Resubmissions
28/03/2025, 22:50
250328-2r89gsvly8 1026/03/2025, 18:56
250326-xlfmrssqz9 1026/03/2025, 18:17
250326-wxdf4szyc1 10Analysis
-
max time kernel
107s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
26/03/2025, 18:56
General
-
Target
2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
-
Size
502KB
-
MD5
17cc347c7c544e98a18dacf02a25d619
-
SHA1
263aa440a706fe3aa909fd8b212185340e7ede94
-
SHA256
30a4d2ae21ec90ebdd415b90d2fe670ac5c0ffe54d0d8f7a01a54910ba1a8c45
-
SHA512
e686ac882f4fdbe0efb0833186640d61d75b3132d026e5f2e1da35a01efca371e63cea3953a33dfb29ce130e6b3e0103bfbda099fc3da092364cc43427e15aeb
-
SSDEEP
6144:eo2mNDxqElXchsLP3JRBNGJLEAxSKfC5ogn3WJGBV50DErWuuzgXmPdt:eo2BYd73FWLExKfcoaWJtDTv
Malware Config
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Renames multiple (177) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartRename.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD50ce7fd24421733b26d7f2624bf1aa7b3
SHA14e28daf1b1aeaf472dec7221da13904fb6de4793
SHA256e1e91ff8c41cd5962d0d96168a66fc5119748c33db37abc898eb070347ab6ab6
SHA51264ee61b7503dc2e4c62f7535bca25a597010c5bfce309e38b5c53431a9303347144ae0da8234538237a9b341b39bba5665b281ae202e57d39720ad28ce211e7c
-
Filesize
816KB
MD53e6e2726a06b0a698ea4f68e57331824
SHA1ec9f30407069e618a96b4d84ebc34aab791023e4
SHA2563ebf00a77a7446158b10d4045ef6800443f678b4bd52e779ceff3a22eed9e19f
SHA512cf1a5c6120f3b3843e8b2347251d7275cddf7eabe9c30c3a38f8963ef624cc3e8b3893b30394b2ec90f724dcb22eb51640c478cb6ddba247fb70973771195404
-
Filesize
904KB
MD5a415b2f2b0fb302734dfff27f06bde0f
SHA1ddcf189f9531d2a75d68c78f86bb933de81e9965
SHA2564bfa625d4effa5992e704931554cbda0eb6334bad0cc161ade327d935224dda2
SHA512b4f35538ccf0a0abbbefde8f7be79d2ab092eb28f15e782eae5f352da571c36a367a5a0ca93194c41c0ec56361909148337dd1616fff355954cd8eb9d9c13ed4
-
Filesize
1.0MB
MD54bc1406b7dc8020bfce31fcaa8b34143
SHA12a4894beb495924fcc1813f0584d7eb785a08d38
SHA2560ae8d5e1aac45232099905fcc2896d9f5af5e62630d8deb9eeaf8ba397d7eed3
SHA5127fc74cc44d40433072acb2743e143f2063641e5a523dc4ecbf33b2e17f446d9ae4925b5d7af318a8a53a08f73f53835782932e6f634551a9e793368ca1616718
-
Filesize
9KB
MD5fc8c512e122d5bbeb8c7c49ae7139568
SHA16c8998a84aaf5e9658897d28bdbd22b2b2fc7174
SHA256d3d042b3c7b44b76ba19af2112b55de1e581b4b20ac55f7dbc1e14c3824c2958
SHA512355f3dd4faf71b19f26de23f698cf5c3d5cec80bb13b4575d47589faa1f3ed21d35e027a328cca81ae0f74bc28de4460f7ce5dc4445db35157030e24f0f94f83
-
Filesize
595KB
MD55e941bb7c1c814a52e28d80392d5bd00
SHA18a210caf09187f8c9a6350e8245f0d7f4b3f2606
SHA256a979e6ad9c96b7d7cfcfc3bb9eda003be631932ca0bca9ac3b0cedc8b44bd12f
SHA512313ec3528f7228c6fcddb5effe787981ab63f88d64610183157e1ec7f12e228ca000d68848c04662b5beea4bbc73025f3bd269ee8afbd4bfb35101a4a7a750cf
-
Filesize
860KB
MD5333216f5a840f53dff86f09f0bcfd2bf
SHA1f2a225861110a772c579242b3c81edab720a7f2c
SHA2568eab2776fde68a205ffd07ceb84b84f4f41d8c8fb358c813e2cee3d45e398295
SHA51273366f43302b864714f5c182ee19f53c098a7d7f46cff021f0b7a59fc908c3bc28d53d8bf30e250de396a6dc9b0a455293b44a8cca29e9c2ae2ac013c61b12ca
-
Filesize
14KB
MD52d2e9e4df6f258972591e29d80c31871
SHA139796d28d6a180d69121b7a137dff8a862a50f06
SHA25609bd5def9786c6a8747281433efa2d2056ba939069239ffb290e7064d589d880
SHA51296319d2cc68a9b87ce20dec100c018492b8ab2458e554a985b7621d6d6512d543db484c2283aa5c9e896649017a21e0ac6f78427673491032944758b37f158a1
-
Filesize
463KB
MD52d38229352e2a0a73eae502457bd5124
SHA13dee213e2080414964fd87ccf88d612955debe96
SHA2568c929418b11457699fe257caa6f250c6fb54237a1212ae2959a1a0c848598a8e
SHA512e1099380a5624e5d053258d13c577545dad55609802b52448bec46b2d19e7eb58f95da0a530b3242328724f20326db8ad65975f821def5b540f2e60564d7de41
-
Filesize
1.1MB
MD5c6d7e848250729ae16a8ba670c2119a6
SHA10b182103eb9bf04f987daf85ef9b248005910224
SHA256f8dcf1032a6602dcc719ffe798d108f49a2fe5fab7079d8dbf74213c8052ca72
SHA512f647f9fb7646a3162ae0f3fa74c5c6eb1cc4afdfd9bcce22c3a86e01fa5b9523b312fc540ef9253a4b2a2d3f0cb48a4ee67d392627eafed081abd4590ec18cab
-
Filesize
639KB
MD5713b83bde87d0b492f25768c74ed74e8
SHA196255570574f41fcf96431eb61853169cf0ab31c
SHA2565d94a6c10a3f24848e8424b4a3f38def379220b8681766dcb9856fc920d14e30
SHA512558325f24f18ffca603298626b1215f77db04a691bd14a039ae4a5163dafec9a7836a83e7173ab7cd1302018fc8281d3c425aae0e36aa6bfacac383a277b2439
-
Filesize
992KB
MD5207e97a07c4c519f1004a823d031b24f
SHA11647ca3997d116b9c0cdf3191e3f4c3d440bad11
SHA256005c0b31f79fb636a222be480847012530d87b4cb64eccb3289f36d859949dc5
SHA512244fe6841c8ea3d09a63a234237321262f531dce6b0d17d86df0df3efc1ce6c0d32c8847ee4c8b9adf9702d747939738bfe0033b2830ddb3aec15d82bf266a51
-
Filesize
1.3MB
MD588e23a60de66022971731f9880132813
SHA1defdf65668f2601af254c9d761814cefa4b4c0cc
SHA256e3f6b6116cec707208699e7afb0db1419fa3616ca6f3cc1e75fa321bbe0d90cc
SHA512db7ffbcb1f892c2d4957c4258d5682e33aa176858bd4b7f050695aa1afbabd0c3bbf54cea0eb3f3e548480d950d9b6f2b0ae891522e558159eef7a99728a3e68
-
Filesize
1.1MB
MD510b6065270b3db8b5ee7e2bca5e44c90
SHA109c41a697e17edf465b23b8e3c0d99c8e1334c43
SHA256af5d982b3090826c9641236c227b98ab3b200844926754c22e78e4ab9f9fd109
SHA512b7eb531e40bcb66d5dd4826bb7d31994153a12cf15f12b1d2ed5aed37644b2c4c11c8dbc542d6994ed7ca0f072ba02cba6d712037e3e1cfcd33285928b5688f0
-
Filesize
684KB
MD5c308fe14e111f8c71db1bce1f2d3eaef
SHA1705b98668b706024ea27e8a665568fda905e3d44
SHA25693265f7ae4b896bb94346acd60f5392d6c061c6344263fc569a1e3ee6a582e9c
SHA51284adf7f39c22b556b6f7d7e0f43a7122bd748daee0903b18093cb64b757d3a139057cea1eb969e3154ffe0a1d4caf88bb5047d0358735630bce2061198cc86a7
-
Filesize
15KB
MD57609f0b8e90c8b470903455b60f83f13
SHA19caaade63ad62a960263276ce9ac6f750c939379
SHA2561eac037b9acca86c89f7809a84039c338ac9921e36afc13547f5686a20531e12
SHA5121bbbe05c22d2c552c992e04a7aa96d9cb8a6346df1c8367c9c74e160839ae4c2043933d63a66140c770f0b368b11d03d54a2e9e370fc8c56d7c150faf2ba3f5d
-
Filesize
728KB
MD532726ea8cad2527bebde5c220adfccef
SHA18b5fe5c9bd4027712d53aff2a3c773b68d873137
SHA2565793c79051d961e05c4d04fbb7223fb372e0b11df1c8c69f73a88f1369493ddf
SHA512f97daeef310a7c3c917b547b45814129d29c9775d124dc73b7d76e9dfb23bfc9dec56e6c8d95f1bb4c3525ab4367e3a4aa64d495d6f3079f39c0f1aac32da118
-
Filesize
14KB
MD586495b99de28f79caaadfe39d6fd9854
SHA1b9196caf1547c5c7b56b55f40d15de69fd7f8ff6
SHA2561506a447e4413019ba097fb2de6ca98fcc1c4bf0810eaebfa1aa715b460d5e91
SHA5125b9a437667cb9e5615560c1cd47d27faffb7dc95cfec77652f528e38205e7a634b050e126b4ffcb161c5b8b4cc48aa1c700c232376ab4a8eee567ac9dd191cad
-
Filesize
1.8MB
MD556fae90a7f557fbd6abd42e73959d786
SHA1212c46ea2bd3ec6ce68d8284b43976d05433d604
SHA2566f70cf458ed104dc0be840590003095e96129c252ad442715ea5619a85ffac1a
SHA5120cf06249ee8a9dd49af0b2e40f54139383884567688e49e582f0246b8696023a03173ca70cac47df82893dc90b7b074031cafbd6f06d9194c71a8118ba463651
-
Filesize
507KB
MD5b072b6233f66b928194a8bc7577b5db8
SHA173c2a345920141bd939d9e91dfef4e18806feff9
SHA25679f69df05dc50a1de53c805c17583c2e92e511d8c9d26ca3d067e7f68ed9bcfb
SHA512d418b71f943d31dbde5669659a6698d5228148d3769b3ee2300a47bb2ca7c7e70452681b4636730a43f9dd0673f0f5356257f3882015473582158f669790c82d
-
Filesize
1.1MB
MD531ceba7e81210e62cd27362cdf172964
SHA18cc9487b4f7f6c537e5d416fadd71fd1cf287cb3
SHA256d1ff133cc23dfb01cd3de2aebc58a07231e05615b48aef2ca032faee83af7fe2
SHA512ec63c8d9809c0392fee978dd44e45be4bea75c9f71f62253ec6e835805c85cd37314decc5109f86c8e1aad11824f959b69c957c4099e875f5ffd679be7cfa7b9
-
Filesize
948KB
MD576728569e2403d2fa238b3d162d1b069
SHA1d561689cb7913c87b8257e0b93ecc1b9b7a92d67
SHA2568eec32f98b8776b65e23fe415b2953ad66f0bc9f2cec8fd53b691d0385aa2297
SHA512eef877706536f4804bc266e30eb00011be08d5d460c55c68ee249b77202631c54b4c5cc2ece2b5faf344280462101bee6d8b5f3216f825e280270ce0ec43c580
-
Filesize
1.2MB
MD5d0d9bb8c580c59e1a38233e669da730e
SHA13466cd44292e7e55c79c412fa284fc6a57f16384
SHA25602c644a4225a1783fbeca35ee5e0ae87600448f9502f6bd65b683619a9316be8
SHA512586701ca6b276f8fbcb06a8ace44d169e4f6bb42ddb50fbd68014f768a0b852dfe3537b79f95f0fdc1f04ed8dc6882db2da244ea4efe74c8e3c24970176a3bb1
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
