Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 31, 2023, 9:39 a.m.	Oct. 31, 2023, 9:41 a.m.

Size	2.0KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`528a5f5edfe25fd728b5ce082b107dca`
SHA256	`836bc51e695adffcfa55318d9eab391384c5a6eb83efbfcc951072cb96f12b88`
CRC32	`ECD216E9`
ssdeep	`48:zZ+onhYxPxRrlTXAw0JThCipAg6n0vfv1UnNzzMTPJ3:zZ+Ec5RNCL`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Dash.ps1
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 540 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: Get-Content : A parameter cannot be found that matches parameter name 'Raw'. console_handle: 0x00000023	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:18 char:59 console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $Jxxxe = (Get-Content -Path "C:\Users\Public\msg.txt" -Raw <<<< ) -replace "% console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ","0" -replace "!","1" -replace "@","A" console_handle: 0x00000047	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Get-Content], ParameterBin console_handle: 0x00000053	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: dingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ands.GetContentCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: Get-Content : A parameter cannot be found that matches parameter name 'Raw'. console_handle: 0x00000097	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:21 char:62 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $geGWHZ = (Get-Content -Path "C:\Users\Public\runpe.txt" -Raw <<<< ) -replace console_handle: 0x000000af	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: "%","0" -replace "!","1" -replace "@","A" console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Get-Content], ParameterBin console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: dingException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x000000df	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ands.GetContentCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: Method invocation failed because [System.Collections.Generic.List`1[[System.Byt console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: e, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089] console_handle: 0x00000117	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ]] doesn't contain a method named 'new'. console_handle: 0x00000123	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:2 char:55 console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $JS = [System.Collections.Generic.List[Byte]]::new <<<< () console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x00000147	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ion console_handle: 0x00000153	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000017f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:4 char:16 console_handle: 0x0000018b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000197	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000001a3	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ion console_handle: 0x000001af	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001bb	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000000f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:4 char:16 console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000033	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000043	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ion console_handle: 0x00000053	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:4 char:16 console_handle: 0x0000008b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000097	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ion console_handle: 0x000000af	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000db	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:4 char:16 console_handle: 0x000000e7	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x000000f3	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000ff	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: ion console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000117	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000137	1	1
WriteConsoleW Oct. 31, 2023, 9:39 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Dash.ps1:4 char:16 console_handle: 0x00000143	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2023, 9:39 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0225b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0226f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02239000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06421000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0642a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0643b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0643c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:40 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0643d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:40 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	PowerShell/Agent.BET
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen

Dash.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All