Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

YY#U6302#U53f7#U534f#U8bae.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.921437760987104
Filename:	YY#U6302#U53f7#U534f#U8bae.exe
Filesize:	4972544
MD5:	765cf453d0cea3719b619e4c55881093
SHA1:	060ae0476bbd908d08537c8b6bb24d2ec83d524c
SHA256:	3d76cc27be3265077a5c15f2c76848b73148df035b7d3a3d2b9ad77232587cfd
SHA512:	2132af60567aaf5c89001c36edd0764ef5e336dd2260d20287953ce2dac4b80c7817d0c0fe410a0d092900181c3d360999f7f2c06b5eba51a2e54821175cec18
SSDEEP:	98304:ygvElT54uia2kf5SCyJsAh6wbwPy7kl/CNBIs0lApvWJ:yFT54rHi4H+Ah/bOUkVQY2oJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.vOB.%OB.%OB.% ].%FB.% ].%IB.%.^.%bB.%4^.%JB.%.].%cB.%.J.%MB.%OB.%.@.%-].%RB.%yd.%.B.%yd.%7B.%.].%.B.%.].%RB.%OB.%.B.%.D.%NB.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Detected VMProtect packer	System Summary
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la
Category:	dropped
Dump:	iext1.fnr.bbs.125.la.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.917105002705599
Encrypted:	false
Ssdeep:	12288:wKBQAJdbyF+XZrjvhIeWgtN5XcTXrTmY5GTTTTTTTTTy8L1d8GsgFMwq:wKBZbpXZrjhI8N5sT7TzGTTTTTTTTTy9
Size:	741376
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

"C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe"

Details

Is windows:	false
Is dropped:	false
PID:	908
Target ID:	0
Parent PID:	2580
Name:	YY#U6302#U53f7#U534f#U8bae.exe
Path:	C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe
Commandline:	"C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe"
Size:	4972544
MD5:	765CF453D0CEA3719B619E4C55881093
Time:	14:02:56
Date:	15/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	12898304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Detected VMProtect packer	System Summary
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG

unknown

https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=

unknown

http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels

unknown

https://www.yy.com/zone/assets/total.json

unknown

http://www.yy.com/search-

unknown

http://120.26.95.191:5659/

unknown

http://www.openssl.org/V

unknown

http://www.yy.com/

unknown

http://peipei.yy.com/web/account/internal/account/list

unknown

https://www.yy.com/u/

unknown

http://bbs.125.la/

unknown

https://bbs.125.la/thread-14738139-1-1.html

unknown

http://vip.yy.com/service/web/user/info?_time=vipLevel

unknown

http://hgame.yy.com/action/getUserLoginInfo.json

unknown

https://captcha.yy.com/baidu/submit.do?appid=

unknown

https://www.dmdaili.com/yaoqing/33405.html

unknown

https://passport.baidu.com/viewlog/getstyle?ak=

unknown

https://www.yy.com/zone/userinfo/getUserInfo.json

unknown

http://www.openssl.org/support/faq.html

unknown

https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1

unknown

https://iexui.com/downexui

unknown

http://do-dw.yy.com/user.php?sids=

unknown

https://hgame.yy.com/person/p_account

unknown

https://captcha.yy.com/baidu/submit.do?appid=obj

unknown

https://yyfkw.cn

unknown

http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50

unknown

http://120.26.95.191:5658/

unknown

https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac

unknown

http://vip.yy.com/service/web/user/info?_time=

unknown

http://vip.yy.com/vip/vcard/indexrest?_time=

unknown

http://www.yy.com/sid

unknown

https://www.xiequ.cn/index.html?dc1bbee2

unknown

http://www.uc.cn/ip

unknown

https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&

unknown

https://www.yy.com/gu/

unknown

http://www.uc.cn/ipIP:http://

unknown

https://nfnba.lanzoub.com/ietaw0udyhid

unknown

https://yyfkw.cn999https://nfnba.lanzoub.com/ietaw0udyhid

unknown

http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h

unknown

https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb

unknown

https://passport.baidu.com/viewlog?ak=

unknown

http://channel.yy.com/ajax/member/indexAction

unknown

There are 32 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1349000

heap

page read and write

1369000

heap

page read and write

400000

unkown

page readonly

6CF97000

unkown

page read and write

6CEF0000

unkown

page readonly

2FC1000

heap

page read and write

1393000

heap

page read and write

1393000

heap

page read and write

2F09000

heap

page read and write

1376000

heap

page read and write

19C000

stack

page read and write

2CD0000

heap

page read and write

1305000

heap

page read and write

F98000

unkown

page execute and write copy

1195000

heap

page read and write

B88000

unkown

page readonly

F97000

unkown

page execute and read and write

2CB0000

heap

page read and write

1373000

heap

page read and write

401000

unkown

page execute read

1130000

heap

page read and write

1376000

heap

page read and write

6CF91000

unkown

page read and write

1309000

heap

page read and write

5A0000

unkown

page readonly

2E04000

heap

page read and write

99000

stack

page read and write

1342000

heap

page read and write

131E000

heap

page read and write

1377000

heap

page read and write

1376000

heap

page read and write

9DD000

unkown

page readonly

1376000

heap

page read and write

400000

unkown

page readonly

12DE000

stack

page read and write

2FC0000

heap

page read and write

12E0000

heap

page read and write

117E000

stack

page read and write

33DE000

stack

page read and write

1351000

heap

page read and write

6CF98000

unkown

page write copy

2E00000

heap

page read and write

1310000

heap

page read and write

B86000

unkown

page read and write

1300000

heap

page read and write

B93000

unkown

page execute and read and write

6CF9F000

unkown

page readonly

138A000

heap

page read and write

B88000

unkown

page readonly

136E000

heap

page read and write

34DF000

stack

page read and write

329E000

stack

page read and write

30C0000

trusted library allocation

page read and write

136E000

heap

page read and write

1376000

heap

page read and write

3268000

heap

page read and write

150F000

stack

page read and write

B94000

unkown

page execute and write copy

1197000

heap

page read and write

6CF92000

unkown

page write copy

1361000

heap

page read and write

30FC000

stack

page read and write

1393000

heap

page read and write

B47000

unkown

page read and write

B80000

unkown

page read and write

2DF0000

heap

page read and write

6CEF1000

unkown

page execute read

133F000

heap

page read and write

131A000

heap

page read and write

339F000

stack

page read and write

136E000

heap

page read and write

325E000

stack

page read and write

6CF60000

unkown

page readonly

4E60000

trusted library allocation

page read and write

1190000

heap

page read and write

6CF9D000

unkown

page read and write

B18000

unkown

page read and write

3100000

heap

page read and write

B93000

unkown

page execute and write copy

2CD5000

heap

page read and write

3150000

heap

page read and write

1050000

heap

page read and write

B39000

unkown

page read and write

1393000

heap

page read and write

1393000

heap

page read and write

1366000

heap

page read and write

1349000

heap

page read and write

129F000

stack

page read and write

136E000

heap

page read and write

6CFA3000

unkown

page readonly

B8F000

unkown

page execute read

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
YY#U6302#U53f7#U534f#U8bae.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportYY#U6302#U53f7#U534f#U8bae.exe

Files

Processes

URLs

Memdumps

IOC Report
YY#U6302#U53f7#U534f#U8bae.exe