Analysis
- max time kernel: 152s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 02:10
Behavioral task: behavioral1
- Sample: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe
- Resource: win7-20220812-en
General
- Target: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe
- Size: 252KB
- MD5: b74660b4c8e47a8aa2bf2717055dd307
- SHA1: 5f4ff3f54ed0a69dad66c40886152d1a79b6e79d
- SHA256: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56
- SHA512: 8422288c834fb5374076b55141ec9ac15960b3ee2ba7a906f694929b0bed4dbd7ed43db5490c18a2de9588684d02af82cdeffef2c0f4754845e8b8d49e073cb3
- SSDEEP: 6144:8cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37VX:8cW7KEZlPzCy37B
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest15
- C2: kalitoor.ddns.net:2468, kalitoor.ddns.net:1357
- Mutex: X1K3LKA15CPC33
- Attributes:
  - InstallPath: WINDS\system.exe
  - gencode: z8g3vHLKaCla
  - install: true
  - offline_keylogger: true
  - persistence: false
  - reg_key: WindowsUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\WINDS\\system.exe" (process: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe)
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: system.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: system.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: system.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: iexplore.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: iexplore.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: iexplore.exe)
- Modifies security service (2 TTPs, 2 IoCs)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: system.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: iexplore.exe)
- Windows security bypass (4 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: system.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: system.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: iexplore.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: iexplore.exe)
- Disables RegEdit via registry modification (2 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: system.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: iexplore.exe)
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  - PID 1212: system.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  - PID 1104: attrib.exe
  - PID 1452: attrib.exe
- yara_rule: upx (6 resources)
  - behavioral1/files/0x000b000000012315-59.dat
  - behavioral1/files/0x000b000000012315-60.dat
  - behavioral1/files/0x000b000000012315-62.dat
  - behavioral1/files/0x000b000000012315-64.dat
  - behavioral1/memory/1212-65-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/940-68-0x0000000000400000-0x00000000004B7000-memory.dmp
- Loads dropped DLL (2 IoCs)
  - PID 940: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe
  - PID 940: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe
- Windows security modification (2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: system.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: system.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\WINDS\\system.exe" (process: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1212 (system.exe) set thread context of PID 1332 (procid_target 35)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 1332: iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - PID 940 (81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 1212 (system.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 1332 (iexplore.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1332: iexplore.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  - PID 940 (81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe) wrote to memory of PID 1232 (procid_target 28): 4 entries
  - PID 940 (81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe) wrote to memory of PID 1396 (procid_target 29): 4 entries
  - PID 1232 (cmd.exe) wrote to memory of PID 1104 (procid_target 32): 4 entries
  - PID 1396 (cmd.exe) wrote to memory of PID 1452 (procid_target 33): 4 entries
  - PID 940 (81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe) wrote to memory of PID 1212 (procid_target 34): 4 entries
  - PID 1212 (system.exe) wrote to memory of PID 1332 (procid_target 35): 6 entries
  - PID 1332 (iexplore.exe) wrote to memory of PID 440 (procid_target 36): 23 entries
- System policy modification (1 TTP, 3 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: system.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: system.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: system.exe)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  - PID 1104: attrib.exe
  - PID 1452: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe (PID 940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1232)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 1104)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1396)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 1452)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\ProgramData\Microsoft\Windows\Start Menu\WINDS\system.exe (PID 1212)
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\WINDS\system.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1332)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe (PID 440)
        Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 252KB
- MD5: b74660b4c8e47a8aa2bf2717055dd307
- SHA1: 5f4ff3f54ed0a69dad66c40886152d1a79b6e79d
- SHA256: 81a955c38b0a5d763002c59054844fcc30d61918259159991a6369ca9199fd56
- SHA512: 8422288c834fb5374076b55141ec9ac15960b3ee2ba7a906f694929b0bed4dbd7ed43db5490c18a2de9588684d02af82cdeffef2c0f4754845e8b8d49e073cb3