darkcomet | ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Adobe\\services.exe"	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	services.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	services.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	services.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

services.exeservices.exeservices.exe

pid process

2388 services.exe
1448 services.exe
4724 services.exe

pid	process
2388	services.exe
1448	services.exe
4724	services.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	services.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	services.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Adobe\\services.exe"	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
File opened for modification	\??\PhysicalDrive0	services.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exe

description	pid	process	target process
PID 4488 set thread context of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 set thread context of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2388 set thread context of 1448	2388	services.exe	services.exe
PID 1448 set thread context of 4724	1448	services.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	services.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

4724 services.exe

pid	process
4724	services.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSecurityPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeTakeOwnershipPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeLoadDriverPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemProfilePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemtimePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeProfSingleProcessPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeIncBasePriorityPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeCreatePagefilePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeBackupPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeRestorePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeShutdownPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeDebugPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeSystemEnvironmentPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeChangeNotifyPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeRemoteShutdownPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeUndockPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeManageVolumePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeImpersonatePrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeCreateGlobalPrivilege	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 33	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 34	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 35	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: 36	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
Token: SeIncreaseQuotaPrivilege	4724	services.exe
Token: SeSecurityPrivilege	4724	services.exe
Token: SeTakeOwnershipPrivilege	4724	services.exe
Token: SeLoadDriverPrivilege	4724	services.exe
Token: SeSystemProfilePrivilege	4724	services.exe
Token: SeSystemtimePrivilege	4724	services.exe
Token: SeProfSingleProcessPrivilege	4724	services.exe
Token: SeIncBasePriorityPrivilege	4724	services.exe
Token: SeCreatePagefilePrivilege	4724	services.exe
Token: SeBackupPrivilege	4724	services.exe
Token: SeRestorePrivilege	4724	services.exe
Token: SeShutdownPrivilege	4724	services.exe
Token: SeDebugPrivilege	4724	services.exe
Token: SeSystemEnvironmentPrivilege	4724	services.exe
Token: SeChangeNotifyPrivilege	4724	services.exe
Token: SeRemoteShutdownPrivilege	4724	services.exe
Token: SeUndockPrivilege	4724	services.exe
Token: SeManageVolumePrivilege	4724	services.exe
Token: SeImpersonatePrivilege	4724	services.exe
Token: SeCreateGlobalPrivilege	4724	services.exe
Token: 33	4724	services.exe
Token: 34	4724	services.exe
Token: 35	4724	services.exe
Token: 36	4724	services.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exeservices.exe

pid	process
4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
2388	services.exe
1448	services.exe
4724	services.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exeservices.exeservices.exe

description	pid	process	target process
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 4488 wrote to memory of 2340	4488	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 2340 wrote to memory of 1400	2340	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
PID 1400 wrote to memory of 2388	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 1400 wrote to memory of 2388	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 1400 wrote to memory of 2388	1400	ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 2388 wrote to memory of 1448	2388	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe
PID 1448 wrote to memory of 4724	1448	services.exe	services.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	services.exe

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f6dc6897eac22d2d4afd7fba057a4afa347f3a63745eb08aa475148541c70.exe"
3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Adobe\services.exe
"C:\Adobe\services.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388

C:\Adobe\services.exe
"C:\Adobe\services.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Adobe\services.exe
"C:\Adobe\services.exe"
6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

7

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

4

System Information Discovery

5