Analysis
- max time kernel: 69s
- max time network: 72s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-03-2024 15:39

Static task: static1
Behavioral task: behavioral1
- Sample: mtx777.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: mtx777.exe
- Resource: win10v2004-20240226-en

General
- Target: mtx777.exe
- Size: 281KB
- MD5: 2809e15a3a54484e042fe65fffd17409
- SHA1: 4a8f0331abaf8f629b3c8220f0d55339cfa30223
- SHA256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
- SHA512: 698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3
- SSDEEP: 3072:D5IwIMZKkczttW5ivhjqKO1I9Goh6F4mAqeormMkpCWlunhNGA5yjszVIEe9:NIMsztZZ+KQqGo5QfmLpCoun6W
Malware Config
Extracted
C:\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
pid | process
4428 | bcdedit.exe
860 | bcdedit.exe
5128 | bcdedit.exe
5280 | bcdedit.exe
-
Renames multiple (495) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
pid | process
4480 | wbadmin.exe
1460 | wbadmin.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
2892 | netsh.exe
1168 | netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | mtx777.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mtx777.exe | mtx777.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | mtx777.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[85922ACE-3483].[[email protected]].8base | mtx777.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" | mtx777.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" | mtx777.exe
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2408 | 4360 | WerFault.exe | mtx777.exe
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
872 | vssadmin.exe
4160 | vssadmin.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | mtx777.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5096 | mtx777.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\mtx777.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mtx777.exe"
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 5096
  - [level 2] C:\Users\Admin\AppData\Local\Temp\mtx777.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mtx777.exe"
    PID: 4360
    - [level 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 460
      Signatures: Program crash
      PID: 2408
  - [level 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3844
    - [level 3] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
      PID: 872
    - [level 3] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 4860
    - [level 3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
      PID: 4428
    - [level 3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
      PID: 860
    - [level 3] C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
      PID: 4480
  - [level 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1188
    - [level 3] C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      Signatures: Modifies Windows Firewall
      PID: 2892
    - [level 3] C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      Signatures: Modifies Windows Firewall
      PID: 1168
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 5508
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 2236
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 5180
  - [level 2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 5720
  - [level 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 5156
    - [level 3] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
      PID: 4160
    - [level 3] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 5388
    - [level 3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
      PID: 5128
    - [level 3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
      PID: 5280
    - [level 3] C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
      PID: 1460
- [level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4360 -ip 4360
  PID: 4296
- [level 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 5048
- [level 1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 2896
- [level 1] C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2536
- [level 1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
  PID: 2756
- [level 1] C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\e0985e7bbeb94a95b6891557eafaa17f /t 208 /p 5720
  PID: 5924
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[85922ACE-3483].[[email protected]].8base
  Filesize: 3.2MB
  MD5: 6c6777bf20869e2ce101b37758b68fa6
  SHA1: 7ca128302b914fe38ae47c6a577086ba1d29d9b8
  SHA256: a6398593fa39f115e90425ad0dd3b14891d803df2ee90c2ace49b67a29476ee7
  SHA512: 7b4c3f4e611aee7f75af7b922151ec211c7337c1943dd773d84f618b84cfe13c494822275c5f2ac9e2edf3c56e02e2ffaba255e9a1be73d7f750d842602892e9
- C:\info.hta
  Filesize: 5KB
  MD5: e483282c6fbedcaa537d9dae75475b51
  SHA1: 9435c256f4675c9268deb7895ca4cdf8072c7226
  SHA256: 7fb5f9a072a06cfa89420ed3f2ced8bce3557dc6a4ca0bde9cbd2bfcde1398a2
  SHA512: 5d3c063eff5b30e2df89f01ec97ef5c383f6ca4935ab20d031a3f0c384b9c3ffdb38461f4d39c9ace083c91d0b12a523b82836e22313ecd3a980b40e673054ca
- memory/4360-5-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)
- memory/4360-7-0x0000000000AA0000-0x0000000000AAF000-memory.dmp (Filesize: 60KB)
- memory/5096-0-0x0000000000BC0000-0x0000000000BD5000-memory.dmp (Filesize: 84KB)
- memory/5096-1-0x0000000000BC0000-0x0000000000BD5000-memory.dmp (Filesize: 84KB)
- memory/5096-2-0x0000000002680000-0x000000000268F000-memory.dmp (Filesize: 60KB)
- memory/5096-3-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)
- memory/5096-3853-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)
- memory/5096-9028-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)
- memory/5096-11978-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)
- memory/5096-11994-0x0000000000400000-0x000000000092B000-memory.dmp (Filesize: 5.2MB)