Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 13:05
Static task: static1
Behavioral task: behavioral1
  Sample: de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe
Size: 401KB
MD5: de53d0db460bf21170e8ec1adc3677f8
SHA1: ae3408fec76913e362b929a5dbacaaa1f60ef488
SHA256: ca7d3c87ec54e6defa7e5ad438bc800c56c2fb8366f0de6797ab88b2c374bbff
SHA512: e7d943a3d0913a6e026aff6ead78469f2ed63cbd8876d919fd4588a8f7fe5ec57c5871c7bca647adee37837947bc22a854b475befc3863266d570c4fac1c5563
SSDEEP: 12288:duDu1BX3Yl9kopZPcBV3mqTXGO67L2GxfdfT:du4hoDkopZPsV3msXGO637xp
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (document.htm .exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (document.htm .exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (document.htm .exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\HPWuSchdq.exe = "C:\\Windows\\system32\\HPWuSchdq.exe:*:Enabled:Explorer" (document.htm .exe)

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (document.htm .exe)

Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" (document.htm .exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (hp-358.exe)
Executes dropped EXE (7 IoCs)
- PID 2844 setup.exe
- PID 4180 document.htm .exe
- PID 3156 document.htm .exe
- PID 1380 hp-358.exe
- PID 1964 hp-358.exe
- PID 2080 lsass.exe
- PID 3656 lsass.exe

Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" (document.htm .exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HP Software Updater v1.2 = "C:\\Windows\\system32\\HPWuSchdq.exe" (document.htm .exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Windows\\SysWOW64\\hp-358.exe" (hp-358.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SystemProc\\lsass.exe" (lsass.exe)

Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (document.htm .exe)
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by document.htm .exe, one event per drive letter: \??\G:, \??\H:, \??\J:, \??\N:, \??\U:, \??\V:, \??\X:, \??\Q:, \??\S:, \??\T:, \??\W:, \??\L:, \??\O:, \??\P:, \??\E:, \??\I:, \??\K:, \??\M:, \??\R:, \??\Y:
Drops file in System32 directory (3 IoCs)
- File opened for modification: C:\Windows\SysWOW64\HPWuSchdq.exe (document.htm .exe)
- File created: C:\Windows\SysWOW64\HPWuSchdq.exe (document.htm .exe)
- File created: C:\Windows\SysWOW64\hp-358.exe (document.htm .exe)
Suspicious use of SetThreadContext (3 IoCs)
- PID 4180 (document.htm .exe) set thread context of PID 3156 (target procid 90)
- PID 1380 (hp-358.exe) set thread context of PID 1964 (target procid 99)
- PID 2080 (lsass.exe) set thread context of PID 3656 (target procid 101)
Drops file in Program Files directory (64 IoCs)
All 64 events are "File created" by document.htm .exe:
- C:\program files\limewire\shared\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\limewire\shared\PDF to Word Converter 3.0.exe
- C:\program files\tesla\files\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
- C:\program files\tesla\files\Nero 9 9.2.6.0 keygen.exe
- C:\program files\winmx\shared\Super Utilities Pro 2009 11.0.exe
- C:\program files\morpheus\my shared folder\Norton Internet Security 2010 crack.exe
- C:\program files\emule\incoming\Mp3 Splitter and Joiner Pro v3.48.exe
- C:\program files\morpheus\my shared folder\Kaspersky AntiVirus 2010 crack.exe
- C:\program files\winmx\shared\McAfee Total Protection 2010.exe
- C:\program files\winmx\shared\Ad-aware 2010.exe
- C:\program files\grokster\my grokster\Ashampoo Snap 3.02.exe
- C:\program files\limewire\shared\Starcraft2 Patch v0.2.exe
- C:\program files\tesla\files\Norton Internet Security 2010 crack.exe
- C:\program files\winmx\shared\Myspace theme collection.exe
- C:\program files\emule\incoming\Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
- C:\program files\grokster\my grokster\Starcraft2 Patch v0.2.exe
- C:\program files\winmx\shared\BitDefender AntiVirus 2010 Keygen.exe
- C:\program files\grokster\my grokster\Anti-Porn v13.5.12.29.exe
- C:\program files\emule\incoming\Absolute Video Converter 6.2.exe
- C:\program files\emule\incoming\Windows2008 keygen and activator.exe
- C:\program files\morpheus\my shared folder\Super Utilities Pro 2009 11.0.exe
- C:\program files\winmx\shared\VmWare keygen.exe
- C:\program files\grokster\my grokster\Super Utilities Pro 2009 11.0.exe
- C:\program files\emule\incoming\Divx Pro 7 + keymaker.exe
- C:\program files\icq\shared folder\RapidShare Killer AIO 2010.exe
- C:\program files\grokster\my grokster\WinRAR v3.x keygen RaZoR.exe
- C:\program files\emule\incoming\DVD Tools Nero 10.5.6.0.exe
- C:\program files\tesla\files\PDF-XChange Pro.exe
- C:\program files\winmx\shared\Power ISO v4.2 + keygen axxo.exe
- C:\program files\icq\shared folder\Sophos antivirus updater bypass.exe
- C:\program files\emule\incoming\Motorola, nokia, ericsson mobil phone tools.exe
- C:\program files\limewire\shared\Motorola, nokia, ericsson mobil phone tools.exe
- C:\program files\limewire\shared\Power ISO v4.2 + keygen axxo.exe
- C:\program files\grokster\my grokster\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\morpheus\my shared folder\Windows 7 Ultimate keygen.exe
- C:\program files\emule\incoming\BitDefender AntiVirus 2010 Keygen.exe
- C:\program files\icq\shared folder\Starcraft2 Patch v0.2.exe
- C:\program files\grokster\my grokster\Myspace theme collection.exe
- C:\program files\grokster\my grokster\Power ISO v4.2 + keygen axxo.exe
- C:\program files\morpheus\my shared folder\Starcraft2 Crack.exe
- C:\program files\limewire\shared\Adobe Acrobat Reader keygen.exe
- C:\program files\icq\shared folder\Ashampoo Snap 3.02.exe
- C:\program files\tesla\files\BitDefender AntiVirus 2010 Keygen.exe
- C:\program files\morpheus\my shared folder\Ad-aware 2010.exe
- C:\program files\emule\incoming\Kaspersky Internet Security 2010 keygen.exe
- C:\program files\morpheus\my shared folder\Daemon Tools Pro 4.11.exe
- C:\program files\limewire\shared\Total Commander7 license+keygen.exe
- C:\program files\tesla\files\Alcohol 120 v1.9.7.exe
- C:\program files\winmx\shared\Starcraft2 Patch v0.2.exe
- C:\program files\emule\incoming\YouTubeGet 5.4.exe
- C:\program files\icq\shared folder\Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
- C:\program files\emule\incoming\VmWare keygen.exe
- C:\program files\morpheus\my shared folder\Blaze DVD Player Pro v6.52.exe
- C:\program files\morpheus\my shared folder\Starcraft2 keys.txt.exe
- C:\program files\limewire\shared\Mp3 Splitter and Joiner Pro v3.48.exe
- C:\program files\limewire\shared\Myspace theme collection.exe
- C:\program files\winmx\shared\Alcohol 120 v1.9.7.exe
- C:\program files\icq\shared folder\Adobe Illustrator CS4 crack.exe
- C:\program files\limewire\shared\Avast 4.8 Professional.exe
- C:\program files\tesla\files\PDF password remover (works with all acrobat reader).exe
- C:\program files\limewire\shared\Anti-Porn v13.5.12.29.exe
- C:\program files\grokster\my grokster\Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
- C:\program files\emule\incoming\Avast 4.8 Professional.exe
- C:\program files\limewire\shared\Image Size Reducer Pro v1.0.1.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (document.htm .exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hp-358.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hp-358.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lsass.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (document.htm .exe)
Modifies registry class (22 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment (dfsvc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "R47Y3WPZ5P63K9Q2594EQDJB" (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion (dfsvc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "W5GENA9C2K4CZ02VP8LA5GOV" (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide (dfsvc.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots (dfsvc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "5N8BZ67VZT69EAEVM7T3POQN" (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software (dfsvc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies (dfsvc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (hp-358.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3156 document.htm .exe (64 identical events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3004 dfsvc.exe
- Token: SeDebugPrivilege, PID 3656 lsass.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 4180 document.htm .exe
- PID 1380 hp-358.exe
- PID 2080 lsass.exe
Suspicious use of WriteProcessMemory (45 IoCs)
Identical events are collapsed with their count:
- PID 3404 (de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe) wrote to memory of PID 2844 (target procid 83): 3 events
- PID 2844 (setup.exe) wrote to memory of PID 3004 (target procid 85): 2 events
- PID 3404 (de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe) wrote to memory of PID 4180 (target procid 88): 3 events
- PID 4180 (document.htm .exe) wrote to memory of PID 3156 (target procid 90): 11 events
- PID 3156 (document.htm .exe) wrote to memory of PID 1380 (target procid 96): 3 events
- PID 1380 (hp-358.exe) wrote to memory of PID 1964 (target procid 99): 9 events
- PID 1964 (hp-358.exe) wrote to memory of PID 2080 (target procid 100): 3 events
- PID 2080 (lsass.exe) wrote to memory of PID 3656 (target procid 101): 9 events
- PID 3656 (lsass.exe) wrote to memory of PID 3424 (target procid 56): 2 events
System policy modification (1 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (document.htm .exe)
Processes
C:\Windows\Explorer.EXE (PID 3424)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe (PID 3404)
    command line: "C:\Users\Admin\AppData\Local\Temp\de53d0db460bf21170e8ec1adc3677f8_JaffaCakes118.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe (PID 2844)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe (PID 3004)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.htm .exe (PID 4180)
      command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.htm .exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.htm .exe (PID 3156)
        command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.htm .exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\SysWOW64\hp-358.exe (PID 1380)
          command line: "C:\Windows\system32\hp-358.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\hp-358.exe (PID 1964)
            command line: "C:\Windows\SysWOW64\hp-358.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe (PID 2080)
              command line: "C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe (PID 3656)
                command line: "C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
C:\Program Files (x86)\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  Filesize: 151B
  MD5: 2fa89bb5ec500c62cc40d5a46a6a8cd3
  SHA1: ab2c5fed92fb203ff7ca8b3353a9e086377afebd
  SHA256: bbcea744c5edfaf49d50a046051338c2fc75fd12247ae5997b9967fe3f454543
  SHA512: 41299af72f3f78bd1d82423e36272bcde20441254402b5776537de2d5061d125f80f65bbee07bf5d1609003a784f85caf0e4cadbf91782737ea4aa58a0c51e59

C:\Program Files (x86)\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  Filesize: 1KB
  MD5: 8db91883ee3533d23dee7f960f35a86b
  SHA1: 7711e7240614ce19fff8efad065ec4945954a64c
  SHA256: b6dce1cd85ef55a6887abd3cccd6b644e8ca9b877640feb75d072b9c2f9f46a3
  SHA512: 7c5f5e3d363559a8099a9f94fb80f85272a53f7c92413932b2006f6db1c6b47f58e5767a8ef11bf3b8b370ef8a7d149f3feb95d3c4ef67787bc5466a91044373

C:\Program Files (x86)\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
  Filesize: 765B
  MD5: 78ad4864983e69fdc09b56c0cabf8e70
  SHA1: dbb7c8129472f7d96b069f8a2a9bd117cbf9c5b6
  SHA256: 30e1fc099fdd3eab43a3e390ef120e143bce0befb0dcc3ae05f52590e06ec26a
  SHA512: 10e6708f51f81ac59bb01043acd11ad74a1bb9d52074d32562edfc60a778f3499033515a524d413f1205e2e133e3390cbed34bde6386766fdf7d4eab0dd018da

Dropped file (no path recorded in the report)
  Filesize: 292KB
  MD5: 61bdeffc0946da743e90dd871abb44b1
  SHA1: ab476b562b55e86769861d01a291e34d65cbefe0
  SHA256: 1f9a64623275ab45796d8862c6a640cd4eca37108d0d855d38a697b8561d0041
  SHA512: d3669d4fef76311bbca4cae8d8327b679ac2986f5558d0cc2d560962af46072a025dbfdd21d0057eee10a14c6adba41271df8f84f8da924cccf8129a08780698

Dropped file (no path recorded in the report)
  Filesize: 666KB
  MD5: 52390ffcd8dac59cbe89accd5513d7cc
  SHA1: 29acf3219826070c4d667c2d7d4058335d77b4c8
  SHA256: 3cf416cee08191e2f030df18804b450137f427fd752ddfcf875ba77e0d746be1
  SHA512: f740e51dab7eeb1cec4ccdbf829b13e0d33f63126ce248ddd5e7fddaee6a9ee0a96db877f892ba2e83b4ecd22db516ce7fd425a1c6a8dc8a25f46a9e915a8529

Dropped file (no path recorded in the report)
  Filesize: 160KB
  MD5: 28114caa6f505680d673577aedc6834d
  SHA1: d4ac67e1bfa696bad04d950ea72adfae7a90c5e5
  SHA256: 764d4e44f0c2c11fa6e9df043bd3201bc57ed3da4cce7cc2d8dd366ed67fe402
  SHA512: 75a2569e431f7536137246315444e0e4c24c53ff8a3376b3027168ff024b98f93a618a7007c343a2de90715a90c6bc0d5e9bfa2a6129a8f684cea77e6c253a42