Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2024, 10:03 a.m.	May 31, 2024, 10:08 a.m.

Size	3.5KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`01afbe1110a8dc2eb754291bd28685a5`
SHA256	`69058a18a6e55e1eeb90dcde70d6525c0e746d6e70f8856e5d08c24d8f45ac80`
CRC32	`5A4F044F`
ssdeep	`96:9gixvvOmxSMJSbsoWrC0lyl10lyzy0lk0lB:NvOFMJeSDzSLn`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\reverse_http.ps1
1508
- dw20.exe dw20.exe -x -s 980
  2172

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 10:02 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2024, 10:02 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 31, 2024, 10:02 a.m.	stacktrace: exception.instruction_r: 6e 65 74 00 41 56 48 89 e1 49 c7 c2 4c 77 26 07 exception.instruction: outsb dx, byte ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x54900e1 registers.esp: 102627836 registers.edi: 0 registers.eax: 1971270582 registers.ebp: 88670218 registers.edx: 88670208 registers.ebx: 0 registers.esi: 1768843639 registers.ecx: 4294967295	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05256000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05490000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

dw20.exe -x -s 980

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Script.Rozena.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	BAT.Powershell.5044
Skyhigh	BehavesLike.PS.Dropper.zn
ALYac	Generic.PwShell.Rozena.3.A5B0FBB0
VIPRE	Generic.PwShell.Rozena.3.A5B0FBB0
Sangfor	Malware.Generic-PS.Save.d41b8e2c
Arcabit	Generic.PwShell.Rozena.3.A5B0FBB0
Symantec	ISB.Downloader!gen185
ESET-NOD32	PowerShell/Kryptik.Z
McAfee	PS/Dropper.b
Avast	PwrSh:PowerSploit-D [Trj]
ClamAV	Win.Trojan.CobaltStrike-7917400-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Generic.PwShell.Rozena.3.A5B0FBB0
MicroWorld-eScan	Generic.PwShell.Rozena.3.A5B0FBB0
Rising	Trojan.Rozena!8.6D (TOPIS:E0:5gmxX3fyCOD)
Emsisoft	Generic.PwShell.Rozena.3.A5B0FBB0 (B)
F-Secure	Trojan.TR/PowerShell.Gen
DrWeb	PowerShell.DownLoader.1984
FireEye	Generic.PwShell.Rozena.3.A5B0FBB0
Sophos	ATK/Tlaboc-A
Ikarus	Trojan.PowerShell.Crypt
Google	Detected
Avira	TR/PowerShell.Gen
Kingsoft	Win32.Troj.Undef.a
Microsoft	TrojanDropper:PowerShell/Ploty.C
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Generic.PwShell.Rozena.3.A5B0FBB0
Varist	PSH/Rozena.A.gen!Camelot
Tencent	Win32.Trojan.Generic.Vgil
MAX	malware (ai score=80)
AVG	PwrSh:PowerSploit-D [Trj]
alibabacloud	Backdoor

reverse_http.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All