Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 28, 2024, 11:06 a.m.	Oct. 28, 2024, 11:08 a.m.

Size	2.4MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`786b4f205c7fa681893586fdad7252a6`
SHA256	`99ddc0c50b140f2ca608125dd7208838564a2ed060156f2dbc89c5bc2e64cdf6`
CRC32	`51AC3497`
ssdeep	`12288:vjSSHddEugzhS6fYpyX2vYqk+k8hqTzmB/nmhTEPQtZCzQG7GbRoLs3dorA4LrO8:7F9dEulQX2Q3g+GP+61ItrfKlO4`
Yara	hide_executable_file - Hide executable file

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\networks.ps1
2556

Name	Response	Post-Analysis Lookup
cat.dashabi.in		142.171.189.54
cat.xiaoshabi.nl		114.44.86.11

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 28, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 28, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 56 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaoshabi.nl' failed: The console_handle: 0x00000023	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: At line:5 char:25 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x00000047	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaoshabi.nl:String) [ console_handle: 0x00000053	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: Test-Connection], PingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 28, 2024, 11:06 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaoshabi.nl' failed: The console_handle: 0x00000097	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaoshabi.nl:String) [ console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection], PingException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x000000df	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaoshabi.nl' failed: The console_handle: 0x00000023	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x00000047	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaoshabi.nl:String) [ console_handle: 0x00000053	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection], PingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.xiaoshabi.nl' failed: The console_handle: 0x00000023	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: requested name is valid, but no data of the requested type was found console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x00000047	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.xiaoshabi.nl:String) [ console_handle: 0x00000053	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection], PingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x00000097	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.dashabi.in:String) [Te console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: st-Connection], PingException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x000000df	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x00000117	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: At line:5 char:25 console_handle: 0x00000123	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + $pin=test-connection <<<< $t console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + CategoryInfo : ResourceUnavailable: (cat.dashabi.in:String) [Te console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: st-Connection], PingException console_handle: 0x00000147	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Com console_handle: 0x00000153	1	1
WriteConsoleW Oct. 28, 2024, 11:07 a.m.	buffer: mands.TestConnectionCommand console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 28, 2024, 11:08 a.m.	buffer: Test-Connection : Testing connection to computer 'cat.dashabi.in' failed: The r console_handle: 0x0000017f	1	1
WriteConsoleW Oct. 28, 2024, 11:08 a.m.	buffer: equested name is valid, but no data of the requested type was found console_handle: 0x0000018b	1	1

Uses Windows APIs to generate a cryptographic key (7 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 28, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b8658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 28, 2024, 11:06 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02801000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02803000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02804000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02805000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 28, 2024, 11:06 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Executes one or more WMI queries (2 events)

wmi	Select * from Win32_PingStatus where ((Address='cat.dashabi.in') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_PingStatus where ((Address='cat.xiaoshabi.nl') And TimeToLive=80 And BufferSize=32)

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Script.Mimikatz.4!c
ALYac	Application.HackTool.Mimikatz.AG
VIPRE	Application.HackTool.Mimikatz.AG
Arcabit	Application.HackTool.Mimikatz.AG
Symantec	Infostealer!im
ESET-NOD32	a variant of Win64/Riskware.Mimikatz.A
TrendMicro-HouseCall	Trojan.PS1.WEMAEYE.AB
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Application.HackTool.Mimikatz.AG
MicroWorld-eScan	Application.HackTool.Mimikatz.AG
Emsisoft	Application.HackTool.Mimikatz.AG (B)
TrendMicro	Trojan.PS1.WEMAEYE.AB
FireEye	Application.HackTool.Mimikatz.AG
Ikarus	Trojan.PowerShell.Wemaeye
Google	Detected
Kingsoft	Script.Ks.Malware.9344
Microsoft	Trojan:PowerShell/Wemaeye.D
GData	Application.HackTool.Mimikatz.AG
Varist	ABRisk.GSEY-3
Tencent	Win32.Trojan.Generic.Jkjl
MAX	malware (ai score=77)
alibabacloud	HackTool:Win/mimikatz.A

networks.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All