0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
Size

388KB
MD5

678e01aacc99779c502e9473876548e0
SHA1

cd9e404b37a2029e88f904b98f966b7e1284ff70
SHA256

0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41
SHA512

9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4
SSDEEP

6144:fda8uOhcMWhqVln4xKDW9KobFEFLOSO6/NvsHJxc00d+DzRLITiNs:Va8ivhqVl+KC9LpEQSO62DzRLm

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HELP_RESTORE_FILES.txt

Ransom Note

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 13cDQ5mkTSBazoP4mGFU4SSzZN3LEusayg Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 13cDQ5mkTSBazoP4mGFU4SSzZN3LEusayg Follow the instructions on the server.

Wallets

13cDQ5mkTSBazoP4mGFU4SSzZN3LEusayg

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1428	xpmomqr.exe
2804	xpmomqr.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\FormatPing.png => C:\Users\Admin\Pictures\FormatPing.png.ecc	xpmomqr.exe
File renamed	C:\Users\Admin\Pictures\NewEnter.png => C:\Users\Admin\Pictures\NewEnter.png.ecc	xpmomqr.exe
File renamed	C:\Users\Admin\Pictures\ProtectExport.raw => C:\Users\Admin\Pictures\ProtectExport.raw.ecc	xpmomqr.exe
File renamed	C:\Users\Admin\Pictures\ResolveStop.raw => C:\Users\Admin\Pictures\ResolveStop.raw.ecc	xpmomqr.exe
File renamed	C:\Users\Admin\Pictures\UpdateUnblock.raw => C:\Users\Admin\Pictures\UpdateUnblock.raw.ecc	xpmomqr.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromSuspend.raw => C:\Users\Admin\Pictures\ConvertFromSuspend.raw.ecc	xpmomqr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	xpmomqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	xpmomqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msdedf = "C:\\Users\\Admin\\AppData\\Roaming\\xpmomqr.exe"	xpmomqr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xpmomqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msdedf = "C:\\Users\\Admin\\AppData\\Roaming\\xpmomqr.exe"	xpmomqr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HeLP_ReSTORe_FILeS.bmp"	xpmomqr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 1428 set thread context of 2804	1428	xpmomqr.exe	85

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-100.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-96.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-16_contrast-black.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-100.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-300.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-125.HCWhite.png	xpmomqr.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\STARTUP\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-unplated.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated.png	xpmomqr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-125_contrast-white.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-16.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-125.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-400.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-400.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_half.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-black.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-unplated.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\webviewCore.min.js	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreRating\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated_contrast-white.png	xpmomqr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100_contrast-black.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLookingUp.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-400.png	xpmomqr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\HELP_RESTORE_FILES.txt	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	xpmomqr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HELP_RESTORE_FILES.txt	xpmomqr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
228	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "0"	xpmomqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\TileWallpaper = "0"	xpmomqr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe
2804	xpmomqr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
Token: SeDebugPrivilege	2804	xpmomqr.exe
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 992 wrote to memory of 4788	992	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	83
PID 4788 wrote to memory of 1428	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	84
PID 4788 wrote to memory of 1428	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	84
PID 4788 wrote to memory of 1428	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	84
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 1428 wrote to memory of 2804	1428	xpmomqr.exe	85
PID 4788 wrote to memory of 3172	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	86
PID 4788 wrote to memory of 3172	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	86
PID 4788 wrote to memory of 3172	4788	0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe	86
PID 2804 wrote to memory of 228	2804	xpmomqr.exe	88
PID 2804 wrote to memory of 228	2804	xpmomqr.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xpmomqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xpmomqr.exe

C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
"C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
  C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Roaming\xpmomqr.exe
    C:\Users\Admin\AppData\Roaming\xpmomqr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Roaming\xpmomqr.exe
      C:\Users\Admin\AppData\Roaming\xpmomqr.exe
      4⤵
      Executes dropped EXE
      Modifies extensions of user files
      Checks computer location settings
      Adds Run key to start application
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2804
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0A1688~1.EXE >> NUL
    3⤵
    PID:3172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xpmomqr.exe

Filesize
388KB

MD5
678e01aacc99779c502e9473876548e0

SHA1
cd9e404b37a2029e88f904b98f966b7e1284ff70

SHA256
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

SHA512
9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

Download Submit
C:\Users\Admin\AppData\Roaming\xpmomqr.exe

Filesize
388KB

MD5
678e01aacc99779c502e9473876548e0

SHA1
cd9e404b37a2029e88f904b98f966b7e1284ff70

SHA256
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

SHA512
9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

Download Submit
C:\Users\Admin\AppData\Roaming\xpmomqr.exe

Filesize
388KB

MD5
678e01aacc99779c502e9473876548e0

SHA1
cd9e404b37a2029e88f904b98f966b7e1284ff70

SHA256
0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

SHA512
9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

Download Submit
memory/2804-143-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2804-149-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2804-147-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2804-144-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4788-136-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4788-146-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4788-135-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4788-134-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4788-133-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download