darkcomet | 421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\taskhost.exe,explorer.exe"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Modifies firewall policy service 3 TTPs 3 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsStart = "%Temp%\\Microsoft\\taskhost.exe"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Disables RegEdit via registry modification 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Disables Task Manager via registry modification
evasion

Drops startup file 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.lnk	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsStart = "%AppData%\\Microsoft\\taskhost.exe"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Windows\\system32\\Skype/Skype.exe"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2124-20-0x0000000000400000-0x0000000000556000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	pid	process	target process
PID 2124 set thread context of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exenotepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid process

1184 421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid process

2124 421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid	process
1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeSecurityPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeTakeOwnershipPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeLoadDriverPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeSystemProfilePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeSystemtimePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeProfSingleProcessPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeIncBasePriorityPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeCreatePagefilePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeBackupPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeRestorePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeShutdownPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeDebugPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeSystemEnvironmentPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeChangeNotifyPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeRemoteShutdownPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeUndockPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeManageVolumePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeImpersonatePrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: SeCreateGlobalPrivilege	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: 33	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: 34	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Token: 35	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid	process
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid	process
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid process

1184 421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

pid	process
1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	pid	process	target process
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 2124 wrote to memory of 1184	2124	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe
PID 1184 wrote to memory of 2836	1184	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

Modify Registry

Processes:

421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe

C:\Users\Admin\AppData\Local\Temp\421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
"C:\Users\Admin\AppData\Local\Temp\421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe
  "C:\Users\Admin\AppData\Local\Temp\421e48716838b07749b30132827cd63bf478e7f3a59fc5517a5d8df5537689a6N.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1184
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry