darkcomet | 2eb3ac2d64ce7ccf86f15f751093f6a3d2b9b83d637acba8d95c45ea47cc97dc

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\drivers\\wathehell.exe"	Test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\drivers\\wathehell.exe,C:\\Windows\\system32\\drivers\\wathehell.exe"	wathehell.exe

Modifies firewall policy service 3 TTPs 3 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	AccSteal.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	AccSteal.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	AccSteal.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	AccSteal.exe

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	AccSteal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	AccSteal.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	AccSteal.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AccSteal.exe
File created	C:\Windows\SysWOW64\drivers\wathehell.exe	Test.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wathehell.exe	Test.exe
File opened for modification	C:\Windows\SysWOW64\drivers\	Test.exe
File created	C:\Windows\SysWOW64\drivers\wathehell.exe	wathehell.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wathehell.exe	wathehell.exe
File opened for modification	C:\Windows\SysWOW64\drivers\	wathehell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
2816	attrib.exe
2788	attrib.exe

Executes dropped EXE 8 IoCs

pid	Process
2004	PvpLogger.exe
1792	AccSteal.exe
2704	Minecraft cracked.exe
2740	Test.exe
2732	Minecraft Beta Cracked.exe
2156	Neptune.exe
2948	wathehell.exe
1660	iexplorer.exe

Loads dropped DLL 7 IoCs

pid	Process
2740	Test.exe
2740	Test.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	AccSteal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	AccSteal.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\drivers\\wathehell.exe"	Test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\drivers\\wathehell.exe"	wathehell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\iexplorer.exe"	iexplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2100	2948	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PvpLogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AccSteal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wathehell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1792	AccSteal.exe
Token: SeSecurityPrivilege	1792	AccSteal.exe
Token: SeTakeOwnershipPrivilege	1792	AccSteal.exe
Token: SeLoadDriverPrivilege	1792	AccSteal.exe
Token: SeSystemProfilePrivilege	1792	AccSteal.exe
Token: SeSystemtimePrivilege	1792	AccSteal.exe
Token: SeProfSingleProcessPrivilege	1792	AccSteal.exe
Token: SeIncBasePriorityPrivilege	1792	AccSteal.exe
Token: SeCreatePagefilePrivilege	1792	AccSteal.exe
Token: SeBackupPrivilege	1792	AccSteal.exe
Token: SeRestorePrivilege	1792	AccSteal.exe
Token: SeShutdownPrivilege	1792	AccSteal.exe
Token: SeDebugPrivilege	1792	AccSteal.exe
Token: SeSystemEnvironmentPrivilege	1792	AccSteal.exe
Token: SeChangeNotifyPrivilege	1792	AccSteal.exe
Token: SeRemoteShutdownPrivilege	1792	AccSteal.exe
Token: SeUndockPrivilege	1792	AccSteal.exe
Token: SeManageVolumePrivilege	1792	AccSteal.exe
Token: SeImpersonatePrivilege	1792	AccSteal.exe
Token: SeCreateGlobalPrivilege	1792	AccSteal.exe
Token: 33	1792	AccSteal.exe
Token: 34	1792	AccSteal.exe
Token: 35	1792	AccSteal.exe
Token: SeIncreaseQuotaPrivilege	2740	Test.exe
Token: SeSecurityPrivilege	2740	Test.exe
Token: SeTakeOwnershipPrivilege	2740	Test.exe
Token: SeLoadDriverPrivilege	2740	Test.exe
Token: SeSystemProfilePrivilege	2740	Test.exe
Token: SeSystemtimePrivilege	2740	Test.exe
Token: SeProfSingleProcessPrivilege	2740	Test.exe
Token: SeIncBasePriorityPrivilege	2740	Test.exe
Token: SeCreatePagefilePrivilege	2740	Test.exe
Token: SeBackupPrivilege	2740	Test.exe
Token: SeRestorePrivilege	2740	Test.exe
Token: SeShutdownPrivilege	2740	Test.exe
Token: SeDebugPrivilege	2740	Test.exe
Token: SeSystemEnvironmentPrivilege	2740	Test.exe
Token: SeChangeNotifyPrivilege	2740	Test.exe
Token: SeRemoteShutdownPrivilege	2740	Test.exe
Token: SeUndockPrivilege	2740	Test.exe
Token: SeManageVolumePrivilege	2740	Test.exe
Token: SeImpersonatePrivilege	2740	Test.exe
Token: SeCreateGlobalPrivilege	2740	Test.exe
Token: 33	2740	Test.exe
Token: 34	2740	Test.exe
Token: 35	2740	Test.exe
Token: SeIncreaseQuotaPrivilege	2948	wathehell.exe
Token: SeSecurityPrivilege	2948	wathehell.exe
Token: SeTakeOwnershipPrivilege	2948	wathehell.exe
Token: SeLoadDriverPrivilege	2948	wathehell.exe
Token: SeSystemProfilePrivilege	2948	wathehell.exe
Token: SeSystemtimePrivilege	2948	wathehell.exe
Token: SeProfSingleProcessPrivilege	2948	wathehell.exe
Token: SeIncBasePriorityPrivilege	2948	wathehell.exe
Token: SeCreatePagefilePrivilege	2948	wathehell.exe
Token: SeBackupPrivilege	2948	wathehell.exe
Token: SeRestorePrivilege	2948	wathehell.exe
Token: SeShutdownPrivilege	2948	wathehell.exe
Token: SeDebugPrivilege	2948	wathehell.exe
Token: SeSystemEnvironmentPrivilege	2948	wathehell.exe
Token: SeChangeNotifyPrivilege	2948	wathehell.exe
Token: SeRemoteShutdownPrivilege	2948	wathehell.exe
Token: SeUndockPrivilege	2948	wathehell.exe
Token: SeManageVolumePrivilege	2948	wathehell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	iexplorer.exe
1792	AccSteal.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2004	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	30
PID 768 wrote to memory of 2004	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	30
PID 768 wrote to memory of 2004	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	30
PID 768 wrote to memory of 2004	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	30
PID 768 wrote to memory of 1792	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	31
PID 768 wrote to memory of 1792	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	31
PID 768 wrote to memory of 1792	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	31
PID 768 wrote to memory of 1792	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	31
PID 768 wrote to memory of 2704	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	32
PID 768 wrote to memory of 2704	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	32
PID 768 wrote to memory of 2704	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	32
PID 768 wrote to memory of 2740	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	33
PID 768 wrote to memory of 2740	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	33
PID 768 wrote to memory of 2740	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	33
PID 768 wrote to memory of 2740	768	JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe	33
PID 2740 wrote to memory of 2892	2740	Test.exe	34
PID 2740 wrote to memory of 2892	2740	Test.exe	34
PID 2740 wrote to memory of 2892	2740	Test.exe	34
PID 2740 wrote to memory of 2892	2740	Test.exe	34
PID 2740 wrote to memory of 2688	2740	Test.exe	35
PID 2740 wrote to memory of 2688	2740	Test.exe	35
PID 2740 wrote to memory of 2688	2740	Test.exe	35
PID 2740 wrote to memory of 2688	2740	Test.exe	35
PID 2704 wrote to memory of 2732	2704	Minecraft cracked.exe	36
PID 2704 wrote to memory of 2732	2704	Minecraft cracked.exe	36
PID 2704 wrote to memory of 2732	2704	Minecraft cracked.exe	36
PID 2704 wrote to memory of 2156	2704	Minecraft cracked.exe	39
PID 2704 wrote to memory of 2156	2704	Minecraft cracked.exe	39
PID 2704 wrote to memory of 2156	2704	Minecraft cracked.exe	39
PID 2892 wrote to memory of 2788	2892	cmd.exe	40
PID 2892 wrote to memory of 2788	2892	cmd.exe	40
PID 2892 wrote to memory of 2788	2892	cmd.exe	40
PID 2892 wrote to memory of 2788	2892	cmd.exe	40
PID 2688 wrote to memory of 2816	2688	cmd.exe	41
PID 2688 wrote to memory of 2816	2688	cmd.exe	41
PID 2688 wrote to memory of 2816	2688	cmd.exe	41
PID 2688 wrote to memory of 2816	2688	cmd.exe	41
PID 2740 wrote to memory of 2948	2740	Test.exe	42
PID 2740 wrote to memory of 2948	2740	Test.exe	42
PID 2740 wrote to memory of 2948	2740	Test.exe	42
PID 2740 wrote to memory of 2948	2740	Test.exe	42
PID 2156 wrote to memory of 1660	2156	Neptune.exe	43
PID 2156 wrote to memory of 1660	2156	Neptune.exe	43
PID 2156 wrote to memory of 1660	2156	Neptune.exe	43
PID 2948 wrote to memory of 2140	2948	wathehell.exe	44
PID 2948 wrote to memory of 2140	2948	wathehell.exe	44
PID 2948 wrote to memory of 2140	2948	wathehell.exe	44
PID 2948 wrote to memory of 2140	2948	wathehell.exe	44
PID 2948 wrote to memory of 2100	2948	wathehell.exe	46
PID 2948 wrote to memory of 2100	2948	wathehell.exe	46
PID 2948 wrote to memory of 2100	2948	wathehell.exe	46
PID 2948 wrote to memory of 2100	2948	wathehell.exe	46

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	AccSteal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	AccSteal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	AccSteal.exe

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2788	attrib.exe
2816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\PvpLogger.exe
  "C:\Users\Admin\AppData\Local\Temp\PvpLogger.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\AccSteal.exe
  "C:\Users\Admin\AppData\Local\Temp\AccSteal.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\Minecraft cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft cracked.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\Minecraft Beta Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Minecraft Beta Cracked.exe"
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Neptune.exe
    "C:\Users\Admin\AppData\Local\Temp\Neptune.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\iexplorer.exe
      "C:\Users\Admin\AppData\Roaming\iexplorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1660
- C:\Users\Admin\AppData\Local\Temp\Test.exe
  "C:\Users\Admin\AppData\Local\Temp\Test.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2816
- - C:\Windows\SysWOW64\drivers\wathehell.exe
    "C:\Windows\system32\drivers\wathehell.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 568
      4⤵
      Loads dropped DLL
      Program crash
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry