File name:	yuki.exe
Full analysis:	https://app.any.run/tasks/a3d0b327-9fee-4437-86c9-bd9f8c5e1782
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 07, 2024, 07:34:59
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller github discord arch-doc ims-api generic discordgrabber stealer susp-powershell python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	75F2C40C5FD05B5824D88867C17AFB49
SHA1:	9E29B9A694B3010DEF637B18F245CA8635723649
SHA256:	1C0D63ED602D3C5B4C7FEA32E801AB1B2610F7E9D50C3CCB7CA9550810EA2E0A
SSDEEP:	393216:zJkIR1w4GGeqdCpDv//6dcjY+0bnd2AnRxvKO4BQ4L8nWTGS:1F64GvqdCpD35jYhbnd2AnRD4BXeS

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:11:07 01:23:04+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	185856
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.22621.3296
ProductVersionNumber:	10.0.22621.3296
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft® Group Policy Update Utility
FileVersion:	10.0.22621.3296 (WinBuild.160101.0800)
InternalName:	GPUpdate.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	GPUpdate.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.22621.3296


(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7132
Operation:	write	Name:	0
Value: 0B0E104C5A3DED7F9539408345FDE2B777BEBD230046C2ED9DD6FB9CCCED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511DC37D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(7132) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

PID	Process	Filename		Type
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_Salsa20.pyd		executable
		MD5:3F6E73B2151A1529EF30763ACBD63189	SHA256:3000A4E4B6D62ED2AA8FC3ACA1BEE21E03D7EEFE961DB8E0872D51F7F8FB094B
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_chacha20.pyd		executable
		MD5:58FDF64B67A7AF0FEBAFA9BE53094C66	SHA256:4B94B9A948C626E34ACCCE67C09524972719E7D82865B6981BF668E976F616F6
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_arc2.pyd		executable
		MD5:0072BBD2B1AAA845C289884C3FC3E6CA	SHA256:784751702CCAEE36641973C5B40990993341AA0FB42B45526930DC9823B14D21
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_aes.pyd		executable
		MD5:D4606F55CFDAB1FA41BC4A69AA0F5F91	SHA256:DF26C8E5052CB05A96D6FAB0824BB4E4C04A10EA45AD3B56DB3FE00B695E7156
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_ARC4.pyd		executable
		MD5:111EEC367590B8ABB73825FB77232995	SHA256:5F2F2122D5DEAF302D0795A0C942F29306350B607AE8E5ABDFC96E08E287B632
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_pkcs1_decode.pyd		executable
		MD5:BE4016AB120672923BF3C01240B87DF0	SHA256:0541E52B4EFA3DD911C14A67A104FE1207EA15A33BB8F94A928395BCA9B32AF2
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_aesni.pyd		executable
		MD5:77EB782D3A1C0BA6134D3C74093058A9	SHA256:098082E71F5A88F72AA478296D533A6F14F4966DF05DB2DC7014910146BA9C48
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_blowfish.pyd		executable
		MD5:3AAFD580A6EB129D6FA81676AEDC17AF	SHA256:8035581ED2F8BD52C747EE78E8739C9353C00020A7CF6B352B91741B2D83E2A0
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_ctr.pyd		executable
		MD5:D9AA56216FD9B7443B5431E3964668F3	SHA256:06B9A3AC04E09F51296261F1E3178DEE84038FEA11A33EFC76E71430506BDFD7
6936	yuki.exe	C:\Users\admin\AppData\Local\Temp\_MEI69362\Cryptodome\Cipher\_raw_cbc.pyd		executable
		MD5:E116F8C6A7376154E6610A6B9BBD7D87	SHA256:6A44880996AEBA9B04ACF3383E9A5ACC93682FE66644A9E2BC3EA5DEFC08E09B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.216.77.21:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.216.77.21:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.21:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.50.131.85:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	23.53.43.83:443	https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C	unknown	xml	10.7 Kb	whitelisted
—	—	GET	200	52.111.236.7:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B61E80058-6FCC-4707-86FF-1A631FB14E83%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted
—	—	GET	200	52.113.194.132:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bED3D5A4C-957F-4039-8345-FDE2B777BEBD%7d&LabMachine=false	unknown	binary	381 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.216.77.21:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.216.77.21:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.216.77.21:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.216.77.21 23.216.77.32 23.216.77.25	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
gstatic.com	142.250.185.99	whitelisted
raw.githubusercontent.com	185.199.110.133 185.199.108.133 185.199.111.133 185.199.109.133	shared
discord.com	162.159.135.232 162.159.137.232 162.159.136.232 162.159.128.233 162.159.138.232	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
omex.cdn.office.net	23.50.131.71 23.50.131.74 23.50.131.92 23.50.131.94 23.50.131.85	whitelisted
ecs.office.com	52.113.194.132	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2172	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5980	yuki.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

yuki.exe

75F2C40C5FD05B5824D88867C17AFB49

9E29B9A694B3010DEF637B18F245CA8635723649

1C0D63ED602D3C5B4C7FEA32E801AB1B2610F7E9D50C3CCB7CA9550810EA2E0A

393216:zJkIR1w4GGeqdCpDv//6dcjY+0bnd2AnRxvKO4BQ4L8nWTGS:1F64GvqdCpD35jYhbnd2AnRD4BXeS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Actions looks like stealing of personal data

Changes settings for protection against network attacks (IPS)

Changes settings for checking scripts for malicious actions

Changes settings for sending potential threat samples to Microsoft servers

Changes Controlled Folder Access settings

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for real-time protection

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Adds extension to the Windows Defender exclusion list

DISCORDGRABBER has been detected (YARA)

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Starts a Microsoft application from unusual location

Application launched itself

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Script disables Windows Defender's IPS

Script disables Windows Defender's real-time protection

Possible usage of Discord/Telegram API has been detected (YARA)

The process hide an interactive prompt from the user

Script adds exclusion path to Windows Defender

Uses ATTRIB.EXE to modify file attributes

Script adds exclusion extension to Windows Defender

Executable content was dropped or overwritten

Process drops python dynamic module

Loads Python modules

INFO

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Checks supported languages

Creates files or folders in the user directory

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Manual execution by a user

PyInstaller has been detected (YARA)

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information