Overview
overview
8Static
static
8YYHeZi1.0....er.dll
windows7-x64
1YYHeZi1.0....er.dll
windows10-2004-x64
1YYHeZi1.0....te.exe
windows7-x64
8YYHeZi1.0....te.exe
windows10-2004-x64
8YYHeZi1.0....hi.exe
windows7-x64
8YYHeZi1.0....hi.exe
windows10-2004-x64
8YYHeZi1.0....er.exe
windows7-x64
8YYHeZi1.0....er.exe
windows10-2004-x64
8YYHeZi1.0....er.dll
windows7-x64
1YYHeZi1.0....er.dll
windows10-2004-x64
1YYHeZi1.0....te.exe
windows7-x64
8YYHeZi1.0....te.exe
windows10-2004-x64
8YYHeZi1.0....ll.cmd
windows7-x64
6YYHeZi1.0....ll.cmd
windows10-2004-x64
6YYHeZi1.0....ll.cmd
windows7-x64
6YYHeZi1.0....ll.cmd
windows10-2004-x64
6YYHeZi1.0....us.dll
windows7-x64
3YYHeZi1.0....us.dll
windows10-2004-x64
3YYHeZi1.0....el.dll
windows7-x64
1YYHeZi1.0....el.dll
windows10-2004-x64
3YYHeZi1.0....on.dll
windows7-x64
1YYHeZi1.0....on.dll
windows10-2004-x64
3YYHeZi1.0....ke.dll
windows7-x64
3YYHeZi1.0....ke.dll
windows10-2004-x64
3YYHeZi1.0....el.dll
windows7-x64
1YYHeZi1.0....el.dll
windows10-2004-x64
3YYHeZi1.0....ck.dll
windows7-x64
1YYHeZi1.0....ck.dll
windows10-2004-x64
3YYHeZi1.0....pi.dll
windows7-x64
1YYHeZi1.0....pi.dll
windows10-2004-x64
1YYHeZi1.0....cs.exe
windows7-x64
YYHeZi1.0....cs.exe
windows10-2004-x64
Analysis
-
max time kernel
173s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
27/11/2022, 07:34
Behavioral task
behavioral1
Sample
YYHeZi1.0.9.1985/DuoKai/loader.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
YYHeZi1.0.9.1985/DuoKai/loader.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
YYHeZi1.0.9.1985/DuoKai/update.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
YYHeZi1.0.9.1985/DuoKai/update.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
YYHeZi1.0.9.1985/DuoKai/yyweishi.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
YYHeZi1.0.9.1985/DuoKai/yyweishi.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
YYHeZi1.0.9.1985/Flower/flower.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
YYHeZi1.0.9.1985/Flower/flower.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
YYHeZi1.0.9.1985/Flower/loader.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral10
Sample
YYHeZi1.0.9.1985/Flower/loader.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
YYHeZi1.0.9.1985/Flower/update.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
YYHeZi1.0.9.1985/Flower/update.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
YYHeZi1.0.9.1985/Voice/@UNinstall.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral14
Sample
YYHeZi1.0.9.1985/Voice/@UNinstall.cmd
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
YYHeZi1.0.9.1985/Voice/@install.cmd
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
YYHeZi1.0.9.1985/Voice/@install.cmd
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Chorus.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Chorus.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/ComDel.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral20
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/ComDel.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Distortion.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Distortion.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Karaoke.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Karaoke.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/SimDel.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/SimDel.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Stick.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
YYHeZi1.0.9.1985/Voice/Effects/Simple/Impl/Stick.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
YYHeZi1.0.9.1985/Voice/Psapi.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral30
Sample
YYHeZi1.0.9.1985/Voice/Psapi.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
YYHeZi1.0.9.1985/Voice/Vcs.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral32
Sample
YYHeZi1.0.9.1985/Voice/Vcs.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
YYHeZi1.0.9.1985/DuoKai/yyweishi.exe
-
Size
997KB
-
MD5
39e15dcc2d0af58f6603186171f7442c
-
SHA1
375bbd6eeb94eba07d24c6b7a8dbf4d8741c5252
-
SHA256
5c61de11f05ff481aafb77a09e8334cbf4f8e8e9d32c5e5d8361bebec36fa935
-
SHA512
d6a8b4c8af45a7b639a561dd4e9690f24d88e257c4889ba255b84bd3010edad4397c20fec127c761e0129408aefe82b2bfc9bbf2e21b02ad54d4eb27ec3c386e
-
SSDEEP
12288:RQIvSHI61fhBBdzQxdgNU+TRyKo+fIBcrssDwPMyAXhmWd2YslgpmxNlDl3nWbdE:RrolUdgK6TIWZD6MyAxmWwJ6+LZ3CbF
Malware Config
Signatures
-
resource yara_rule behavioral5/memory/1752-55-0x0000000000400000-0x00000000006F8000-memory.dmp upx behavioral5/memory/1752-57-0x0000000000400000-0x00000000006F8000-memory.dmp upx -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main yyweishi.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 yyweishi.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 yyweishi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 yyweishi.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde yyweishi.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1752 yyweishi.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1752 yyweishi.exe 1752 yyweishi.exe 1752 yyweishi.exe