darkcomet | ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0

Processes:

YouTubeUrlDirector.exeYouTubeDirector2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\9epU0FMovytS\\svchost.exe"	YouTubeUrlDirector.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\9epU0FMovytS\\svchost.exe,C:\\Users\\Admin\\AppData\\Roaming\\APP\\svchosts.exe"	YouTubeDirector2.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

svchost.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

YouTubeDirector2.exeYouTubeUrlDirector.exesvchosts.exesvchost.exe

pid process

3500 YouTubeDirector2.exe
3580 YouTubeUrlDirector.exe
3420 svchosts.exe
2980 svchost.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
3500	YouTubeDirector2.exe
3580	YouTubeUrlDirector.exe
3420	svchosts.exe
2980	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YouTubeDirector2.exe	upx
C:\Users\Admin\AppData\Local\Temp\YouTubeDirector2.exe	upx
C:\Users\Admin\AppData\Roaming\APP\svchosts.exe	upx
C:\Users\Admin\AppData\Roaming\APP\svchosts.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exeYouTubeDirector2.exeYouTubeUrlDirector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	YouTubeDirector2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	YouTubeUrlDirector.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

YouTubeDirector2.exesvchost.exeiexplore.exeYouTubeUrlDirector.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEM = "C:\\Users\\Admin\\AppData\\Roaming\\APP\\svchosts.exe"	YouTubeDirector2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\9epU0FMovytS\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\9epU0FMovytS\\svchost.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\9epU0FMovytS\\svchost.exe"	YouTubeUrlDirector.exe

Drops file in System32 directory 4 IoCs

Processes:

YouTubeUrlDirector.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\9epU0FMovytS\	YouTubeUrlDirector.exe
File created	C:\Windows\SysWOW64\svchost.exe	YouTubeUrlDirector.exe
File created	C:\Windows\SysWOW64\9epU0FMovytS\svchost.exe	YouTubeUrlDirector.exe
File opened for modification	C:\Windows\SysWOW64\9epU0FMovytS\svchost.exe	YouTubeUrlDirector.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2980 set thread context of 1916 2980 svchost.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2980 set thread context of 1916	2980	svchost.exe	iexplore.exe

Modifies registry class 1 IoCs

Processes:

YouTubeUrlDirector.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	YouTubeUrlDirector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1916 iexplore.exe

pid	process
1916	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

YouTubeDirector2.exeYouTubeUrlDirector.exesvchosts.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3500	YouTubeDirector2.exe
Token: SeSecurityPrivilege	3500	YouTubeDirector2.exe
Token: SeTakeOwnershipPrivilege	3500	YouTubeDirector2.exe
Token: SeLoadDriverPrivilege	3500	YouTubeDirector2.exe
Token: SeSystemProfilePrivilege	3500	YouTubeDirector2.exe
Token: SeSystemtimePrivilege	3500	YouTubeDirector2.exe
Token: SeProfSingleProcessPrivilege	3500	YouTubeDirector2.exe
Token: SeIncBasePriorityPrivilege	3500	YouTubeDirector2.exe
Token: SeCreatePagefilePrivilege	3500	YouTubeDirector2.exe
Token: SeBackupPrivilege	3500	YouTubeDirector2.exe
Token: SeRestorePrivilege	3500	YouTubeDirector2.exe
Token: SeShutdownPrivilege	3500	YouTubeDirector2.exe
Token: SeDebugPrivilege	3500	YouTubeDirector2.exe
Token: SeSystemEnvironmentPrivilege	3500	YouTubeDirector2.exe
Token: SeChangeNotifyPrivilege	3500	YouTubeDirector2.exe
Token: SeRemoteShutdownPrivilege	3500	YouTubeDirector2.exe
Token: SeUndockPrivilege	3500	YouTubeDirector2.exe
Token: SeManageVolumePrivilege	3500	YouTubeDirector2.exe
Token: SeImpersonatePrivilege	3500	YouTubeDirector2.exe
Token: SeCreateGlobalPrivilege	3500	YouTubeDirector2.exe
Token: 33	3500	YouTubeDirector2.exe
Token: 34	3500	YouTubeDirector2.exe
Token: 35	3500	YouTubeDirector2.exe
Token: 36	3500	YouTubeDirector2.exe
Token: SeIncreaseQuotaPrivilege	3580	YouTubeUrlDirector.exe
Token: SeSecurityPrivilege	3580	YouTubeUrlDirector.exe
Token: SeTakeOwnershipPrivilege	3580	YouTubeUrlDirector.exe
Token: SeLoadDriverPrivilege	3580	YouTubeUrlDirector.exe
Token: SeSystemProfilePrivilege	3580	YouTubeUrlDirector.exe
Token: SeSystemtimePrivilege	3580	YouTubeUrlDirector.exe
Token: SeProfSingleProcessPrivilege	3580	YouTubeUrlDirector.exe
Token: SeIncBasePriorityPrivilege	3580	YouTubeUrlDirector.exe
Token: SeCreatePagefilePrivilege	3580	YouTubeUrlDirector.exe
Token: SeBackupPrivilege	3580	YouTubeUrlDirector.exe
Token: SeRestorePrivilege	3580	YouTubeUrlDirector.exe
Token: SeShutdownPrivilege	3580	YouTubeUrlDirector.exe
Token: SeDebugPrivilege	3580	YouTubeUrlDirector.exe
Token: SeSystemEnvironmentPrivilege	3580	YouTubeUrlDirector.exe
Token: SeChangeNotifyPrivilege	3580	YouTubeUrlDirector.exe
Token: SeRemoteShutdownPrivilege	3580	YouTubeUrlDirector.exe
Token: SeUndockPrivilege	3580	YouTubeUrlDirector.exe
Token: SeManageVolumePrivilege	3580	YouTubeUrlDirector.exe
Token: SeImpersonatePrivilege	3580	YouTubeUrlDirector.exe
Token: SeCreateGlobalPrivilege	3580	YouTubeUrlDirector.exe
Token: 33	3580	YouTubeUrlDirector.exe
Token: 34	3580	YouTubeUrlDirector.exe
Token: 35	3580	YouTubeUrlDirector.exe
Token: 36	3580	YouTubeUrlDirector.exe
Token: SeIncreaseQuotaPrivilege	3420	svchosts.exe
Token: SeSecurityPrivilege	3420	svchosts.exe
Token: SeTakeOwnershipPrivilege	3420	svchosts.exe
Token: SeLoadDriverPrivilege	3420	svchosts.exe
Token: SeSystemProfilePrivilege	3420	svchosts.exe
Token: SeSystemtimePrivilege	3420	svchosts.exe
Token: SeProfSingleProcessPrivilege	3420	svchosts.exe
Token: SeIncBasePriorityPrivilege	3420	svchosts.exe
Token: SeCreatePagefilePrivilege	3420	svchosts.exe
Token: SeBackupPrivilege	3420	svchosts.exe
Token: SeRestorePrivilege	3420	svchosts.exe
Token: SeShutdownPrivilege	3420	svchosts.exe
Token: SeDebugPrivilege	3420	svchosts.exe
Token: SeSystemEnvironmentPrivilege	3420	svchosts.exe
Token: SeChangeNotifyPrivilege	3420	svchosts.exe
Token: SeRemoteShutdownPrivilege	3420	svchosts.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchosts.exeiexplore.exe

pid process

3420 svchosts.exe
1916 iexplore.exe

pid	process
3420	svchosts.exe
1916	iexplore.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exeYouTubeDirector2.exeYouTubeUrlDirector.execmd.execmd.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 4372 wrote to memory of 3500	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeDirector2.exe
PID 4372 wrote to memory of 3500	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeDirector2.exe
PID 4372 wrote to memory of 3500	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeDirector2.exe
PID 4372 wrote to memory of 3580	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeUrlDirector.exe
PID 4372 wrote to memory of 3580	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeUrlDirector.exe
PID 4372 wrote to memory of 3580	4372	ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe	YouTubeUrlDirector.exe
PID 3500 wrote to memory of 3420	3500	YouTubeDirector2.exe	svchosts.exe
PID 3500 wrote to memory of 3420	3500	YouTubeDirector2.exe	svchosts.exe
PID 3500 wrote to memory of 3420	3500	YouTubeDirector2.exe	svchosts.exe
PID 3580 wrote to memory of 4400	3580	YouTubeUrlDirector.exe	cmd.exe
PID 3580 wrote to memory of 4400	3580	YouTubeUrlDirector.exe	cmd.exe
PID 3580 wrote to memory of 4400	3580	YouTubeUrlDirector.exe	cmd.exe
PID 3580 wrote to memory of 1300	3580	YouTubeUrlDirector.exe	cmd.exe
PID 3580 wrote to memory of 1300	3580	YouTubeUrlDirector.exe	cmd.exe
PID 3580 wrote to memory of 1300	3580	YouTubeUrlDirector.exe	cmd.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	attrib.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	attrib.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	attrib.exe
PID 1300 wrote to memory of 4768	1300	cmd.exe	attrib.exe
PID 1300 wrote to memory of 4768	1300	cmd.exe	attrib.exe
PID 1300 wrote to memory of 4768	1300	cmd.exe	attrib.exe
PID 3580 wrote to memory of 2980	3580	YouTubeUrlDirector.exe	svchost.exe
PID 3580 wrote to memory of 2980	3580	YouTubeUrlDirector.exe	svchost.exe
PID 3580 wrote to memory of 2980	3580	YouTubeUrlDirector.exe	svchost.exe
PID 2980 wrote to memory of 1916	2980	svchost.exe	iexplore.exe
PID 2980 wrote to memory of 1916	2980	svchost.exe	iexplore.exe
PID 2980 wrote to memory of 1916	2980	svchost.exe	iexplore.exe
PID 2980 wrote to memory of 1916	2980	svchost.exe	iexplore.exe
PID 2980 wrote to memory of 1916	2980	svchost.exe	iexplore.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe
PID 1916 wrote to memory of 4052	1916	iexplore.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

404 attrib.exe
4768 attrib.exe

pid	process
404	attrib.exe
4768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe
"C:\Users\Admin\AppData\Local\Temp\ed2538ba3fdaff85cbb11894c32ec8e1d46049c89b44f9cb823d383c79df54b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\YouTubeDirector2.exe
"C:\Users\Admin\AppData\Local\Temp\YouTubeDirector2.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Roaming\APP\svchosts.exe
"C:\Users\Admin\AppData\Roaming\APP\svchosts.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Users\Admin\AppData\Local\Temp\YouTubeUrlDirector.exe
"C:\Users\Admin\AppData\Local\Temp\YouTubeUrlDirector.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\YouTubeUrlDirector.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\YouTubeUrlDirector.exe" +s +h
4⤵
- Views/modifies file attributes
PID:404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:4768

C:\Windows\SysWOW64\9epU0FMovytS\svchost.exe
"C:\Windows\system32\9epU0FMovytS\svchost.exe"
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery