Malware Analysis Report

2024-09-11 01:08

Sample ID 240318-s3vqsscb67
Target mtx777.bin.zip
SHA256 952a3c337089fe419c4790a4cf9a9ffa38406b71ac8b2ef72bc33e64751dbd69
Tags
phobos evasion persistence ransomware spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

952a3c337089fe419c4790a4cf9a9ffa38406b71ac8b2ef72bc33e64751dbd69

Threat Level: Known bad

The file mtx777.bin.zip was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (495) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (320) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-18 15:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 15:39

Reported

2024-03-18 15:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (320) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mtx777.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5B8DS9TT\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CJQLK5UF\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z9MW37VJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKWCFGN8\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MRWZP5ZY\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y3HLRHFA\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQHF6B80\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPSideShowGadget.exe.mui C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.js.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14513_.GIF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Adak.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107718.WMF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PREVIEW.GIF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240291.WMF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ROAD_01.MID.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre7\lib\jvm.hprof.txt.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099198.GIF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Baku.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\ExportRequest.jtx.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Customer Support.fdt.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre7\bin\jsound.dll.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00330_.WMF C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF.id[76B00CA7-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Parity.fx C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1940 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1940 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1940 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1940 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1940 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1940 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1940 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1940 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1940 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1940 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 1828 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1828 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1828 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1828 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1828 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1828 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1828 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1828 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\mtx777.exe

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

C:\Users\Admin\AppData\Local\Temp\mtx777.exe

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\info.hta"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt

Network

N/A

Files

memory/2940-0-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2940-1-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2940-2-0x0000000000240000-0x000000000024F000-memory.dmp

memory/2940-3-0x0000000000400000-0x000000000092B000-memory.dmp

memory/800-6-0x0000000000250000-0x000000000025F000-memory.dmp

memory/800-5-0x0000000000400000-0x000000000092B000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[76B00CA7-3483].[[email protected]].8base

MD5 38ca5cc3b95a605327e5c7fd167a99f1
SHA1 e9fb74f7441bc8bb44ffcb2a2b31eda28c1afa72
SHA256 20de9d2700e6117a8d2ab74d9436c5499d373c7494d22b4e477fbd6dcfd724c2
SHA512 224618880a94af7b51f6eae85a68a5b71d5b83a0ac2174e35fe16f13de41285a8ae722247e1bef96216809be0766cf5cd4b28a23ea7a57c7ebc8ca7ca3aedf56

memory/2940-369-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-1511-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-3136-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-3772-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-4499-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-7271-0x0000000000400000-0x000000000092B000-memory.dmp

memory/2940-9343-0x0000000000400000-0x000000000092B000-memory.dmp

C:\info.hta

MD5 019c6204123aeb87a19d73cdac46120f
SHA1 7365c63fada9ce39d8af112dd91dbf0420988d43
SHA256 7405d8c7aa26c3ce3110b97a76238c84b8cd781684da297e239e3485f46268ca
SHA512 f29f31e71c231c02ad5a6fbee219d7b737d0f969e7426a8c13996b9324729104d18e4552a66aa7c661c5d9a9fab8d59ad10f3eca78f5f02649c9acc192d2463f

memory/2940-10182-0x0000000000400000-0x000000000092B000-memory.dmp

C:\Users\Admin\Desktop\info.txt

MD5 785cafecedf21b32589f303a8a490a6a
SHA1 5388d3b2a40734142918364eadc02b4429d856e3
SHA256 e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932
SHA512 4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 15:39

Reported

2024-03-18 15:40

Platform

win10v2004-20240226-en

Max time kernel

69s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (495) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mtx777.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777 = "C:\\Users\\Admin\\AppData\\Local\\mtx777.exe" C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Specialized.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmMDL2.ttf C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\fb_blank_profile_portrait.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_24.svg.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\net.properties.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_fi.json C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p1.mp4 C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Console.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-125.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\PSGet.Resource.psd1 C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\SalesReport.xltx C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_te.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\PresentationFramework.resources.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOCRRES.ORP.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v11.1.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Internet Explorer\sqmapi.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Input.Manipulations.resources.dll.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ImagePipelineNative.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\java.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mt.pak.id[85922ACE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\mtx777.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1188 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3844 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3844 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1188 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1188 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3844 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3844 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3844 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3844 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3844 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3844 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3844 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3844 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5096 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\SysWOW64\mshta.exe
PID 5096 wrote to memory of 5156 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 5156 N/A C:\Users\Admin\AppData\Local\Temp\mtx777.exe C:\Windows\system32\cmd.exe
PID 5156 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5156 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5156 wrote to memory of 5388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5156 wrote to memory of 5388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5156 wrote to memory of 5128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5156 wrote to memory of 5128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5156 wrote to memory of 5280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5156 wrote to memory of 5280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5156 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5156 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\mtx777.exe

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

C:\Users\Admin\AppData\Local\Temp\mtx777.exe

"C:\Users\Admin\AppData\Local\Temp\mtx777.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\e0985e7bbeb94a95b6891557eafaa17f /t 208 /p 5720

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp

Files

memory/5096-0-0x0000000000BC0000-0x0000000000BD5000-memory.dmp

memory/5096-1-0x0000000000BC0000-0x0000000000BD5000-memory.dmp

memory/5096-2-0x0000000002680000-0x000000000268F000-memory.dmp

memory/5096-3-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4360-5-0x0000000000400000-0x000000000092B000-memory.dmp

memory/4360-7-0x0000000000AA0000-0x0000000000AAF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[85922ACE-3483].[[email protected]].8base

MD5 6c6777bf20869e2ce101b37758b68fa6
SHA1 7ca128302b914fe38ae47c6a577086ba1d29d9b8
SHA256 a6398593fa39f115e90425ad0dd3b14891d803df2ee90c2ace49b67a29476ee7
SHA512 7b4c3f4e611aee7f75af7b922151ec211c7337c1943dd773d84f618b84cfe13c494822275c5f2ac9e2edf3c56e02e2ffaba255e9a1be73d7f750d842602892e9

memory/5096-3853-0x0000000000400000-0x000000000092B000-memory.dmp

memory/5096-9028-0x0000000000400000-0x000000000092B000-memory.dmp

memory/5096-11978-0x0000000000400000-0x000000000092B000-memory.dmp

C:\info.hta

MD5 e483282c6fbedcaa537d9dae75475b51
SHA1 9435c256f4675c9268deb7895ca4cdf8072c7226
SHA256 7fb5f9a072a06cfa89420ed3f2ced8bce3557dc6a4ca0bde9cbd2bfcde1398a2
SHA512 5d3c063eff5b30e2df89f01ec97ef5c383f6ca4935ab20d031a3f0c384b9c3ffdb38461f4d39c9ace083c91d0b12a523b82836e22313ecd3a980b40e673054ca

memory/5096-11994-0x0000000000400000-0x000000000092B000-memory.dmp