Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 20, 2023, 6:04 p.m.	Oct. 20, 2023, 6:06 p.m.

Size	316.3KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`4264a92eea89c33e2f1727db5afca11d`
SHA256	`77d86d6048db2ceb3f322ac8463111035043ab08e8f7c53c7fee8825403fb2e3`
CRC32	`DB7979FD`
ssdeep	`6144:GbOHBHc6l2PhGx2WyA+P00/QkkilGw3ykMW8V:FHZTyW`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pwng.ps1
3036

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
107.167.110.211	Active	Moloch
185.82.216.96	Active	Moloch
164.124.101.2	Active	Moloch
193.42.33.7	Active	Moloch
45.15.156.229	Active	Moloch
85.143.220.63	Active	Moloch
85.217.144.143	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 106 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: Method invocation failed because [System.Collections.Generic.List`1[[System.Byt console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: e, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089] console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ]] doesn't contain a method named 'new'. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:60 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS = [System.Collections.Generic.List[Byte]]::new <<<< () console_handle: 0x00000053	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000077	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000097	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000000af	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000f3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000000ff	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000117	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000123	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000014f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x0000015b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x00000167	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000173	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x0000017f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000018b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000001db	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001e7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000207	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x00000213	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000021f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000237	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000243	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000263	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x0000026f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x0000027b	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000287	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x00000293	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000029f	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000002bf	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:6 char:21 console_handle: 0x000002cb	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + $EdiiitS.Add <<<< ([Convert]::ToByte($Ediiit.Substring($i, 8), 2)) console_handle: 0x000002d7	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000002e3	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: ion console_handle: 0x000002ef	1	1
WriteConsoleW Oct. 20, 2023, 6:03 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000002fb	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x051214a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x051214a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x051214a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 6:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x051214a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 6:03 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x088f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02609000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 6:03 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (6 events)

host	107.167.110.211
host	185.82.216.96
host	193.42.33.7
host	45.15.156.229
host	85.143.220.63
host	85.217.144.143

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

107.167.110.211:443

pwng.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All