masslogger | c6fe57e614145a93c0228f4fa22f26187f0c70bd373e5d4e59a93172ba9520f0

System Information Discovery

Processes:

Order List.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Order List.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Order List.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Order List.exeOrder List.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Order List.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Order List.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 api.ipify.org

flow	ioc
30	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Order List.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Order List.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Order List.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order List.exe

description pid process target process

PID 1496 set thread context of 1880 1496 Order List.exe Order List.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1232 schtasks.exe

description	pid	process	target process
PID 1496 set thread context of 1880	1496	Order List.exe	Order List.exe

pid	process
1232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Order List.exeOrder List.exe

pid	process
1496	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe
1880	Order List.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order List.exeOrder List.exe

description pid process

Token: SeDebugPrivilege 1496 Order List.exe
Token: SeDebugPrivilege 1880 Order List.exe

description	pid	process
Token: SeDebugPrivilege	1496	Order List.exe
Token: SeDebugPrivilege	1880	Order List.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Order List.exe

description	pid	process	target process
PID 1496 wrote to memory of 1232	1496	Order List.exe	schtasks.exe
PID 1496 wrote to memory of 1232	1496	Order List.exe	schtasks.exe
PID 1496 wrote to memory of 1232	1496	Order List.exe	schtasks.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe
PID 1496 wrote to memory of 1880	1496	Order List.exe	Order List.exe

C:\Users\Admin\AppData\Local\Temp\Order List.exe
"C:\Users\Admin\AppData\Local\Temp\Order List.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkJqtFyYwn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5E9.tmp"
2⤵
- Creates scheduled task(s)
PID:1232

C:\Users\Admin\AppData\Local\Temp\Order List.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

Peripheral Device Discovery