance, 3_2_004179CD
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Local\Temp\athefff3h6266cd5fa708f.tmp
Source: yw6At7QnNh.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yw6At7QnNh.exe Virustotal: Detection: 81%
Source: yw6At7QnNh.exe Metadefender: Detection: 60%
Source: yw6At7QnNh.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 2.2.yw6At7QnNh.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Unpacked PE file: 3.2.yw6At7QnNh.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh, 1_2_0040105A
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_00405450 push eax; ret 1_2_0040547E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_00408888 push eax; ret 1_2_004088A6
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_2_00402550 push eax; ret 2_2_0040257E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 2_1_00402550 push eax; ret 2_1_0040257E
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00402961 push cs; iretd 3_2_00402970
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040292B push cs; ret 3_2_00402940
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040B1F7 push ebp; ret 3_2_0040B386
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00402295 push es; iretd 3_2_004022A4
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00402961 push cs; iretd 3_1_00402970
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040292B push cs; ret 3_1_00402940
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_0040B1F7 push ebp; ret 3_1_0040B386
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00402295 push es; iretd 3_1_004022A4

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\yw6At7QnNh.exe File created: C:\Users\user\AppData\Local\Temp\athefff3h6266cd5fa708f.tmp

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040BC07 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 3_2_0040BC07

Malware Analysis System Evasion:

Contains functionality to detect virtual machines
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: VBOX VBOX QEMU HARDDISK QEMU HARDDISK VMWARE VBOX 2_2_004018F0
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: yw6At7QnNh.exe Binary or memory string: SBIEDLL.DLL
Source: yw6At7QnNh.exe, 00000001.00000002.202804109.0000000000413000.00000004.00020000.sdmp, yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp Binary or memory string: $@RTLDECOMPRESSBUFFERNTDLL.DLLGETTHREADCONTEXTWRITEPROCESSMEMORYVIRTUALALLOCEXNTDLL.DLLNTUNMAPVIEWOFSECTIONCREATEPROCESSARESUMETHREADSETTHREADCONTEXTKERNEL32.DLLOPENMSDEFAULTBROWSER.HTMLYGN3456789MICROSOFT BASE CRYPTOGRAPHIC PROVIDER V1.0APPDATATEMPVIRTUALVMWAREQEMU HARDDISKVMLOGVBOX\\.\CWMONITORSBIEDLL.DLL
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 3_2_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_2_004118EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_00411830 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 3_1_00411830
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_004118EB FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_1_004118EB
Source: yw6At7QnNh.exe, 00000002.00000002.205116569.0000000000400000.00000040.00000001.sdmp Binary or memory string: $@RtlDecompressBufferNtdll.dllGetThreadContextWriteProcessMemoryVirtualAllocExntdll.dllNtUnmapViewOfSectionCreateProcessAResumeThreadSetThreadContextkernel32.dllopenMSDefaultBrowser.htmlYGN3456789Microsoft Base Cryptographic Provider v1.0APPDATATEMPVIRTUALVMWAREQEMU HARDDISKVMLOGVBOX\\.\cwmonitorSbieDll.dll
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: yw6At7QnNh.exe Binary or memory string: QEMU HARDDISK
Source: yw6At7QnNh.exe Binary or memory string: VMWARE
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: yw6At7QnNh.exe, 00000001.00000002.203455259.00000000027D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh, 1_2_0040105A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040105A GetSysColor,GetDoubleClickTime,SetDoubleClickTime,GetTickCount,GetDesktopWindow,GetDesktopWindow,PeekMessageA,PeekMessageA,Sleep,IsWindow,IsDialogMessageA,TranslateMessage,DispatchMessageA,IsDlgButtonChecked,GetDesktopWindow,FindWindowA,SetWindowTextA,LoadLibraryA,GetProcAddress,FindResourceA,IsClipboardFormatAvailable,wsprintfA,LoadResource,SizeofResource,GetLastError,GetCurrentProcess,TerminateProcess,LockResource,GetOpenFileNameA,SetFileAttributesA,LdrInitializeThunk,lstrcmpiA,MessageBoxA,GetClassInfoW,GetSysColor,GetTempPathA,GetUserDefaultLangID,PathAddBackslashA,lstrcatA,CreateFileA,WriteFile,GetLastError,FormatMessageA,CloseHandle,IsWindowEnabled,PostMessageA,LoadLibraryA,lstrlenA,GetProcAddress,GetCurrentThreadId,peagtfosapeh, 1_2_0040105A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_004129EB mov edx, dword ptr fs:[00000030h] 3_2_004129EB
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_1_004129EB mov edx, dword ptr fs:[00000030h] 3_1_004129EB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_00412D30 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 3_2_00412D30
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040A813 SetUnhandledExceptionFilter, 1_2_0040A813
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_0040A825 SetUnhandledExceptionFilter, 1_2_0040A825

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_10001000 peagtfosapeh,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_10001000
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Memory written: C:\Users\user\Desktop\yw6At7QnNh.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Memory written: C:\Users\user\Desktop\yw6At7QnNh.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Process created: C:\Users\user\Desktop\yw6At7QnNh.exe 'C:\Users\user\Desktop\yw6At7QnNh.exe'
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040F7B1 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 3_2_0040F7B1
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_00401B0C GetLocalTime,GetSystemTime,GetTimeZoneInformation, 1_2_00401B0C
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040994D GetUserNameExW, 3_2_0040994D
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_00403D2A GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_00403D2A
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 1_2_00401C01 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,KiUserExceptionDispatcher, 1_2_00401C01
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe, 00000002.00000002.205524903.0000000002070000.00000004.00000001.sdmp String found in binary or memory: identityAccept-EncodingTEIf-Modified-SinceRFB 003.003
Source: yw6At7QnNh.exe String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe String found in binary or memory: RFB 003.003
Source: yw6At7QnNh.exe, 00000003.00000001.203739017.0000000000400000.00000040.00020000.sdmp String found in binary or memory: identityAccept-EncodingTEIf-Modified-SinceRFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040F5E2 socket,bind,closesocket, 3_2_0040F5E2
Source: C:\Users\user\Desktop\yw6At7QnNh.exe Code function: 3_2_0040F304 socket,bind,listen,closesocket, 3_2_0040F304
No contacted IP infos