Analysis Overview
SHA256
62ea8ac2927d5de142414964ba812d8fbd18b890569f39d2ed9ef79a538eac49
Threat Level: Known bad
The file PisiValo.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Downloads MZ/PE file
Sets service image path in registry
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 11:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 11:21
Reported
2024-05-30 11:24
Platform
win10-20240404-en
Max time kernel
73s
Max time network
80s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3384 created 2496 | N/A | C:\Windows\SysWOW64\notepad.exe | c:\windows\system32\sihost.exe |
Downloads MZ/PE file
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DarDNKyIcBsewK\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DarDNKyIcBsewK" | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\temp89103.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Windows\SysWOW64\Temp423810.bat | C:\Windows\SysWOW64\notepad.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SoftwareDistribution\Download\vac.sys | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\drvloader.exe | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| c:\windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\PisiValo.exe | "C:\Users\Admin\AppData\Local\Temp\PisiValo.exe" |
| C:\Windows\SysWOW64\notepad.exe | "C:\Windows\SysWOW64\notepad.exe" |
| C:\Windows\SysWOW64\notepad.exe | "C:\Windows\SysWOW64\notepad.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp321340.bat" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command " $action = New-ScheduledTaskAction -Execute 'C:\Windows\SysWOW64\temp89103.vbs'; $trigger = New-ScheduledTaskTrigger -AtLogOn; $principal = New-ScheduledTaskPrincipal -UserId 'Admin' -LogonType Interactive -RunLevel Highest; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; $task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings; Register-ScheduledTask -TaskName 'PrintCleanUpper' -InputObject $task -Force;" |
| C:\Windows\SoftwareDistribution\Download\drvloader.exe | "C:\Windows\SoftwareDistribution\Download\drvloader.exe" C:\Windows\SoftwareDistribution\Download\vac.sys |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color e |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color c |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 912 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 904 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color c |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 147.78.103.70:80 | 147.78.103.70 | tcp |
| US | 8.8.8.8:53 | z-kasino.com | udp |
| NL | 147.78.103.70:80 | z-kasino.com | tcp |
| US | 8.8.8.8:53 | 70.103.78.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\temp321340.bat
| MD5 | b44256f47d786b6add91128beb31d766 |
| SHA1 | 5ca8e5bc6d0a82fdff3ff8e8c74dc8112fd13fd3 |
| SHA256 | ad97cc4569146bf5216cdb35b528f4519a1376e3c81e155064543faf2805ebd7 |
| SHA512 | e80abf537923d6025b986f27b756d6b6429cf00a7cdc5bf8096eeb468dafa84f4e34c6bf2ac88f96259745b76832fc15d59c1cdf7c0393558adeeefac94dfd05 |
C:\Windows\SoftwareDistribution\Download\drvloader.exe
| MD5 | 34cfbe3ff70461820ccc31a1afeec0b3 |
| SHA1 | 5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9 |
| SHA256 | 6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df |
| SHA512 | 1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbdygojg.xor.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |