Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 25, 2024, 6:42 p.m.	Aug. 25, 2024, 6:59 p.m.

Size	929.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`377dcc031a12d3c0189afe684e4ad41e`
SHA256	`464e16f6d92d3c9eddeef69f7b1416fefb97817732155fe3549f37986d26fc44`
CRC32	`A3A19676`
ssdeep	`24576:DzZFjuoNQGf5CIEAi0TWYNXi+dvD/ReHBDW/R:DTCs3fti05JR9K4`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66ca20a26df75_PastaCache.exe#inst "C:\Users\test22\AppData\Local\Temp\66ca20a26df75_PastaCache.exe#inst"
1880
- cmd.exe "C:\Windows\System32\cmd.exe" /k move Kitchen Kitchen.bat & Kitchen.bat & exit
  2072
  - findstr.exe findstr /I "wrsa.exe opssvc.exe"
    2212
  - tasklist.exe tasklist
    2176
  - tasklist.exe tasklist
    2328
  - findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    2364
  - cmd.exe cmd /c md 104992
    2440
  - findstr.exe findstr /V "TIGERDENSITYCLAIREADDITIONAL" Vincent
    2484
  - cmd.exe cmd /c copy /b ..\Guild + ..\Reset + ..\Tasks + ..\Gordon + ..\Depends + ..\Tolerance I
    2528
  - Direct.pif Direct.pif I
    2572
  - choice.exe choice /d y /t 5
    2700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0

Command line console output was observed (50 out of 1056 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Collaboration=5 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: ekYOrganized console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Till Rainbow console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'ekYOrganized' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: ltWChallenged console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'ltWChallenged' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: ZDlVisitors console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Hybrid Enclosed Encounter Tommy Effectiveness Obligation console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'ZDlVisitors' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: uFiDome console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Privilege Interfaces Cl Ns Expanded console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'uFiDome' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: IUVOAnna console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Brush Bool Allows console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'IUVOAnna' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: ybFiling console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Laughing Courage Albania Decent Religion console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'ybFiling' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: JHSafely console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Briefing console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'JHSafely' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Dublin=n console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: jGZSQuilt console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Main Sum Arrived Peter Vs console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'jGZSQuilt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: PpDescribes console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Admitted Christian Moderator Dozens Rolled console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'PpDescribes' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: vWTClouds console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'vWTClouds' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: JuArtists console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: Infrastructure Enables Sum Guatemala Conscious console_handle: 0x00000007	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: 'JuArtists' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 25, 2024, 6:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2024, 6:42 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\104992\Direct.pif

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k move Kitchen Kitchen.bat & Kitchen.bat & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\104992\Direct.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\104992\Direct.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 25, 2024, 6:42 p.m.	show_type: 0 filepath_r: cmd parameters: /k move Kitchen Kitchen.bat & Kitchen.bat & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 25, 2024, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 25, 2024, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	"C:\Windows\System32\cmd.exe" /k move Kitchen Kitchen.bat & Kitchen.bat & exit
cmdline	cmd /k move Kitchen Kitchen.bat & Kitchen.bat & exit

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
McAfee	Artemis!377DCC031A12
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfeeD	ti!464E16F6D92D
Webroot	W32.Trojan.Gen
Kingsoft	Win32.Trojan.Autoit.gen
Gridinsoft	Spy.Win32.Vidar.tr
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEHYZ
huorong	Trojan/Runner.ba
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2072 resumed a thread in remote process 2572
NtResumeThread Aug. 25, 2024, 6:42 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2572	1	0	0

66ca20a26df75_PastaCache.exe#inst

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All