Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 8, 2024, 9:38 a.m.	July 8, 2024, 9:41 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7e65b6742284236fdd138467fad4a26b`
SHA256	`7565e6753a23fa9393cd3a32b1f65153658a48d8a289a2571fd9285f6628ac65`
CRC32	`A008FFE5`
ssdeep	`24576:DAHnh+eWsN3skA4RV1Hom2KXMmHai5ib3XvnR3e5:Oh+ZkldoPK8Yai5knJk`
Yara	Malicious_Library_Zero - Malicious_Library Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero IsPE32 - (no description) Device_Check_Zero - Device Check Zero UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

igccu.exe "C:\Users\test22\AppData\Local\Temp\igccu.exe"
2544
- svchost.exe "C:\Users\test22\AppData\Local\Temp\igccu.exe"
  2640

Name	Response	Post-Analysis Lookup
www.the35678.shop	A 104.21.73.86 A 172.67.142.9	172.67.142.9
www.conciergenotary.net
www.ambassadorshipvottings.click

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.142.9	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 172.67.142.9:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2024, 9:38 a.m.			0	0

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.the35678.shop/rn94/?rN=Pw6uawu6bpUURmobPGjm7w10f8Mlz4ae3CQ9SdoAu0lviBuvuUEzgMQxBmwJM+0zgqHwiUMV&QZ3=ehux_83h401LUZ

request

GET http://www.the35678.shop/rn94/?rN=Pw6uawu6bpUURmobPGjm7w10f8Mlz4ae3CQ9SdoAu0lviBuvuUEzgMQxBmwJM+0zgqHwiUMV&QZ3=ehux_83h401LUZ

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2024, 9:38 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 9:38 a.m.	process_identifier: 2544 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 9:38 a.m.	process_identifier: 2640 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

section

{u'size_of_data': u'0x0003e000', u'virtual_address': u'0x000c8000', u'entropy': 7.813342871687274, u'name': u'.rsrc', u'virtual_size': u'0x0003dfa8'}

entropy

7.81334287169

description

A section with a high entropy has been found

entropy

0.234737340274

description

Overall entropy of this PE file is high

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 8, 2024, 9:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 8, 2024, 9:38 a.m.	thread_identifier: 2644 thread_handle: 0x0000013c process_identifier: 2640 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\igccu.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000140	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 called NtSetContextThread to modify thread in remote process 2640
NtSetContextThread July 8, 2024, 9:38 a.m.	registers.eip: 1995571652 registers.esp: 2095736 registers.edi: 0 registers.eax: 4321408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000013c process_identifier: 2640	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.AutoIt.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.TrojanAitInject.tc
ALYac	Trojan.Generic.36505469
Cylance	Unsafe
VIPRE	Trojan.Generic.36505469
Sangfor	Trojan.Win32.Strab.Vbdy
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.Generic.36505469
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.422842
Arcabit	Trojan.Generic.D22D077D
VirIT	Trojan.Win32.AutoIt_Heur.A
ESET-NOD32	a variant of Win32/Injector.Autoit.GDC
APEX	Malicious
McAfee	Artemis!7E65B6742284
Avast	Win32:Malware-gen
Kaspersky	Trojan-Spy.Win32.Noon.bhbp
Alibaba	TrojanSpy:Win32/Strab.9d295123
MicroWorld-eScan	Trojan.Generic.36505469
Rising	Trojan.Injector/Autoit!1.FD30 (CLASSIC)
Emsisoft	Trojan.Generic.36505469 (B)
F-Secure	Trojan.TR/AD.ShellcodeCrypter.paodo
DrWeb	Trojan.AutoIt.1410
McAfeeD	ti!7565E6753A23
FireEye	Generic.mg.7e65b6742284236f
Sophos	Troj/AutoIt-DGJ
Ikarus	Trojan.Autoit
Webroot	W32.Trojan.FL
Google	Detected
Avira	TR/AD.ShellcodeCrypter.paodo
MAX	malware (ai score=82)
Kingsoft	Win32.Trojan-Spy.Noon.bhbp
Gridinsoft	Ransom.Win32.Sabsik.sa
Xcitium	Malware@#2dr5ltk80w8zl
Microsoft	Trojan:Win32/Strab.GPCX!MTB
ZoneAlarm	Trojan-Spy.Win32.Noon.bhbp
GData	Trojan.Generic.36505469
Varist	W32/Autoit.G.gen!Eldorado
DeepInstinct	MALICIOUS
VBA32	Trojan-Downloader.Autoit.gen
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H01G524
Fortinet	AutoIt/Injector.AAD!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan:Win/Strab.GXI#3DGW

igccu.exe