Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2023, 6:03 p.m.	Oct. 20, 2023, 6:05 p.m.

Size	264.3KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`5a84bbec3102aac19960d5d6c55bc825`
SHA256	`28c24aa0f9bd0378917e3dc12c192c8d12f4db362c6007ae08e1bdaf86418912`
CRC32	`B94E9BCF`
ssdeep	`1536:lDjiGqQfLQuIMSR7e7MTQq1EocVqaIJvPMt6I20KbFh7c26P/b+efa9uQb2BNtxr:lgdVPBRVSwEKZ8Mgv`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pwng.ps1
1572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 106 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: Method invocation failed because [System.Collections.Generic.List`1[[System.Byt console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: e, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089] console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ]] doesn't contain a method named 'new'. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:60 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS = [System.Collections.Generic.List[Byte]]::new <<<< () console_handle: 0x00000053	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000077	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000097	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000000af	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000f3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000000ff	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000117	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000123	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000014f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x0000015b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x00000167	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000173	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x0000017f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000018b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000001db	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001e7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000207	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x00000213	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000021f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000237	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000243	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000263	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x0000026f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000027b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000287	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000293	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000029f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000002bf	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000002cb	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000002d7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000002e3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000002ef	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000002fb	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e882b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e882b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e882b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e882b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 6:03 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02469000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

pwng.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All