Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 28, 2024, 11:06 a.m.	Oct. 28, 2024, 11:08 a.m.

Size	2.3MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`06efa98e5fee566bb1a9ef4b36abff34`
SHA256	`590218400886d51989625ecd9e1085a98cc41cee42748f2858faabbc006228e6`
CRC32	`A7ACB575`
ssdeep	`12288:vjSSHddEugzhS6fYpyX2vYqk+k8hqTzmB/nmhTEPQtZCzQG7GbRoLs3dorA4LrO1:7F9dEulQX2Q3g+GP+61ItrfKlOB`
Yara	hide_executable_file - Hide executable file

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\networks.ps1
1952

Name	Response	Post-Analysis Lookup
cat.dashabi.in		142.171.189.54
cat.xiaojiji.nl		142.171.224.194

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 28, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 28, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 56 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaojiji.nl' failed: The console_handle: 0x00000023	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: At line:5 char:25 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x00000047	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaojiji.nl:String) [T console_handle: 0x00000053	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: est-Connection], PingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaojiji.nl' failed: The console_handle: 0x00000097	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: At line:5 char:25 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaojiji.nl:String) [T console_handle: 0x00000027	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: est-Connection], PingException console_handle: 0x00000033	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000003f	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x0000004b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaojiji.nl' failed: The console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x00000077	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x00000083	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaojiji.nl:String) [T console_handle: 0x000000c3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: est-Connection], PingException console_handle: 0x000000cf	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x000000db	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x000000e7	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaojiji.nl' failed: The console_handle: 0x00000107	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x00000113	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x0000011f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x0000012b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaojiji.nl:String) [T console_handle: 0x00000137	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: est-Connection], PingException console_handle: 0x00000143	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000014f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x0000015b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x0000017b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x00000187	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x00000193	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x0000019f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.dashabi.in:String) [Te console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: st-Connection], PingException console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x000001ef	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x000001fb	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x00000207	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x00000213	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.dashabi.in:String) [Te console_handle: 0x0000021f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: st-Connection], PingException console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x00000237	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x00000243	1	1
WriteConsoleW Oct. 28, 2024, 11:08 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x00000263	1	1
WriteConsoleW Oct. 28, 2024, 11:08 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x0000026f	1	1

Uses Windows APIs to generate a cryptographic key (7 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e84f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 28, 2024, 11:06 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Executes one or more WMI queries (2 events)

wmi	Select * from Win32_PingStatus where ((Address='cat.dashabi.in') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_PingStatus where ((Address='cat.xiaojiji.nl') And TimeToLive=80 And BufferSize=32)

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

ClamAV	Win.Downloader.WannaMine-6442440-2
Sangfor	Trojan.Generic-PS.Save.9dd85128
TrendMicro-HouseCall	Coinminer.PS1.WANNAMINE.C
Kaspersky	HEUR:Trojan.PowerShell.Generic
TrendMicro	Coinminer.PS1.WANNAMINE.C
Microsoft	HackTool:Win32/Mikatz

networks.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All