darkcomet | ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Adobe\\services.exe"	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	services.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	services.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	services.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	services.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

services.exeservices.exeservices.exe

pid process

784 services.exe
764 services.exe
2044 services.exe

pid	process
784	services.exe
764	services.exe
2044	services.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	services.exe

Loads dropped DLL 2 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

pid	process
2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	services.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Adobe\\services.exe"	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
File opened for modification	\??\PhysicalDrive0	services.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exe

description	pid	process	target process
PID 1412 set thread context of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 set thread context of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 784 set thread context of 764	784	services.exe	services.exe
PID 764 set thread context of 2044	764	services.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	services.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

2044 services.exe

pid	process
2044	services.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSecurityPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeTakeOwnershipPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeLoadDriverPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemProfilePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemtimePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeProfSingleProcessPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeIncBasePriorityPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeCreatePagefilePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeBackupPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeRestorePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeShutdownPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeDebugPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemEnvironmentPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeChangeNotifyPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeRemoteShutdownPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeUndockPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeManageVolumePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeImpersonatePrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeCreateGlobalPrivilege	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 33	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 34	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 35	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeIncreaseQuotaPrivilege	2044	services.exe
Token: SeSecurityPrivilege	2044	services.exe
Token: SeTakeOwnershipPrivilege	2044	services.exe
Token: SeLoadDriverPrivilege	2044	services.exe
Token: SeSystemProfilePrivilege	2044	services.exe
Token: SeSystemtimePrivilege	2044	services.exe
Token: SeProfSingleProcessPrivilege	2044	services.exe
Token: SeIncBasePriorityPrivilege	2044	services.exe
Token: SeCreatePagefilePrivilege	2044	services.exe
Token: SeBackupPrivilege	2044	services.exe
Token: SeRestorePrivilege	2044	services.exe
Token: SeShutdownPrivilege	2044	services.exe
Token: SeDebugPrivilege	2044	services.exe
Token: SeSystemEnvironmentPrivilege	2044	services.exe
Token: SeChangeNotifyPrivilege	2044	services.exe
Token: SeRemoteShutdownPrivilege	2044	services.exe
Token: SeUndockPrivilege	2044	services.exe
Token: SeManageVolumePrivilege	2044	services.exe
Token: SeImpersonatePrivilege	2044	services.exe
Token: SeCreateGlobalPrivilege	2044	services.exe
Token: 33	2044	services.exe
Token: 34	2044	services.exe
Token: 35	2044	services.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exeservices.exe

pid	process
1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
784	services.exe
764	services.exe
2044	services.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exe

description	pid	process	target process
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1412 wrote to memory of 1788	1412	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1788 wrote to memory of 2036	1788	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2036 wrote to memory of 784	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 2036 wrote to memory of 784	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 2036 wrote to memory of 784	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 2036 wrote to memory of 784	2036	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 784 wrote to memory of 764	784	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe
PID 764 wrote to memory of 2044	764	services.exe	services.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	services.exe

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Adobe\services.exe
"C:\Adobe\services.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Adobe\services.exe
"C:\Adobe\services.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Adobe\services.exe
"C:\Adobe\services.exe"
6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

7

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

3

System Information Discovery

4