Summary | ZeroBOX

payload_x86.ps1

Analysis
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 24, 2024, 6:55 p.m.
Completed: Aug. 24, 2024, 7:13 p.m.

File
Size: 3.5KB
Type: ASCII text, with very long lines
MD5: 194d1495881b3eb9703f20e7d48eaefd
SHA256: 440483f6bcb2ff8dca2d44e715f72db314056ad7e90ccb48135ad5c9a8c0f578
CRC32: 143187BF
ssdeep: 96:lg5SvvvOmVeLU16pgtar9jN1v0lgMk0lobXl:OIvOPLU16p8GyZZ6l
Yara: None matched

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address Status
104.248.229.104 Active
83.229.120.79 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API Calls

API Arguments Status Return Repeated
GlobalMemoryStatusEx (none logged) 1 1 0
API Arguments Status Return Repeated

NtAllocateVirtualMemory (17 calls)

All 17 calls share these arguments: process_identifier 2552, process_handle 0xffffffff (the NtCurrentProcess pseudo-handle, so the PowerShell process is allocating in its own address space rather than injecting into another process), region_size 4096, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0. Each returned Status 1 (success), Return 0 (STATUS_SUCCESS), Repeated 0. They differ only in base address, allocation type and the sandbox's heap_dep_bypass flag:

base_address allocation_type heap_dep_bypass
0x0269b000 4096 (MEM_COMMIT) 1
0x026ef000 4096 (MEM_COMMIT) 1
0x02679000 4096 (MEM_COMMIT) 1
0x060f0000 4096 (MEM_COMMIT) 1
0x060f1000 4096 (MEM_COMMIT) 1
0x060f2000 4096 (MEM_COMMIT) 1
0x060f3000 4096 (MEM_COMMIT) 1
0x060f4000 4096 (MEM_COMMIT) 1
0x060f5000 4096 (MEM_COMMIT) 1
0x060f6000 4096 (MEM_COMMIT) 1
0x0267d000 4096 (MEM_COMMIT) 1
0x060f7000 4096 (MEM_COMMIT) 1
0x05576000 4096 (MEM_COMMIT) 1
0x060f8000 4096 (MEM_COMMIT) 1
0x05561000 4096 (MEM_COMMIT) 1
0x0267a000 4096 (MEM_COMMIT) 1
0x06110000 12288 (MEM_COMMIT|MEM_RESERVE) 0

Every one of these pages is writable and executable, the W+X condition that hooking sandboxes single out. The sixteen MEM_COMMIT-only calls each commit one page (the logged base_address is the address the kernel returned), nine of them contiguous at 0x060f0000 through 0x060f8000. The final call reserves and commits a new 4 KiB RWX region at 0x06110000 in a single step, which is what a VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) call issued from script produces.
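As an added triage example (editor's code, not part of the ZeroBOX report or its signatures): the seventeen NtAllocateVirtualMemory records above, transcribed into Python in the report's own field names, run through a small heuristic that keeps only writable+executable allocations, separates self-process from remote-process allocations by the 0xffffffff handle, merges adjacent single-page commits into regions, and singles out the one MEM_RESERVE|MEM_COMMIT call as a freshly created buffer. The ranking rules and the comparison to a PowerShell shellcode runner's VirtualAlloc call are the editor's assumptions; the report itself only lists the calls.

```python
"""Triage of sandbox NtAllocateVirtualMemory records for W+X allocations.

The records are transcribed from the ZeroBOX report above (PID 2552, handle
0xffffffff). Field names follow the Cuckoo/ZeroBOX behaviour-log layout; the
heuristics are the editor's own, not ZeroBOX signatures.
"""
from __future__ import annotations

from typing import Iterable

PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
NT_CURRENT_PROCESS = 0xFFFFFFFF  # (HANDLE)-1 on a 32-bit process
PAGE = 0x1000


def record(base: int, alloc_type: int, heap_dep_bypass: int) -> dict:
    """One NtAllocateVirtualMemory record in the report's field layout."""
    return {
        "api": "NtAllocateVirtualMemory",
        "process_identifier": 2552,
        "process_handle": NT_CURRENT_PROCESS,
        "base_address": base,
        "region_size": PAGE,
        "protection": PAGE_EXECUTE_READWRITE,
        "allocation_type": alloc_type,
        "heap_dep_bypass": heap_dep_bypass,
        "stack_dep_bypass": 0,
        "stack_pivoted": 0,
    }


# Transcribed from the report: sixteen single-page MEM_COMMIT calls, then one
# MEM_COMMIT|MEM_RESERVE call, all PAGE_EXECUTE_READWRITE in PID 2552.
REPORT_CALLS = [
    record(b, MEM_COMMIT, 1)
    for b in (
        0x0269B000, 0x026EF000, 0x02679000, 0x060F0000, 0x060F1000, 0x060F2000,
        0x060F3000, 0x060F4000, 0x060F5000, 0x060F6000, 0x0267D000, 0x060F7000,
        0x05576000, 0x060F8000, 0x05561000, 0x0267A000,
    )
] + [record(0x06110000, MEM_COMMIT | MEM_RESERVE, 0)]


def is_writable_executable(protection: int) -> bool:
    """True for the two W+X page protections (the sandbox logs the raw PAGE_* value)."""
    return protection in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def contiguous_regions(calls: Iterable[dict]) -> list[tuple[int, int]]:
    """Merge page-sized allocations that touch by address into (base, size) runs.

    Nine adjacent RWX pages committed one at a time are one region to an analyst,
    not nine independent events; sorting by address makes the run visible even
    though the calls were interleaved in time.
    """
    spans = sorted((c["base_address"], c["base_address"] + c["region_size"]) for c in calls)
    merged: list[list[int]] = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(s, e - s) for s, e in merged]


def triage(calls: Iterable[dict]) -> dict:
    """Summarise RWX allocations the way an analyst reads this report."""
    rwx = [c for c in calls
           if c["api"] == "NtAllocateVirtualMemory" and is_writable_executable(c["protection"])]
    self_proc = [c for c in rwx if c["process_handle"] == NT_CURRENT_PROCESS]
    # RESERVE|COMMIT with an executable protection creates a brand-new region; this is
    # the shape of VirtualAlloc(NULL, len, 0x3000, 0x40) in a script shellcode runner
    # (editor's assumption about what the call pattern usually means).
    fresh = [c["base_address"] for c in rwx if c["allocation_type"] & MEM_RESERVE]
    regions = contiguous_regions(rwx)
    return {
        "rwx_calls": len(rwx),
        "self_process_calls": len(self_proc),
        "remote_process_calls": len(rwx) - len(self_proc),
        "heap_dep_bypass_flagged": sum(c["heap_dep_bypass"] for c in rwx),
        "fresh_rwx_regions": fresh,
        "regions": regions,
        "largest_region": max(regions, key=lambda r: r[1], default=None),
    }


if __name__ == "__main__":
    summary = triage(REPORT_CALLS)
    for base, size in summary["regions"]:
        print(f"0x{base:08x} {size:6d} bytes ({size // PAGE} page(s))")
    print("fresh RESERVE|COMMIT RWX regions:", [hex(b) for b in summary["fresh_rwx_regions"]])
```

Run against the report's records it reports 17 W+X allocations, all in the caller's own process, collapsing into eight regions, the largest being the 36 KiB run at 0x060f0000; the single fresh region at 0x06110000 is the one worth dumping first when the sandbox memory snapshot is available.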

Hosts
host 104.248.229.104
host 83.229.120.79

Antivirus
Engine Detection
Lionic Trojan.Script.Rozena.4!c
ClamAV Win.Trojan.CobaltStrike-7917400-0
CAT-QuickHeal Script.Trojan.Script.42926
Skyhigh BehavesLike.PS.Dropper.zn
ALYac Trojan.GenericKD.61412212
VIPRE Trojan.GenericKD.61412212
Sangfor Malware.Generic-PS.Save.d41b8e2c
Arcabit Trojan.Generic.D3A91374
Symantec Backdoor.Cobalt
ESET-NOD32 Win32/Rozena.ACE
McAfee PS/Rozena.b
Avast PwrSh:Dropper-F [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.Script.Generic
BitDefender Trojan.GenericKD.61412212
NANO-Antivirus Trojan.Script.Rozena.haktke
MicroWorld-eScan Trojan.GenericKD.61412212
Rising Trojan.Injector/PS!1.D1D5 (CLASSIC)
Emsisoft Trojan.GenericKD.61412212 (B)
F-Secure Trojan.TR/Coblat.G1
DrWeb PowerShell.Inject.60
TrendMicro Trojan.PS1.COBEACON.SMYXAK-B
FireEye Trojan.GenericKD.61412212
Sophos ATK/Tlaboc-A
Ikarus Trojan.PS.Agent
Google Detected
Avira TR/Coblat.G1
MAX malware (ai score=87)
Kingsoft Script.Trojan.Generic.a
Gridinsoft Trojan.U.Gen.tr
Microsoft TrojanDropper:PowerShell/Cobacis.B
ZoneAlarm HEUR:Trojan.Script.Generic
GData Trojan.GenericKD.61412212
Varist PSH/Agent.BO
AhnLab-V3 Trojan/PowerShell.CobaltStrike.S1463
Tencent Unk.Win32.Script.404610
huorong Trojan/PS.Rozena.b
AVG PwrSh:Dropper-F [Trj]
alibabacloud Trojan[dropper]:Win/Rozena.AWM

Dead hosts (connection attempts that received no reply during the run)
dead_host 192.168.56.101:49164
dead_host 83.229.120.79:9991