popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

kk.ps1

Antivirus Anti_VM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 11, 2021, 10:12 a.m. Aug. 11, 2021, 10:16 a.m.
Size 967.2KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 076e5f15c5204b3e7b9feb23dc00d237
SHA256 48b410c1ae8d81a4f0052c8f6cc9cce0ec8464d51053bcfb74e4787845780ee4
CRC32 04D1F570
ssdeep 12288:eCdDq44pzvIB4NB40m9lnn/BWY/k6vMXkIUaoYuwYp89JgxDUTVkc5Ao:84W340glnn/BWYcw8HTTTmro
Yara
  • anti_vm_detect - Possibly employs anti-virtualization techniques

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Unexpected token '(' in expression or statement.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\kk.ps1:27 char:77
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: + [Reflection.Assembly]::Load($H5).$SRDTFYUGIOHJOOHUGYFUTDYRDYTUGIOHJPIUGYUFT(
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: <<<< $RCTHVYJUKILRGCTHVYJBKUNXGRCHTVYJGKHUIL).$STRDYUFGIHIGFDRYTFYGUIHIGUFTYTFU
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: YGU($RTDYUFGIOHIJOFUDSESTRDYFUYGIUHOIU5Y4TE5Y6RUT7I).$RDTFYGUHKILJOIUGYFTDRDYTF
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: YGUH($null,[object[]] ($RGHTFJYGKUYJTHRGERHT,$H6))
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: ecordException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : UnexpectedToken
console_handle: 0x00000083
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0051faa8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0051faa8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0048ab18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0048ab18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x075e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07700000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07701000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07702000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07703000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07704000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07705000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07706000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07707000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0770b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02009000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Arcabit Trojan.PWS.Agent.SVM
Symantec SMG.Heur!gen
Avast Script:SNH-gen [Trj]
Kaspersky Trojan.PowerShell.Agent.mv
BitDefender Trojan.PWS.Agent.SVM
MicroWorld-eScan Trojan.PWS.Agent.SVM
Ad-Aware Trojan.PWS.Agent.SVM
DrWeb PowerShell.MulDrop.122
FireEye Trojan.PWS.Agent.SVM
Emsisoft Trojan.PWS.Agent.SVM (B)
Jiangmin Trojan.PowerShell.Agent.k
MAX malware (ai score=80)
ZoneAlarm Trojan.PowerShell.Agent.mv
GData Trojan.PWS.Agent.SVM
ALYac Trojan.PWS.Agent.SVM
AVG Script:SNH-gen [Trj]