Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 11, 2024, 5:44 p.m.	Sept. 11, 2024, 5:47 p.m.

Size	1.8MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`c96ca6878a5c726ddf6a75c35a1d84f4`
SHA256	`614cf92bd6065a7605f8015c6694e8de8bd45e2e7805d2d153bb08d6bc90817c`
CRC32	`A86C1C01`
ssdeep	`24576:OEAK/u4v5LPuJkXlKetJiJFhwIAX5Rc5LsmkMXY6Mj6ZifQdyGVzF9iAwVKRxS:v`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (43 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Method invocation failed because [System.Byte[]] doesn't contain a method named console_handle: 0x00000023	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1:4 char:22 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + $data = [byte[]]::new <<<< ($encodedData.Length / 2) console_handle: 0x00000047	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x00000053	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ion console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Cannot convert argument "0", with value: "CommonDocuments", for "GetFolderPath" console_handle: 0x0000008b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: to type "System.Environment+SpecialFolder": "Cannot convert value "CommonDocum console_handle: 0x00000097	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ents" to type "System.Environment+SpecialFolder" due to invalid enumeration val console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ues. Specify one of the following enumeration values and try again. The possibl console_handle: 0x000000af	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: e enumeration values are "Desktop, Programs, Personal, MyDocuments, Favorites, console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Startup, Recent, SendTo, StartMenu, MyMusic, DesktopDirectory, MyComputer, Temp console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: lates, ApplicationData, LocalApplicationData, InternetCache, Cookies, History, console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: CommonApplicationData, System, ProgramFiles, MyPictures, CommonProgramFiles"." console_handle: 0x000000df	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1:9 char:73 console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + $mp3Path = [System.IO.Path]::Combine([System.Environment]::GetFolderPath <<<< console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ('CommonDocuments'), 'RfQK.mp3') console_handle: 0x00000103	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x0000013b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Parameter name: bytes" console_handle: 0x00000147	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1:10 char:32 console_handle: 0x00000153	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + [System.IO.File]::WriteAllBytes <<<< ($mp3Path, $data) console_handle: 0x0000015f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000016b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000177	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Rename-Item : Cannot bind argument to parameter 'Path' because it is null. console_handle: 0x00000197	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1:13 char:18 console_handle: 0x000001a3	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + Rename-Item -Path <<<< $mp3Path -NewName $exePath console_handle: 0x000001af	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + CategoryInfo : InvalidData: (:) [Rename-Item], ParameterBinding console_handle: 0x000001bb	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ValidationException console_handle: 0x000001c7	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M console_handle: 0x000001d3	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: icrosoft.PowerShell.Commands.RenameItemCommand console_handle: 0x000001df	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Start-Process : Cannot validate argument on parameter 'ArgumentList'. The argum console_handle: 0x000001ff	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ent is null or empty. Supply an argument that is not null or empty and then try console_handle: 0x0000020b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: the command again. console_handle: 0x00000217	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\jIML.txt.ps1:15 char:52 console_handle: 0x00000223	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + Start-Process -FilePath 'conhost.exe' -ArgumentList <<<< $exePath -NoNewWind console_handle: 0x0000022f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ow console_handle: 0x0000023b	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + CategoryInfo : InvalidData: (:) [Start-Process], ParameterBindi console_handle: 0x00000247	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: ngValidationException console_handle: 0x00000253	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Power console_handle: 0x0000025f	1	1
WriteConsoleW Sept. 11, 2024, 5:44 p.m.	buffer: Shell.Commands.StartProcessCommand console_handle: 0x0000026b	1	1

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 11, 2024, 5:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04feb898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 11, 2024, 5:44 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06470000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2024, 5:44 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

ALYac	Trojan.PowerShell.Agent
VIPRE	Trojan.GenericKD.74069599
Arcabit	Trojan.Generic.D46A365F
VirIT	Trojan.PS.Agent.DBN
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	PowerShell/TrojanDropper.Agent.AKT
BitDefender	Trojan.GenericKD.74069599
MicroWorld-eScan	Trojan.GenericKD.74069599
Emsisoft	Trojan.GenericKD.74069599 (B)
FireEye	Trojan.GenericKD.74069599
Ikarus	Trojan.Script
Google	Detected
MAX	malware (ai score=80)
Microsoft	Trojan:Script/Phonzy.B!ml
GData	Trojan.GenericKD.74069599
alibabacloud	Trojan[dropper]:Win/Agent.AHB

jIML.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All