Summary | ZeroBOX

temp.exe

UPX Malicious Library PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 30, 2024, 9:26 a.m. Sept. 30, 2024, 10:02 a.m.
Size 68.0KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 e5852100b1ecba5fce3684062e08ec7f
SHA256 66a52de66fee86d212ada38411fedd95b4eba6a3975f7a2ce5f8535ecfefacfb
CRC32 A411B6A4
ssdeep 1536:80UVLhHOnhCk96KN/ysvrS1MSNefO8DtVN:8DBC7hNasrS1MSNeftDt
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
sertificationgameconnect.xyz 91.92.244.222

IP Address Status Action
164.124.101.2 Active Moloch
91.92.244.222 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49195 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49200 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49188 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49191 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49192 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49199 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49196 -> 91.92.244.222:8443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.92.244.222:8443 -> 192.168.56.101:49165 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49182 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49174 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49190 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49194 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49170 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49178 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49202 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49186 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 91.92.244.222:8443 -> 192.168.56.101:49198 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed
exception.instruction: lodsb al, byte ptr [rsi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4f0030
registers.r14: 1453503984
registers.r15: 0
registers.rcx: 110
registers.rsi: 110
registers.r10: 0
registers.rbx: 5177849
registers.rsp: 37221896
registers.r11: 514
registers.r8: 8791739286068
registers.r9: 0
registers.rdx: 1994794592
registers.r12: 0
registers.rbp: 5177354
registers.rdi: 0
registers.rax: 0
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00000000004f0000
process_handle: 0xffffffffffffffff
1 0 0
Process injection Process 2548 manipulating memory of non-child process 2548
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00000000004f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0x0000000000000040
1 0 0
Process injection Process 2548 injected into non-child 2548
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer:
base_address: 0x00000000004f0000
process_identifier: 2548
process_handle: 0x0000000000000040
1 1 0
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Cynet Malicious (score: 99)
VIPRE Trojan.Generic.36830440
Sangfor Trojan.Win64.Inject.Vd6m
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Trojan.Generic.36830440
K7GW Trojan ( 005b27411 )
K7AntiVirus Trojan ( 005b27411 )
Arcabit Trojan.Generic.D231FCE8
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Inject.AQ
Avast Win64:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Trojan:Win64/Inject.e1523a48
MicroWorld-eScan Trojan.Generic.36830440
Rising Trojan.Inject!8.103 (CLOUD)
Emsisoft Trojan.Generic.36830440 (B)
F-Secure Trojan.TR/AD.MeterpreterSC.xmayo
TrendMicro Backdoor.Win64.COBEACON.YXEI2Z
McAfeeD ti!66A52DE66FEE
CTX exe.trojan.inject
Sophos Mal/Generic-S
FireEye Generic.mg.e5852100b1ecba5f
Google Detected
Avira TR/AD.MeterpreterSC.xmayo
Antiy-AVL Trojan/Win64.CobaltStrike
Kingsoft Win32.Trojan.Generic.a
Gridinsoft Trojan.Win64.CobaltStrike.tr
Microsoft Trojan:Win64/Meterpreter.E
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Backdoor.Rozena.YL5W41
McAfee Artemis!E5852100B1EC
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Ikarus Trojan.Win64.Inject
Panda Trj/Chgt.AD
TrendMicro-HouseCall Backdoor.Win64.COBEACON.YXEI2Z
Tencent Win32.Trojan.Generic.Sgil
huorong HVM:Trojan/Injector.cj
Fortinet W64/Inject.AQ!tr
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml
alibabacloud Trojan:Win/Inject.AR