| File name: | y8-browser-web-setup-1.0.10.exe |
| Full analysis: | https://app.any.run/tasks/902d3f7e-3e03-4716-86ec-c16074654191 |
| Verdict: | Malicious activity |
| Analysis date: | June 02, 2024, 12:46:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | CC6330972427884D4C58F7C0A063C815 |
| SHA1: | 7D8A90CEFCDF0B3291242FF1633F8942E8BA50A6 |
| SHA256: | 06035C50BB3E3F927F2B9921697438C9ACEAD3722C70A6A35FD857F454ED7373 |
| SSDEEP: | 12288:I+W/z69tQGx5SiDj8FrpugKgOv2PIS1uXv9LthszLPat:IvG9tQGx5BEFygOePRg63Ct |
MALICIOUS
Drops the executable file immediately after the start
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
SUSPICIOUS
Executable content was dropped or overwritten
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
The process creates files with name similar to system file names
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Malware-specific behavior (creating "System.dll" in Temp)
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads security settings of Internet Explorer
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads the Internet Settings
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Checks Windows Trust Settings
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads settings of System Certificates
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
INFO
Checks proxy server information
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads the computer name
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
- wmpnscfg.exe (PID: 748)
Checks supported languages
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
- wmpnscfg.exe (PID: 748)
Create files in a temporary directory
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads the machine GUID from the registry
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Reads the software policy settings
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Creates files or folders in the user directory
- y8-browser-web-setup-1.0.10.exe (PID: 4000)
Manual execution by a user
- wmpnscfg.exe (PID: 748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:01:30 03:58:52+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.10.0 |
| ProductVersionNumber: | 1.0.10.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Y8 Games |
| FileDescription: | Custom Y8 Browser |
| FileVersion: | 1.0.10 |
| LegalCopyright: | Copyright © year Y8 Games |
| LegalTrademarks: | com.y8.y8-browser |
| ProductName: | Y8 Browser |
| ProductVersion: | 1.0.10 |
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 748 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4000 | "C:\Users\admin\AppData\Local\Temp\y8-browser-web-setup-1.0.10.exe" | C:\Users\admin\AppData\Local\Temp\y8-browser-web-setup-1.0.10.exe | explorer.exe | ||||||||||||
User: admin Company: Y8 Games Integrity Level: MEDIUM Description: Custom Y8 Browser Version: 1.0.10 Modules
| |||||||||||||||
Total events
6 642
Read events
6 602
Write events
34
Delete events
6
Modification events
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (4000) y8-browser-web-setup-1.0.10.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
5
Suspicious files
9
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\Local\Temp\nsb2DBA.tmp\nsProcess.dll | executable | |
MD5:F0438A894F3A7E01A4AAE8D1B5DD0289 | SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25 | binary | |
MD5:6D0AA2934F7906F0B1C8CE0ADEE341B9 | SHA256:0FC6E1B30A20E43450CCA0AA6AE6502F9F18050AFF0823DB09B0EECA6945E919 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C | binary | |
MD5:FF24AC34B750092A94186C8E52FB4D7D | SHA256:AA59A1D866CE19AF4C07C41FAB7B0F076071028CA5D48E60BBD29D3CDD66B548 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90 | binary | |
MD5:61C060748DACA8556274BFABC587F30E | SHA256:D3A4273F83DB93B4AFE9C06918806D71E6268A4B8B41CEE65E047CFAA1AF548F | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C | binary | |
MD5:C4E45BFC821619FAE97EE8E37C59BCEE | SHA256:0D7D5F384108F8E45A05725A8787D46ED8DBD7AFE17F96BBA25C978529649069 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\Local\Temp\nsb2DBA.tmp\System.dll | executable | |
MD5:75ED96254FBF894E42058062B4B4F0D1 | SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary | |
MD5:711BD2699A6A1A0B076F5E3AC4B00414 | SHA256:C4A681FB295E9F98D4616A89B10B148E27A2202EF0967505D473D348936A9E30 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary | |
MD5:E696A00652138DE526AAE113D6B4782C | SHA256:4DA9DE7CFCA8BD331148D27BC4D925D46D3142D9FE9C99BC0631ADF1A3A01BED | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\Local\Temp\nsb2DBA.tmp\SpiderBanner.dll | executable | |
MD5:17309E33B596BA3A5693B4D3E85CF8D7 | SHA256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93 | |||
| 4000 | y8-browser-web-setup-1.0.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:22C09DC66B1D226070E8CABF7F284999 | SHA256:0A11F9DF8C0846493C10D1A99EDDAABDB882F674B610A9C132EA3F16CE77AD8F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4000 | y8-browser-web-setup-1.0.10.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | unknown | — | — | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | — | — | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | GET | 304 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?12789e048eeb75c2 | unknown | — | — | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D | unknown | — | — | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | unknown | — | — | unknown |
— | — | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4f7497503626c948 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | — | shared |
4000 | y8-browser-web-setup-1.0.10.exe | 185.199.111.133:443 | objects.githubusercontent.com | FASTLY | US | unknown |
4000 | y8-browser-web-setup-1.0.10.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1088 | svchost.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
github.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
objects.githubusercontent.com |
| shared |
ocsp.digicert.com |
| whitelisted |