1816a9023320b892c54fc1abdc4ba3177ae9ecee4f145efa71d290b357eb1061

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
792	MSBuild.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 792	2484	powershell.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4764	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2644	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2644	EXCEL.EXE
2644	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE
2644	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4764	3192	WScript.exe	92
PID 3192 wrote to memory of 4764	3192	WScript.exe	92
PID 1536 wrote to memory of 2484	1536	WScript.exe	105
PID 1536 wrote to memory of 2484	1536	WScript.exe	105
PID 1536 wrote to memory of 5020	1536	WScript.exe	114
PID 1536 wrote to memory of 5020	1536	WScript.exe	114
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117
PID 2484 wrote to memory of 792	2484	powershell.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn 7rwmxwqnly /tr C:\Users\Admin\AppData\Roaming\zf8sw.vbs
  2⤵
  - Creates scheduled task(s)
  PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1980

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\zf8sw.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Roaming\MSBuild.exe
    "C:\Users\Admin\AppData\Roaming\MSBuild.exe"
    3⤵
    - Executes dropped EXE
    PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExitWatch.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

Persistence

Scheduled Task/Job

1

Privilege Escalation

Scheduled Task/Job

1

Defense Evasion

Credential Access

Discovery

Query Registry

4

System Information Discovery

4