Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

yoyo.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	5.752655646033032
Filename:	yoyo.exe
Filesize:	591348
MD5:	0ced0787f8e64762035adea6c6aff9e2
SHA1:	3f3822cccdd892f20a8535a8137420e4e1b49344
SHA256:	79937a1b5c371c64c42abd995ddc3beff64be580f3f11ece7aceaccf1b306cee
SHA512:	4dbb7e2f3a28bdbf27db5a818567f44be6df0439736dc1326117440c05f1370d02178ef859734f4c830337a9b2f1dd3cfe74fb9cad33d996c54f2af36c2d8743
SSDEEP:	6144:oOvmKmAUS+NKnkg2RuO2NKVuciE0HyViv7LI3nDsq6KSTm+tmogOKietNDFBsY7v:oumpQ/kLIFU48EDLeDslh98BBXD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h]#g.*..(.....&....&.......................@..........................................`... ............................

Signature Hits	Behavior Group	Mitre Attack
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)	Networking	Network Sniffing
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains more sections than normal	System Summary	Access Token Manipulation
PE file contains sections with non-standard names	Data Obfuscation
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation System Information Discovery
Sample might require command line arguments	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Users\user\Desktop\yoyo.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.452819531114783
Encrypted:	false
Ssdeep:	3:34F3Xlslovn:qqly
Size:	32
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\yoyo.exe

"C:\Users\user\Desktop\yoyo.exe" -install

Details

Is windows:	false
Is dropped:	false
PID:	6388
Target ID:	0
Parent PID:	1028
Name:	yoyo.exe
Path:	C:\Users\user\Desktop\yoyo.exe
Commandline:	"C:\Users\user\Desktop\yoyo.exe" -install
Size:	591348
MD5:	0CED0787F8E64762035ADEA6C6AFF9E2
Time:	07:01:09
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6bdd10000
Modulesize:	573440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)	Networking	Network Sniffing
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\yoyo.exe

"C:\Users\user\Desktop\yoyo.exe" /install

Details

Is windows:	false
Is dropped:	false
PID:	2676
Target ID:	3
Parent PID:	1028
Name:	yoyo.exe
Path:	C:\Users\user\Desktop\yoyo.exe
Commandline:	"C:\Users\user\Desktop\yoyo.exe" /install
Size:	591348
MD5:	0CED0787F8E64762035ADEA6C6AFF9E2
Time:	07:01:11
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6bdd10000
Modulesize:	573440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)	Networking	Network Sniffing
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\yoyo.exe

"C:\Users\user\Desktop\yoyo.exe" /load

Details

Is windows:	false
Is dropped:	false
PID:	5852
Target ID:	5
Parent PID:	1028
Name:	yoyo.exe
Path:	C:\Users\user\Desktop\yoyo.exe
Commandline:	"C:\Users\user\Desktop\yoyo.exe" /load
Size:	591348
MD5:	0CED0787F8E64762035ADEA6C6AFF9E2
Time:	07:01:13
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6bdd10000
Modulesize:	573440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)	Networking	Network Sniffing
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1892
Target ID:	1
Parent PID:	6388
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:01:09
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7100
Target ID:	4
Parent PID:	2676
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:01:11
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6052
Target ID:	6
Parent PID:	5852
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:01:13
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF6BDD1C000

unkown

page write copy

90B37FD000

stack

page read and write

28F73A80000

heap

page read and write

7FF6BDD23000

unkown

page write copy

90B39FD000

stack

page read and write

7FF6BDD10000

unkown

page readonly

E932DFF000

stack

page read and write

7FF6BDD10000

unkown

page readonly

7FF6BDD11000

unkown

page execute read

7FF6BDD1D000

unkown

page readonly

1D39D500000

heap

page read and write

7FF6BDD10000

unkown

page readonly

1D39D5E0000

heap

page read and write

256E45E0000

heap

page read and write

28F73A50000

heap

page read and write

28F73AE0000

heap

page read and write

7FF6BDD26000

unkown

page readonly

7FF6BDD1D000

unkown

page readonly

1D39D6C0000

heap

page read and write

7FF6BDD23000

unkown

page read and write

B292DFF000

stack

page read and write

7FF6BDD1C000

unkown

page write copy

256E4810000

heap

page read and write

7FF6BDD11000

unkown

page execute read

256E4600000

heap

page read and write

7FF6BDD26000

unkown

page readonly

7FF6BDD11000

unkown

page execute read

7FF6BDD26000

unkown

page readonly

7FF6BDD1C000

unkown

page write copy

7FF6BDD1C000

unkown

page write copy

1D39D6C7000

heap

page read and write

1D39D600000

heap

page read and write

7FF6BDD1D000

unkown

page readonly

28F73A60000

heap

page read and write

7FF6BDD10000

unkown

page readonly

7FF6BDD23000

unkown

page write copy

256E47E0000

heap

page read and write

7FF6BDD11000

unkown

page execute read

7FF6BDD26000

unkown

page readonly

B292FFF000

stack

page read and write

7FF6BDD1C000

unkown

page write copy

7FF6BDD23000

unkown

page read and write

7FF6BDD26000

unkown

page readonly

7FF6BDD10000

unkown

page readonly

28F73AA0000

heap

page read and write

7FF6BDD11000

unkown

page execute read

1D39D6CB000

heap

page read and write

7FF6BDD1D000

unkown

page readonly

7FF6BDD1D000

unkown

page readonly

7FF6BDD1D000

unkown

page readonly

7FF6BDD23000

unkown

page read and write

7FF6BDD11000

unkown

page execute read

E932BFD000

stack

page read and write

90B3BFF000

stack

page read and write

E932FFF000

stack

page read and write

28F73AEC000

heap

page read and write

7FF6BDD26000

unkown

page readonly

28F73AE6000

heap

page read and write

256E47F0000

heap

page read and write

7FF6BDD23000

unkown

page write copy

256E4608000

heap

page read and write

7FF6BDD1C000

unkown

page write copy

B292BFD000

stack

page read and write

7FF6BDD10000

unkown

page readonly

1D39D950000

heap

page read and write

There are 55 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
yoyo.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportyoyo.exe

Files

Processes

Memdumps

IOC Report
yoyo.exe