masslogger | 72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	order9321t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	order9321t.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation	order9321t.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	order9321t.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	order9321t.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 4024	3488	order9321t.exe	79

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3712	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bbbb7725127dd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4024	order9321t.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	636	svchost.exe
Token: SeCreatePagefilePrivilege	636	svchost.exe
Token: SeDebugPrivilege	3488	order9321t.exe
Token: SeDebugPrivilege	4024	order9321t.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4024	order9321t.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3712	3488	order9321t.exe	76
PID 3488 wrote to memory of 3712	3488	order9321t.exe	76
PID 3488 wrote to memory of 3712	3488	order9321t.exe	76
PID 3488 wrote to memory of 3932	3488	order9321t.exe	78
PID 3488 wrote to memory of 3932	3488	order9321t.exe	78
PID 3488 wrote to memory of 3932	3488	order9321t.exe	78
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79
PID 3488 wrote to memory of 4024	3488	order9321t.exe	79

C:\Users\Admin\AppData\Local\Temp\order9321t.exe
"C:\Users\Admin\AppData\Local\Temp\order9321t.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YdvIruZxoLuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7DCC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System