darkcomet | 5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\Windows Image Viewer.exe"	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Windows Image Viewer.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	Windows Image Viewer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Windows Image Viewer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Windows Image Viewer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Image Viewer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\Windows Image Viewer.exe"	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Windows Image Viewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Windows Image Viewer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Windows Image Viewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Windows Image Viewer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Windows Image Viewer.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeSecurityPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeTakeOwnershipPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeLoadDriverPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeSystemProfilePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeSystemtimePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeProfSingleProcessPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeIncBasePriorityPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeCreatePagefilePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeBackupPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeRestorePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeShutdownPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeDebugPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeSystemEnvironmentPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeChangeNotifyPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeRemoteShutdownPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeUndockPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeManageVolumePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeImpersonatePrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeCreateGlobalPrivilege	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: 33	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: 34	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: 35	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: 36	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
Token: SeIncreaseQuotaPrivilege	2296	Windows Image Viewer.exe
Token: SeSecurityPrivilege	2296	Windows Image Viewer.exe
Token: SeTakeOwnershipPrivilege	2296	Windows Image Viewer.exe
Token: SeLoadDriverPrivilege	2296	Windows Image Viewer.exe
Token: SeSystemProfilePrivilege	2296	Windows Image Viewer.exe
Token: SeSystemtimePrivilege	2296	Windows Image Viewer.exe
Token: SeProfSingleProcessPrivilege	2296	Windows Image Viewer.exe
Token: SeIncBasePriorityPrivilege	2296	Windows Image Viewer.exe
Token: SeCreatePagefilePrivilege	2296	Windows Image Viewer.exe
Token: SeBackupPrivilege	2296	Windows Image Viewer.exe
Token: SeRestorePrivilege	2296	Windows Image Viewer.exe
Token: SeShutdownPrivilege	2296	Windows Image Viewer.exe
Token: SeDebugPrivilege	2296	Windows Image Viewer.exe
Token: SeSystemEnvironmentPrivilege	2296	Windows Image Viewer.exe
Token: SeChangeNotifyPrivilege	2296	Windows Image Viewer.exe
Token: SeRemoteShutdownPrivilege	2296	Windows Image Viewer.exe
Token: SeUndockPrivilege	2296	Windows Image Viewer.exe
Token: SeManageVolumePrivilege	2296	Windows Image Viewer.exe
Token: SeImpersonatePrivilege	2296	Windows Image Viewer.exe
Token: SeCreateGlobalPrivilege	2296	Windows Image Viewer.exe
Token: 33	2296	Windows Image Viewer.exe
Token: 34	2296	Windows Image Viewer.exe
Token: 35	2296	Windows Image Viewer.exe
Token: 36	2296	Windows Image Viewer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	Windows Image Viewer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2296	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe	79
PID 704 wrote to memory of 2296	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe	79
PID 704 wrote to memory of 2296	704	5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe	79

C:\Users\Admin\AppData\Local\Temp\5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe
"C:\Users\Admin\AppData\Local\Temp\5f1dfda34adabcfc7b2bc44a252549175e50bde499b4d3e4024170df1d59b634.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\Windupdt\Windows Image Viewer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windupdt\Windows Image Viewer.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Windows security modification
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery