File name: YellowSkull2.0.exe

Full analysis: https://app.any.run/tasks/f76385b1-1aed-4c4f-a201-ec94f39d0181
Verdict: Malicious activity
Analysis date: September 21, 2024, 05:58:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 660E26001A8891E78135A09D3EC2623F
SHA1: BD95C1955BE08EAECEFA7B3DD1CBDAC7387B6D06
SHA256: 1811C7B5DDCC6637A782BF32DB70B60BD0BF3EC2B3498716591F718CDA25FD14
SSDEEP: 49152:cCEz1VWQraflEcY8GSFJ2CBUm5htDRvG0JuH0Xv6GVO8UKlo6:cn14QilESfFim15rtxUuo6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables the LogOff the Start menu

      • reg.exe (PID: 6256)
    • UAC/LUA settings modification

      • reg.exe (PID: 6364)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2932)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • YellowSkull2.0.exe (PID: 6768)
      • cmd.exe (PID: 3768)
    • Creates file in the systems drive root

      • cmd.exe (PID: 3768)
    • Starts CMD.EXE for commands execution

      • YellowSkull2.0.exe (PID: 6768)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3768)
    • Changes the desktop background image

      • reg.exe (PID: 6148)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3768)
    • The executable file from the user directory is run by the CMD process

      • bg.exe (PID: 1920)
      • YSkullLock.exe (PID: 5548)
    • The process executes VB scripts

      • cmd.exe (PID: 3768)
    • Executing commands from a ".bat" file

      • YellowSkull2.0.exe (PID: 6768)
    • Reads security settings of Internet Explorer

      • YellowSkull2.0.exe (PID: 6768)
  • INFO

    • Checks supported languages

      • YellowSkull2.0.exe (PID: 6768)
      • bg.exe (PID: 1920)
      • YSkullLock.exe (PID: 5548)
    • Reads the computer name

      • YellowSkull2.0.exe (PID: 6768)
      • bg.exe (PID: 1920)
      • YSkullLock.exe (PID: 5548)
    • Process checks computer location settings

      • YellowSkull2.0.exe (PID: 6768)
    • The process uses the downloaded file

      • YellowSkull2.0.exe (PID: 6768)
      • cmd.exe (PID: 3768)
    • Create files in a temporary directory

      • YellowSkull2.0.exe (PID: 6768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:08 13:12:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 2592768
InitializedDataSize: 4096
UninitializedDataSize: 7725056
EntryPoint: 0x9d66b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: Yellow Skull Virus 2.0
FileVersion: 2,0,0,0
ProductVersion: 2,0,0,0
No data.
All screenshots are available in the full report
Total processes: 174
Monitored processes: 52
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start yellowskull2.0.exe cmd.exe conhost.exe no specs reg.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs bg.exe no specs yskulllock.exe no specs reg.exe wscript.exe no specs yellowskull2.0.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 492 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 864 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 884 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1184 | CMD: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f | Path: C:\Windows\SysWOW64\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1236 | CMD: taskkill /f /im explorer.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1448 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1920 | CMD: bg.exe | Path: C:\Users\admin\AppData\Local\Temp\B5EB.tmp\bg.exe | Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\appdata\local\temp\b5eb.tmp\bg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2324 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2356 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2472 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\SysWOW64\rundll32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 4 398
Read events: 4 388
Write events: 10
Delete events: 0

Modification events

(PID) Process: (3768) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (6148) reg.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: Wallpaper
Value: c:\yellowskull.bmp

(PID) Process: (6648) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

(PID) Process: (6332) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: HideFastUserSwitching
Value: 1

(PID) Process: (3448) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableChangePassword
Value: 1

(PID) Process: (4180) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableLockWorkstation
Value: 1

(PID) Process: (6256) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: NoLogoff
Value: 1

(PID) Process: (1184) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (6364) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (2932) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: YellowSkull2 Special Program
Value: C:\YSkullMBRSetup.exe
Executable files: 4
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\YSkullMBRSetup.exe | executable
MD5: 220303EB72EBDE4605116640FB719B26
SHA256: F081C913488C3F22B62F906DAC2A82A38D085EBE1D28701F0059DFDFBF1CCF42
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\bg.exe | executable
MD5: 12CF508E9058E3E67CF8A736557C2749
SHA256: B3670EC42931E2DEA3E03053EDA32240D8B6DB15BF89D0C74E23E99ECB0AAF49
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\YSkullLock.exe | executable
MD5: 2191C3A14B53531E82726B17DD331CEF
SHA256: 3B2ABD3773E4678100F197F53A886EC833FD2E26AA9A94D780A2D22BEFDF7D44
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\YSkullMBRSetup.cpp | text
MD5: 47E463410CB8131ADACC9DCC7259D18B
SHA256: 4A72771CA59099094242F733D396F775946ED59E03C2AD680517530CA8A070B7
3768 | cmd.exe | C:\YSkullMBRSetup.exe | executable
MD5: 220303EB72EBDE4605116640FB719B26
SHA256: F081C913488C3F22B62F906DAC2A82A38D085EBE1D28701F0059DFDFBF1CCF42
3768 | cmd.exe | C:\YellowSkull.bmp | image
MD5: 11BCDA64D254AD8DC591B41F8FCEB04D
SHA256: 84C5DAD2D4CEC5B636C1FAE6F1E1482ADA9F62363DCF269B4A86F6070D5B50FC
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\YellowSkull2.bat | text
MD5: 4671D5895D88BC19645CAB0FC7CA398A
SHA256: DD8AA9F7955674A7A1B5B222D7C1809C583C705DAE8BF476CDD42EFCC0AFABB5
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\bg.wav | wav
MD5: 832B350B50A07906C630A2B8819FD209
SHA256: 94E1CECF8ED740EA45C87927DE31005C3B2F9DB261AAE04FE56A81E337D1E8DA
6768 | YellowSkull2.0.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\YellowSkull.bmp | image
MD5: 11BCDA64D254AD8DC591B41F8FCEB04D
SHA256: 84C5DAD2D4CEC5B636C1FAE6F1E1482ADA9F62363DCF269B4A86F6070D5B50FC
3768 | cmd.exe | C:\Users\admin\AppData\Local\Temp\B5EB.tmp\k.vbs | text
MD5: 08121EA7E3B2EB7EDFC85252B937AAEB
SHA256: 31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6176 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1848 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6176 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1848 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.189.173.24:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6176 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1848 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 142.250.185.78 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted

Threats

No threats detected
No debug info