darkcomet | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe

Modifies firewall policy service 2 TTPs 3 IoCs

Modify Registry

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1968	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

pid	Process
2040	attrib.exe
784	attrib.exe

Deletes itself 1 IoCs

pid	Process
1992	notepad.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1968	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeSecurityPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeTakeOwnershipPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeLoadDriverPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeSystemProfilePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeSystemtimePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeProfSingleProcessPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeIncBasePriorityPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeCreatePagefilePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeBackupPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeRestorePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeShutdownPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeDebugPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeSystemEnvironmentPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeChangeNotifyPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeRemoteShutdownPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeUndockPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeManageVolumePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeImpersonatePrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeCreateGlobalPrivilege	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: 33	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: 34	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: 35	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Token: SeIncreaseQuotaPrivilege	1968	msdcsc.exe
Token: SeSecurityPrivilege	1968	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1968	msdcsc.exe
Token: SeLoadDriverPrivilege	1968	msdcsc.exe
Token: SeSystemProfilePrivilege	1968	msdcsc.exe
Token: SeSystemtimePrivilege	1968	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1968	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1968	msdcsc.exe
Token: SeCreatePagefilePrivilege	1968	msdcsc.exe
Token: SeBackupPrivilege	1968	msdcsc.exe
Token: SeRestorePrivilege	1968	msdcsc.exe
Token: SeShutdownPrivilege	1968	msdcsc.exe
Token: SeDebugPrivilege	1968	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1968	msdcsc.exe
Token: SeChangeNotifyPrivilege	1968	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1968	msdcsc.exe
Token: SeUndockPrivilege	1968	msdcsc.exe
Token: SeManageVolumePrivilege	1968	msdcsc.exe
Token: SeImpersonatePrivilege	1968	msdcsc.exe
Token: SeCreateGlobalPrivilege	1968	msdcsc.exe
Token: 33	1968	msdcsc.exe
Token: 34	1968	msdcsc.exe
Token: 35	1968	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	msdcsc.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1204	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	26
PID 1424 wrote to memory of 1204	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	26
PID 1424 wrote to memory of 1204	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	26
PID 1424 wrote to memory of 1204	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	26
PID 1424 wrote to memory of 1344	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	28
PID 1424 wrote to memory of 1344	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	28
PID 1424 wrote to memory of 1344	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	28
PID 1424 wrote to memory of 1344	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	28
PID 1344 wrote to memory of 784	1344	cmd.exe	32
PID 1204 wrote to memory of 2040	1204	cmd.exe	31
PID 1344 wrote to memory of 784	1344	cmd.exe	32
PID 1344 wrote to memory of 784	1344	cmd.exe	32
PID 1204 wrote to memory of 2040	1204	cmd.exe	31
PID 1204 wrote to memory of 2040	1204	cmd.exe	31
PID 1344 wrote to memory of 784	1344	cmd.exe	32
PID 1204 wrote to memory of 2040	1204	cmd.exe	31
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1992	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	30
PID 1424 wrote to memory of 1968	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	33
PID 1424 wrote to memory of 1968	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	33
PID 1424 wrote to memory of 1968	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	33
PID 1424 wrote to memory of 1968	1424	5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe	33
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34
PID 1968 wrote to memory of 1664	1968	msdcsc.exe	34

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

pid	Process
2040	attrib.exe
784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
"C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:784
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:1992
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies firewall policy service
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry