Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 17, 2024, 10:13 p.m.	Aug. 17, 2024, 10:27 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ff83471ce09ebbe0da07d3001644b23c`
SHA256	`9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba`
CRC32	`3BA86D43`
ssdeep	`24576:nK7tMGUfQtpOdk3xWBq0qWH6JubmMTzfZwLDC4pZylqUAc2:JQ7AkiqQaJjMHWvlpOqUt2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

NorthSperm.exe "C:\Users\test22\AppData\Local\Temp\NorthSperm.exe"
2056
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
  2148
  - tasklist.exe tasklist
    2256
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2292
  - tasklist.exe tasklist
    2404
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2440
  - cmd.exe cmd /c md 719580
    2512
  - findstr.exe findstr /V "copehebrewinquireinnocent" Corpus
    2560
  - cmd.exe cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
    2604
  - Optimum.pif Optimum.pif f
    2648
  - choice.exe choice /d y /t 5
    2732

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0

Command line console output was observed (50 out of 1253 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Yrs=Z console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: gndNPine console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Urw Url Dk Appearance Exception Creating Latter console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'gndNPine' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: sDBMDear console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Forecasts Ss Tv Transport Bangladesh Genetics console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'sDBMDear' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: EhojDefend console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Kit Discounted console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'EhojDefend' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: dxTvs console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Judges Examine Transparent Investments Male Doctrine Treasury console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'dxTvs' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: uKxISymantec console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Locale Idea console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'uKxISymantec' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Mail=O console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: vSaJShow console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'vSaJShow' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: YqBelt console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Derek Celebrities Strips Seller Republicans Antarctica console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'YqBelt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: nzPbInvestigations console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Med Ribbon Monday Alive Fox Washington Smooth console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'nzPbInvestigations' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: VKvrOttawa console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Shown console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'VKvrOttawa' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: BfVAmd console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: Inquiries Difficulty console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'BfVAmd' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: numAAffiliation console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: 'numAAffiliation' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 17, 2024, 10:13 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:13 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\719580\Optimum.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\719580\Optimum.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\719580\Optimum.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 17, 2024, 10:13 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Surrey Surrey.cmd && Surrey.cmd && exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 17, 2024, 10:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 17, 2024, 10:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

tasklist

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2148 resumed a thread in remote process 2648
NtResumeThread Aug. 17, 2024, 10:13 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2648	1	0	0

NorthSperm.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All