Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.933286529477898
Filename:	file.exe
Filesize:	2237084
MD5:	4abca4ce3b4f93811359c9bfa0069878
SHA1:	d4574fbd9741d1945c6d02cbb33fb398e9bc1d27
SHA256:	8523f06f8b50885c4b4895a09eae4acf06b4852966c7acd8ce0e2d1d9727f568
SHA512:	22dc1e46a975e995ff82d6f99a92a3d96f899a0a44e0706853ee1f1d5663a7fec8ab6a9ee74d789f6bc85721d3c0ce02511d7b0885800e59d09e4430f813617f
SSDEEP:	49152:XcL4/T+kFc3Rqvn5LqahIxhudvPOyWyLRotSR31jc+FDoxolTx:XcL46kURgtDlIytotc31jc+hqolTx
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y....~..y....\|.!y....}..y..+.r..y..+....y..+....y..+....y.......y.......y...y...x..%....y..%....y..%.p..y..%....y.

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
File is packed with WinRar	Data Obfuscation	Software Packing
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Might use command line arguments	System Summary
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\YYF2G.a

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\YYF2G.a
Category:	dropped
Dump:	YYF2G.a.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.928877139760436
Encrypted:	false
Ssdeep:	49152:XLcFRssz/nnyKPIxrKdF5ACWyldmt2PRjjWe5LMx8RWhmt8l:XAR7Tn3L+yXmtMRjjWeVG8RWhmt8l
Size:	2068480
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6820
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2237084
MD5:	4ABCA4CE3B4F93811359C9BFA0069878
Time:	22:43:52
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf60000
Modulesize:	454656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -S .\YYF2G.A

Details

Is windows:	true
Is dropped:	false
PID:	7088
Target ID:	1
Parent PID:	6820
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	"C:\Windows\System32\regsvr32.exe" -S .\YYF2G.A
Size:	20992
MD5:	878E47C8656E53AE8A8A21E927C6F7E0
Time:	22:43:53
Date:	16/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

F61000

unkown

page execute read

3280000

heap

page read and write

3481000

heap

page read and write

3400000

heap

page read and write

54B0000

heap

page read and write

533E000

stack

page read and write

EA0000

heap

page read and write

35A0000

heap

page read and write

3457000

heap

page read and write

38EB000

heap

page read and write

50B1000

direct allocation

page execute read

3489000

heap

page read and write

38AA000

trusted library allocation

page read and write

3456000

heap

page read and write

330E000

stack

page read and write

5B1F000

stack

page read and write

344F000

heap

page read and write

57AE000

stack

page read and write

3457000

heap

page read and write

EFD000

stack

page read and write

53C0000

heap

page read and write

5350000

heap

page read and write

3426000

heap

page read and write

3315000

heap

page read and write

FA7000

unkown

page read and write

543E000

stack

page read and write

3445000

heap

page read and write

3429000

heap

page read and write

5B5B000

stack

page read and write

3891000

trusted library allocation

page read and write

38E7000

heap

page read and write

3448000

heap

page read and write

345A000

heap

page read and write

34C3000

heap

page read and write

F3D000

stack

page read and write

5446000

direct allocation

page read and write

3448000

heap

page read and write

FBC000

unkown

page readonly

328A000

heap

page read and write

F9E000

unkown

page read and write

4F7A000

direct allocation

page read and write

58DE000

stack

page read and write

53C4000

heap

page read and write

3465000

heap

page read and write

3407000

heap

page read and write

E39000

stack

page read and write

343A000

heap

page read and write

51D1000

direct allocation

page execute read

357F000

stack

page read and write

349A000

heap

page read and write

FBC000

unkown

page write copy

780D000

stack

page read and write

3489000

heap

page read and write

53B0000

heap

page read and write

353E000

stack

page read and write

F61000

unkown

page execute read

343E000

heap

page read and write

35FD000

stack

page read and write

3580000

direct allocation

page execute and read and write

50B6000

direct allocation

page read and write

3444000

heap

page read and write

344D000

heap

page read and write

3310000

heap

page read and write

33E0000

heap

page read and write

3483000

heap

page read and write

F92000

unkown

page readonly

349C000

heap

page read and write

52D0000

direct allocation

page read and write

349C000

heap

page read and write

6E10000

trusted library allocation

page read and write

59DF000

stack

page read and write

3462000

heap

page read and write

F60000

unkown

page readonly

343E000

heap

page read and write

3250000

heap

page read and write

51DE000

direct allocation

page readonly

F40000

heap

page read and write

2FEC000

stack

page read and write

3456000

heap

page read and write

2FAB000

stack

page read and write

38E0000

heap

page read and write

344D000

heap

page read and write

3456000

heap

page read and write

E2C000

stack

page read and write

329C000

heap

page read and write

F9E000

unkown

page write copy

3429000

heap

page read and write

F92000

unkown

page readonly

53D0000

heap

page read and write

3260000

heap

page read and write

FBD000

unkown

page readonly

34FF000

stack

page read and write

4EE0000

heap

page read and write

D36000

stack

page read and write

33DE000

stack

page read and write

3472000

heap

page read and write

EB0000

heap

page readonly

56B0000

trusted library allocation

page read and write

36FE000

stack

page read and write

7610000

heap

page read and write

F60000

unkown

page readonly

5A1E000

stack

page read and write

There are 92 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

Memdumps

IOC Report
file.exe