darkcomet | 355005818618c65083bbbe8a72c6d4d47ce880b3ca01cc7aae00b714d83c45e3

System Information Discovery

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exewmpmetwk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmpmetwk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exeaudiodgi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Executes dropped EXE 3 IoCs

Processes:

audiodgi.exewmpmetwk.exewmpmetwk.exe

pid process

4492 audiodgi.exe
4344 wmpmetwk.exe
2400 wmpmetwk.exe

pid	process
4492	audiodgi.exe
4344	wmpmetwk.exe
2400	wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft? Windows? Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exewmpmetwk.exe

description	pid	process	target process
PID 2664 set thread context of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 4344 set thread context of 2400	4344	wmpmetwk.exe	wmpmetwk.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3960-9-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-10-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-11-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-12-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-13-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-18-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-16-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral2/memory/3960-17-0x0000000013140000-0x00000000131FB000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exenotepad.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exewmpmetwk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmpmetwk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmpmetwk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmpmetwk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wmpmetwk.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exewmpmetwk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmpmetwk.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exeaudiodgi.exewmpmetwk.exe

pid	process
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
4492	audiodgi.exe
4344	wmpmetwk.exe
2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

description	pid	process
Token: SeDebugPrivilege	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeSecurityPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeBackupPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeRestorePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeShutdownPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeDebugPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeUndockPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: 33	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: 34	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: 35	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: 36	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	audiodgi.exe
Token: SeDebugPrivilege	4344	wmpmetwk.exe
Token: SeIncreaseQuotaPrivilege	2400	wmpmetwk.exe
Token: SeSecurityPrivilege	2400	wmpmetwk.exe
Token: SeTakeOwnershipPrivilege	2400	wmpmetwk.exe
Token: SeLoadDriverPrivilege	2400	wmpmetwk.exe
Token: SeSystemProfilePrivilege	2400	wmpmetwk.exe
Token: SeSystemtimePrivilege	2400	wmpmetwk.exe
Token: SeProfSingleProcessPrivilege	2400	wmpmetwk.exe
Token: SeIncBasePriorityPrivilege	2400	wmpmetwk.exe
Token: SeCreatePagefilePrivilege	2400	wmpmetwk.exe
Token: SeBackupPrivilege	2400	wmpmetwk.exe
Token: SeRestorePrivilege	2400	wmpmetwk.exe
Token: SeShutdownPrivilege	2400	wmpmetwk.exe
Token: SeDebugPrivilege	2400	wmpmetwk.exe
Token: SeSystemEnvironmentPrivilege	2400	wmpmetwk.exe
Token: SeChangeNotifyPrivilege	2400	wmpmetwk.exe
Token: SeRemoteShutdownPrivilege	2400	wmpmetwk.exe
Token: SeUndockPrivilege	2400	wmpmetwk.exe
Token: SeManageVolumePrivilege	2400	wmpmetwk.exe
Token: SeImpersonatePrivilege	2400	wmpmetwk.exe
Token: SeCreateGlobalPrivilege	2400	wmpmetwk.exe
Token: 33	2400	wmpmetwk.exe
Token: 34	2400	wmpmetwk.exe
Token: 35	2400	wmpmetwk.exe
Token: 36	2400	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

pid process

3960 8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

pid	process
3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exeaudiodgi.exewmpmetwk.exe

description	pid	process	target process
PID 2664 wrote to memory of 4028	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 4028	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 4028	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 2664 wrote to memory of 3960	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 3960 wrote to memory of 4692	3960	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	notepad.exe
PID 2664 wrote to memory of 4492	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	audiodgi.exe
PID 2664 wrote to memory of 4492	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	audiodgi.exe
PID 2664 wrote to memory of 4492	2664	8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe	audiodgi.exe
PID 4492 wrote to memory of 4344	4492	audiodgi.exe	wmpmetwk.exe
PID 4492 wrote to memory of 4344	4492	audiodgi.exe	wmpmetwk.exe
PID 4492 wrote to memory of 4344	4492	audiodgi.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe
PID 4344 wrote to memory of 2400	4344	wmpmetwk.exe	wmpmetwk.exe

C:\Users\Admin\AppData\Local\Temp\8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4028
- C:\Users\Admin\AppData\Local\Temp\8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
  8d8c928d447e8a694c79328d7e122ff9_JaffaCakes118.exe
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
      wmpmetwk.exe
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

4

System Information Discovery

5

System Location Discovery

T1614

System Language Discovery