Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 18-09-2022 15:53
Behavioral task: behavioral1
- Sample: screen.exe
- Resource: win7-20220901-en
General
- Target: screen.exe
- Size: 658KB
- MD5: 0e9b4f38f1c0f6a615e01bdb13a76baf
- SHA1: aff3f945c11837cfa8ba4da23057a86204e8932d
- SHA256: 04789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b
- SHA512: 11cfd1987d51e641917ccdc67255606e8185c2582ce07e4cc8eef520bb8c2e48bc73e8edd9b740c72cd22c28a3486908a15e6b64e0ff97957bff5839e11e12ca
- SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h4:KZ1xuVVjfFoynPaVBUR8f+kN10EB6
Malware Config
Extracted family: darkcomet
- Campaign ID: Guest16
- C2: sussysdfffdfff343.duckdns.org:1604
- Mutex: DC_MUTEX-V4RZ15F
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 2Z95GCg0bJk8
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (screen.exe)

Modifies firewall policy service (2 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)

Modifies security service (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)

Windows security bypass
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)

Executes dropped EXE (1 IoC)
- PID 1500 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 544 attrib.exe
- PID 520 attrib.exe

Loads dropped DLL (2 IoCs)
- PID 960 screen.exe
- PID 960 screen.exe

Windows security modification
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (screen.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1500 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
PID 960 screen.exe and PID 1500 msdcsc.exe each adjusted the same 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1500 msdcsc.exe

Suspicious use of WriteProcessMemory (51 IoCs)
Each row records the writing PID, the target PID, the writing process and procid_target; identical rows are collapsed with a count.
- PID 960 screen.exe wrote to memory of PID 1868 (procid_target 27), 4 times
- PID 960 screen.exe wrote to memory of PID 1760 (procid_target 28), 4 times
- PID 1760 cmd.exe wrote to memory of PID 544 (procid_target 31), 4 times
- PID 1868 cmd.exe wrote to memory of PID 520 (procid_target 32), 4 times
- PID 960 screen.exe wrote to memory of PID 1500 (procid_target 33), 4 times
- PID 1500 msdcsc.exe wrote to memory of PID 1788 (procid_target 34), 4 times
- PID 1500 msdcsc.exe wrote to memory of PID 1148 (procid_target 35), 4 times
- PID 1500 msdcsc.exe wrote to memory of PID 1836 (procid_target 36), 23 times

Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 544 attrib.exe
- PID 520 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\screen.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\screen.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1868)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\screen.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 520)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\screen.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1760)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 544)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1500)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1788)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - C:\Windows\explorer.exe (PID 1148)
      Command line: "C:\Windows\explorer.exe"
    - C:\Windows\SysWOW64\notepad.exe (PID 1836)
      Command line: notepad
Downloads
- Filesize: 658KB
  MD5: 0e9b4f38f1c0f6a615e01bdb13a76baf
  SHA1: aff3f945c11837cfa8ba4da23057a86204e8932d
  SHA256: 04789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b
  SHA512: 11cfd1987d51e641917ccdc67255606e8185c2582ce07e4cc8eef520bb8c2e48bc73e8edd9b740c72cd22c28a3486908a15e6b64e0ff97957bff5839e11e12ca