Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 25, 2024, 10:33 a.m.	Sept. 25, 2024, 10:57 a.m.

Size	31.0KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`e9dc029457e9d23c8db988c4c0585bfa`
SHA256	`18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db`
CRC32	`64A9C020`
ssdeep	`192:+np66k5gQDVAU3l6+eKdv3Zn4TJrJfsQ5XfDcyLwaBg1+Cfs2LzwYDK7UlVSq7j4:GO/5AwJtZ4RFskLt`
PDB Path	C:\Users\admin\Desktop\Project\reverse_tcp_c\reverse\x64\Release\reverse.pdb
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Golove.exe "C:\Users\test22\AppData\Local\Temp\Golove.exe"
2552
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
124.221.70.199	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Users\admin\Desktop\Project\reverse_tcp_c\reverse\x64\Release\reverse.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 25, 2024, 10:26 a.m.	stacktrace: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x76cba404 0x456022e 0x7fffff81250 0x68ef398 0x68ef3d0 0x456022e 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 0x9a8 exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65 exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 exception.instruction: push rsp exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 697348 exception.address: 0x76cba404 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 72745007 registers.r10: 72745518 registers.rbx: 72745006 registers.rsp: 110033032 registers.r11: 514 registers.r8: 110031768 registers.r9: 110031824 registers.rdx: 8796092502608 registers.r12: 110033456 registers.rbp: 72745018 registers.rdi: 2472 registers.rax: 1993057284 registers.r13: 110033464	1	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (25 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: services.exe process_identifier: 444	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Sept. 25, 2024, 10:26 a.m.	snapshot_handle: 0x0000000000000030 process_name: explorer.exe process_identifier: 1452	1	1

Communicates with host for which no DNS query was performed (1 event)

host

124.221.70.199

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 25, 2024, 10:26 a.m.	process_identifier: 1452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	1	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 created a remote thread in non-child process 1452
CreateRemoteThread Sept. 25, 2024, 10:26 a.m.	thread_identifier: 0 process_identifier: 1452 function_address: 0x0000000004560000 flags: 0 stack_size: 0 parameter: 0x0000000000000000 process_handle: 0x0000000000000030	1	52	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 manipulating memory of non-child process 1452
NtAllocateVirtualMemory Sept. 25, 2024, 10:26 a.m.	process_identifier: 1452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	1	0	0

Network communications indicative of possible code injection originated from the process explorer.exe (10 events)

Time & API	Arguments	Return
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1
connect Sept. 25, 2024, 10:26 a.m.	ip_address: 124.221.70.199 socket: 2472 port: 8983	-1

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 injected into non-child 1452
WriteProcessMemory Sept. 25, 2024, 10:26 a.m.	buffer: ë'[S_°£ü®uýWYS^0HÿÇHÿÆf?Èít>£uêëæÿáèÔÿÿÿ£ï[÷ãûßRBRCA["ÁBEv[As[A[A3[aC[¤YY^"Ú["Ó¿/ro?3RÒÚRÒñþARB[A3Q/[Ãuka[Ógt[ÃWS3CZÃ[ðE[ìÚ^"ÚR'[Å["Ó¿RÒÚRÒ+ófâ__7V*ÂfËKWS7ZÃuR[WSZÃR[ÃRKRKMJIRKRJRI[ÿ3RAìóKRJI[úXìììNZd`!L !REZõ[ÿ³ZöZ¯0oÎUÔRGZ÷_âR©_d5ìÆ_ù{JR©:xìÆyRMCC^"Ú^"Ó[ìÓ[Ñ[ìÓ[ÒR©ùÌóìÆ[ÔyRK_ñ[êR©¶grìÆÓgZìÝföû[ÿ[ñ^"ÚyRK[êR©ÊÛLìÆëmF[×3MåySRJ{RK[á["ÚR©K·@öìÆ[ÐZÔ^"ÚZã[É[êR©ÊÛLìÆën;KRDJ{SRKyIR©<#ìÆDJR©f}^rìÆZìÝú/ììì[Ð[:Õ[åf§RìôKyJZÔÑã¦±EìÆÈí base_address: 0x0000000004560000 process_identifier: 1452 process_handle: 0x0000000000000030	1	1	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Marte.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win64.Injector.nt
ALYac	Generic.Shellcode.Ode.Marte.C.789C8C32
Cylance	Unsafe
VIPRE	Generic.Shellcode.Ode.Marte.C.789C8C32
Sangfor	Trojan.Win32.Meterpreter.V9iu
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.Shellcode.Ode.Marte.C.789C8C32
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Arcabit	Generic.Shellcode.Ode.Marte.C.789C8C32
Symantec	Meterpreter
Elastic	malicious (high confidence)
Avast	Win32:MsfEncode-D [Hack]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Trojan:Win64/Meterpreter.633a601d
MicroWorld-eScan	Generic.Shellcode.Ode.Marte.C.789C8C32
Rising	Trojan.Kryptik@AI.94 (RDML:hdWqJjnPkCvDw69O3Bq+WA)
Emsisoft	Generic.Shellcode.Ode.Marte.C.789C8C32 (B)
F-Secure	Trojan.TR/Swrort.amdjm
Zillya	Trojan.Generic.Win32.1863877
TrendMicro	TROJ_GEN.R002C0DIE24
McAfeeD	ti!18BA6CD59749
CTX	exe.trojan.meterpreter
Sophos	ATK/Meter-Z
FireEye	Generic.Shellcode.Ode.Marte.C.789C8C32
Webroot	W32.Trojan.TR.Swrort.amdjm
Google	Detected
Avira	TR/Swrort.amdjm
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Trojan.Generic.a
Microsoft	Trojan:Win64/Meterpreter.E
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Generic.Shellcode.Ode.Marte.C.789C8C32
McAfee	Artemis!E9DC029457E9
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.Win64.Meterpreter
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DIE24
Tencent	Malware.Win32.Gencirc.14136010
huorong	Trojan/Rozena.j
Fortinet	W32/PossibleThreat
AVG	Win32:MsfEncode-D [Hack]
Paloalto	generic.ml

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49162
dead_host	124.221.70.199:8983

Golove.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All