Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.06 06:07
build.exe
07.06 06:07
CoronaVirus.exe
07.06 06:07
RedLineStealer.exe
07.06 06:07
stealc_zov.exe
07.06 06:07
newbuild.exe
07.06 06:07
setup.exe
07.06 06:07
leva.exe
07.06 06:07
CryptoWall.exe
07.06 06:07
univ.exe
07.06 06:07
inte.exe

Latest News
07.07 12:07
USENIX Security ’23 – ...
07.06 10:07
Researchers Discover C...
07.06 10:07
New Mallox Ransomware ...
07.06 09:07
[한 주를 관통하는 보안 소식] 2024...
07.06 09:07
[퀴즈 이·보·소] 최근 벌어진 국내외 ...
07.06 08:07
김포시, 70만 김포시대 대비해 최첨단 ...
07.06 08:07
식약처, ‘체외진단의료기기 품질관리 및 ...
07.06 08:07
코레일, 정보보호의 날 맞아 ‘사이버 안...
07.06 08:07
소프트웨어 가치 보장, 발주자가 앞장선다
07.06 08:07
‘AI 과학기술 강군 육성’을 위한 발돋...

Summary | ZeroBOX

tes.ps1

Generic Malware Antivirus

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 14, 2024, 5:47 p.m.	June 14, 2024, 5:49 p.m.

Size	3.0KB
Type	ASCII text
MD5	`bfb1332339eda5252ef18e4a877bccba`
SHA256	`411a909fc55acca2da7ebc8b653121416b3adf58d155dca37afeae808ccf9750`
CRC32	`CDFECDEF`
ssdeep	`48:3Vd2WKmlhrMYy3CQAcFCbpNzNqiPjdF40/8PF36QC8IkBtUezw:lfTI3CQAgCbQ2jTeeuBtUOw`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\tes.ps1
2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Uses Windows APIs to generate a cryptographic key (2 events)

Time & API	Arguments	Status	Return	Repeated
CryptExportKey June 14, 2024, 5:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055c16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey June 14, 2024, 5:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055c16f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 14, 2024, 5:47 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 14, 2024, 5:47 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 14, 2024, 5:47 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 14, 2024, 5:47 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 14, 2024, 5:47 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0