Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 15, 2023, 10:47 a.m.	Nov. 15, 2023, 10:50 a.m.

Size	318.1KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`a882757ac81f77747ab828a4b3e25e34`
SHA256	`20121e76573710d33504c11c06c2c338322bdc1781f662244d391c02c34f6a37`
CRC32	`1B34BCC7`
ssdeep	`3072:r9Eq9nWnB2PhGx2WyA+P00/QkkilGeANm7LEFkMW84:pEqy2PhGx2WyA+P00/QkkilGw3ykMW84`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pwng.ps1
2572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 510 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: Method invocation failed because [System.Collections.Generic.List`1[[System.Byt console_handle: 0x0000001f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: e, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089] console_handle: 0x0000002b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ]] doesn't contain a method named 'new'. console_handle: 0x00000037	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:2 char:59 console_handle: 0x00000043	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS = [System.Collections.Generic.List[Byte]]::new <<<< () console_handle: 0x0000004f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000005b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x00000067	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000073	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000093	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x0000009f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x000000ab	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000b7	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x000000c3	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000cf	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000ef	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x000000fb	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000107	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000113	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x0000011f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000012b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000014b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x00000157	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000163	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x0000016f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x0000017b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000187	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001a7	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x000001b3	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x000001bf	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000001cb	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x000001d7	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001e3	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000203	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x0000020f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x0000021b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000227	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x00000233	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000023f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000025f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x0000026b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000277	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000283	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x0000028f	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000029b	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000002bb	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pwng.ps1:4 char:20 console_handle: 0x000002c7	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + $JxxxeS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x000002d3	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000002df	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: ion console_handle: 0x000002eb	1	1
WriteConsoleW Nov. 15, 2023, 10:48 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000002f7	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 15, 2023, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05ff0c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 15, 2023, 10:47 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 15, 2023, 10:47 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:47 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x073a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2023, 10:48 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Symantec	Backdoor.ASync!gm
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
Google	Detected
Ikarus	Trojan.MSIL.Agent
AVG	Script:SNH-gen [Trj]

pwng.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All