popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

igccu.exe

Process Kill Suspicious_Script_Bin Generic Malware UPX FindFirstVolume Malicious Library CryptGenKey PE File Device_File_Check OS Processor Check PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 8, 2024, 9:38 a.m. July 8, 2024, 9:41 a.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c3ebea7cd7e96887d0fffff22bf00101
SHA256 b0e6a88e88c1285509436037b3a3f41f4736460bdd64db7086e032fa2cee4832
CRC32 06FDB942
ssdeep 24576:iAHnh+eWsN3skA4RV1Hom2KXMmHa64SEp5qxKux7C1LMfGJ5:lh+ZkldoPK8Ya6FS5XuUhMfk
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • PE_Header_Zero - PE File Signature
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • CryptGenKey_Zero - CryptGenKey Zero
  • IsPE32 - (no description)
  • Device_Check_Zero - Device Check Zero
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
request POST http://www.haimai.site/icf0/
request GET http://www.haimai.site/icf0/?Xp3xoqu0=U4JeMG3qb5QJeBzWswvZRpXbdUbus2JptZtYRCnPoVuWQN8AMfSV/KSC/xeCxJC/O44U6AJahBfYedKb0boAnF2JoNLnI8yTZ7fVdLrvsXMgQtoLZXOjy9i/SxhsIguY533/7XI=&3C=-W0nH4abwqVx6Z
request GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
request POST http://www.ssicma.org/qxr1/
request GET http://www.ssicma.org/qxr1/?Xp3xoqu0=2m4sk20gG7hdiEEZPbwTHBPhtGachfxfUQkVGf1jp+PhCTwkzgTQmGXQy0a1TEtXBjpQyKYGB70SN5YHZcubEUeNS431TYCqoE6spLmJedjPDy0EPuJ9tZ8AUv34yB9u8tQMDRY=&3C=-W0nH4abwqVx6Z
request POST http://www.freel2charger.com/a4ue/
request GET http://www.freel2charger.com/a4ue/?Xp3xoqu0=3Vd/jhwRuTdOxuTB8JI5nOWg/apgnlL07zqrrDtNySlQNx92si9z0GTEyKNUovs2vFDx3z0WHuC5qtQtmV1Z+JPFOszkR7570ju18v427TjxuMC6Q9FdcnyuD0lX4EuWURba81w=&3C=-W0nH4abwqVx6Z
request POST http://www.theweekendcreator.com/awb5/
request GET http://www.theweekendcreator.com/awb5/?Xp3xoqu0=q3JBavBuYNoAFHwauSUUJN+keHbDXRNO3B64FYkHj+ESHjf6uMe8Ml18n4dPe7A7aU95Qh4NdpEzKf8PQGGhOsCO//xwyGdpY4pSV5d1JaOmNNNmKMZpMyvkuOK0EM5V1PaCanQ=&3C=-W0nH4abwqVx6Z
request POST http://www.j1k.tech/ggih/
request GET http://www.j1k.tech/ggih/?Xp3xoqu0=i8yzt6XI/zjj0EvWzDpVtZBP16SoDk4AakjQiSQahgkkQjG9W6bktvv9lCGUtqBrNJmyocQc6INn5KIHl6b9E9My6YsY/pwJyHRA4RGjG4LpDxC6HG5D7wyJQEAKu8/ahrYwvcM=&3C=-W0nH4abwqVx6Z
request POST http://www.valerieomage.com/szs0/
request GET http://www.valerieomage.com/szs0/?Xp3xoqu0=nINTDym7Q9j+BCpkuujjwjGAmK2M3l6Ta6JnU7my4W3+ygqCWIWSYrKZWHtet07iDDp0UTeAPatxkU+Y4s9MpkgkU/s8fphY9KdqoJ4yoDvxJ+HW3rS0xLPCSn9cTKONJWJmDmU=&3C=-W0nH4abwqVx6Z
request POST http://www.wwfglobal.com/m95o/
request GET http://www.wwfglobal.com/m95o/?Xp3xoqu0=loIQP3UiqoDjBFJmw0L2TRhB20kRG2X9tn2fHKVmv6zwqnZvk5N84SggBG/BgRcfHRNHZvwpARRf777bnidZ37SD7iT6sqAUnBDtKNk/rHev/lWeFvdkUpIQjUOAVmPnkAOAZpw=&3C=-W0nH4abwqVx6Z
request POST http://www.haimai.site/icf0/
request POST http://www.ssicma.org/qxr1/
request POST http://www.freel2charger.com/a4ue/
request POST http://www.theweekendcreator.com/awb5/
request POST http://www.j1k.tech/ggih/
request POST http://www.valerieomage.com/szs0/
request POST http://www.wwfglobal.com/m95o/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1020
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2160
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2160
region_size: 122880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2208
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02060000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description ktmutil.exe tried to sleep 166 seconds, actually delayed analysis time by 166 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
section {u'size_of_data': u'0x00056200', u'virtual_address': u'0x000c8000', u'entropy': 7.884764537908257, u'name': u'.rsrc', u'virtual_size': u'0x00056030'} entropy 7.88476453791 description A section with a high entropy has been found
entropy 0.298785776236 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2164
thread_handle: 0x00000134
process_identifier: 2160
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\igccu.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000138
1 1 0
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file C:\Users\test22\AppData\Local\AVG\Browser\User Data
Process injection Process 2160 manipulating memory of non-child process 1888
Time & API Arguments Status Return Repeated

NtMapViewOfSection

 section_handle: 0x0000004c
process_identifier: 1888
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x03b50000
allocation_type: 0 ()
section_offset: 0
view_size: 9736192
process_handle: 0x00000050
1 0 0
Process injection Process 1020 called NtSetContextThread to modify thread in remote process 2160
Process injection Process 2160 called NtSetContextThread to modify thread in remote process 2208
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 784476
registers.edi: 0
registers.eax: 4199424
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000134
process_identifier: 2160
1 0 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 784444
registers.edi: 0
registers.eax: 1152624
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000064
process_identifier: 2208
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.AutoIt.l!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.AgentSM.S6640043
Skyhigh BehavesLike.Win32.TrojanAitInject.tc
ALYac Trojan.GenericKD.73349747
Cylance Unsafe
VIPRE Trojan.GenericKD.73349747
Sangfor Spyware.Win32.Autoit.Vugc
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Trojan.GenericKD.73349747
K7GW Riskware ( 00584baa1 )
Cybereason malicious.cd7e96
VirIT Trojan.Win32.AutoIt_Heur.A
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.Autoit.GCZ
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan-Spy.Win32.Noon.bhbh
Alibaba TrojanSpy:Win32/Strab.c1089e3f
MicroWorld-eScan Trojan.GenericKD.73349747
Rising Trojan.Injector/Autoit!1.FD30 (CLASSIC)
Emsisoft Trojan.GenericKD.73349747 (B)
F-Secure Trojan.TR/AD.ShellcodeCrypter.lqzgv
DrWeb Trojan.AutoIt.1410
TrendMicro Trojan.Win32.STRAB.VSNW03G24
McAfeeD ti!B0E6A88E88C1
FireEye Generic.mg.c3ebea7cd7e96887
Sophos Troj/AutoIt-DGJ
Ikarus Trojan.Autoit
Webroot W32.Trojan.GenKD
Google Detected
Avira TR/AD.ShellcodeCrypter.lqzgv
MAX malware (ai score=89)
Kingsoft Win32.Trojan-Spy.Noon.bhbh
Gridinsoft Trojan.Win32.Downloader.sa
Arcabit Trojan.Generic.D45F3A73
ZoneAlarm Trojan-Spy.Win32.Noon.bhbh
GData Trojan.GenericKD.73349747
Varist W32/Autoit.G.gen!Eldorado
AhnLab-V3 Trojan/Win.Injector.C5647480
DeepInstinct MALICIOUS
VBA32 Trojan-Downloader.Autoit.gen
Malwarebytes Backdoor.NetWiredRC.AutoIt.Generic
Panda Trj/CI.A
TrendMicro-HouseCall Trojan.Win32.STRAB.VSNW03G24
MaxSecure Trojan.Malware.300983.susgen
Fortinet AutoIt/Injector.AAD!tr
AVG Win32:Malware-gen