Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 11, 2024, 5:45 p.m.	July 11, 2024, 5:48 p.m.

Size	711.8KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`ed5c34496df2011a496b53abc7034a0d`
SHA256	`1d1126c994761ec652e9b49a7c028545dc3d381cc49163ab45cece7be31ea793`
CRC32	`68E8D26A`
ssdeep	`3072:m9KqylccWmDwZmT8VjG3/Dyqr4cwt9aU0ruzjzuJmmwc0/Kz0o+i/6n/cGyjBhKh:z+26xhfptqUk84LnO5mH9OdHUb3ngoI`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\reg.jpg.vbs.ps1
3024

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 65 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Task not found. Creating task... console_handle: 0x0000001f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Name : MicrosoftEdgeUpdateTask console_handle: 0x0000002f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Path : \MicrosoftEdgeUpdateTask console_handle: 0x00000033	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: State : 3 console_handle: 0x00000037	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Enabled : True console_handle: 0x0000003b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000003f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: LastTaskResult : 1 console_handle: 0x00000043	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x00000047	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: NextRunTime : 2024-07-11 오후 6:47:57 console_handle: 0x0000004b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Definition : System.__ComObject console_handle: 0x0000004f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x00000053	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x00000057	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x0000005b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RegistrationInfo> console_handle: 0x0000005f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x00000063	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: n> console_handle: 0x00000067	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </RegistrationInfo> console_handle: 0x0000006b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Triggers> console_handle: 0x0000006f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <TimeTrigger> console_handle: 0x00000073	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Repetition> console_handle: 0x00000077	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x0000007b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x0000007f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </Repetition> console_handle: 0x00000083	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StartBoundary>2024-07-11T18:45:57</StartBoundary> console_handle: 0x00000087	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x0000008b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </TimeTrigger> console_handle: 0x0000008f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </Triggers> console_handle: 0x00000093	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Settings> console_handle: 0x00000097	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x0000009b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: olicy> console_handle: 0x0000009f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x000000a3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: tteries> console_handle: 0x000000a7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x000000ab	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x000000af	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x000000b3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x000000b7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: lable> console_handle: 0x000000bb	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <IdleSettings> console_handle: 0x000000bf	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x000000c3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <WaitTimeout>PT1H</WaitTimeout> console_handle: 0x000000c7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopOnIdleEnd>true</StopOnIdleEnd> console_handle: 0x000000cb	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RestartOnIdle>false</RestartOnIdle> console_handle: 0x000000cf	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </IdleSettings> console_handle: 0x000000d3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <AllowStartOnDemand>true</AllowStartOnDemand> console_handle: 0x000000d7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000db	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Hidden>false</Hidden> console_handle: 0x000000df	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RunOnlyIfIdle>false</RunOnlyIfIdle> console_handle: 0x000000e3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <WakeToRun>false</WakeToRun> console_handle: 0x000000e7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> console_handle: 0x000000eb	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Priority>7</Priority> console_handle: 0x000000ef	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0500cd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0500cd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0500cd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0500cd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 11, 2024, 5:45 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0226b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0227f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02209000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x076e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06343000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06344000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat
file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs
file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RunScheduledTask

reg_value

powershell.exe -ExecutionPolicy Bypass -File "System.Management.Automation.InvocationInfo.MyCommand.Path"

Stores PowerShell commands in the registry likely for persistence (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW July 11, 2024, 5:45 p.m.	key_handle: 0x00000394 regkey_r: RunScheduledTask reg_type: 1 (REG_SZ) value: powershell.exe -ExecutionPolicy Bypass -File "System.Management.Automation.InvocationInfo.MyCommand.Path" regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RunScheduledTask	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Script.Generic.4!c
ALYac	Trojan.GenericKD.73270264
VIPRE	Trojan.GenericKD.73270264
Arcabit	Trojan.Generic.D45E03F8
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Generik.DCMMTQW
TrendMicro-HouseCall	Backdoor.PS1.ASYNCRAT.YXEFXZ
Avast	Script:SNH-gen [Trj]
BitDefender	Trojan.GenericKD.73270264
MicroWorld-eScan	Trojan.GenericKD.73270264
Rising	Trojan.Undefined!8.1327C (TOPIS:E0:fPZYvCxD07)
Emsisoft	Trojan.GenericKD.73270264 (B)
TrendMicro	Backdoor.PS1.ASYNCRAT.YXEFXZ
FireEye	Trojan.GenericKD.73270264
Ikarus	Trojan-Dropper.PowerShell.Agent
Google	Detected
Microsoft	Trojan:Win32/Casdet!rfn
GData	Trojan.GenericKD.73270264
Varist	ABTrojan.QPYO-
MAX	malware (ai score=88)
AVG	Script:SNH-gen [Trj]
alibabacloud	Trojan:Unknow/Casdet.Gen

reg.jpg.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All