lockbit | 30a4d2ae21ec90ebdd415b90d2fe670ac5c0ffe54d0d8f7a01a54910ba1a8c45

Resubmissions

28/03/2025, 22:50

250328-2r89gsvly8 10

26/03/2025, 18:56

250326-xlfmrssqz9 10

26/03/2025, 18:17

250326-wxdf4szyc1 10

Analysis

max time kernel
66s
max time network
65s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Size

502KB
MD5

17cc347c7c544e98a18dacf02a25d619
SHA1

263aa440a706fe3aa909fd8b212185340e7ede94
SHA256

30a4d2ae21ec90ebdd415b90d2fe670ac5c0ffe54d0d8f7a01a54910ba1a8c45
SHA512

e686ac882f4fdbe0efb0833186640d61d75b3132d026e5f2e1da35a01efca371e63cea3953a33dfb29ce130e6b3e0103bfbda099fc3da092364cc43427e15aeb
SSDEEP

6144:eo2mNDxqElXchsLP3JRBNGJLEAxSKfC5ogn3WJGBV50DErWuuzgXmPdt:eo2BYd73FWLExKfcoaWJtDTv

Score

10^/10

lockbit ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Renames multiple (135) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\N:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\V:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\W:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\X:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\D:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\I:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\K:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\M:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\S:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\U:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\Y:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\B:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\L:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\O:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\Q:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\F:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\A:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\G:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\H:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\P:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\R:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\T:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
File opened (read-only)	\??\Z:	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WindowsData\\desktop.bmp"	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\Desktop\TileWallpaper = "0"	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\Desktop\WallpaperStyle = "6"	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "lockbitFile"	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\DefaultIcon	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\DefaultIcon\ = "C:\\ProgramData\\WindowsData\\redfile.ico"	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\shell\open\command	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\shell	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\shell\open	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lockbitFile\shell\open\command\ = "notepad.exe \"%1\""	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
4064	2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	taskmgr.exe
Token: SeSystemProfilePrivilege	4216	taskmgr.exe
Token: SeCreateGlobalPrivilege	4216	taskmgr.exe
Token: SeCreateGlobalPrivilege	5116	dwm.exe
Token: SeChangeNotifyPrivilege	5116	dwm.exe
Token: 33	5116	dwm.exe
Token: SeIncBasePriorityPrivilege	5116	dwm.exe
Token: 33	4216	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4216	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe
4216	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-26_17cc347c7c544e98a18dacf02a25d619_black-basta_cobalt-strike_satacom.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ApproveConfirm.wdp.lockbit

Filesize
666KB

MD5
dfc8e48664443ea38b7336b9e041c761

SHA1
29256b48b1ae0075d20d202a1bc58a2a0babe773

SHA256
e9bf9e97e828f0369de8335b72fbf1a3834f200889ca185e449142e6d6af3829

SHA512
c2caa8e646b0e43ad17686ee816b13c96008a50582d03a02347ca5d2b328f79a7fb79276b3f9c7ee50f59ba9b4e94a84a016ac458f307baff68a9f07fee72232

Download Submit
C:\Users\Admin\Desktop\BackupSearch.xlsx.lockbit

Filesize
14KB

MD5
8c16fd094b6a0c881ee26fe1e48b1f61

SHA1
f5cf9d0f82562c43690cf70ce9542e8cebee828c

SHA256
db2c5f4f5916f6a2abb196d54b2103a77d026d3ed75981aa1b5efd1aa33ac4da

SHA512
8ad0e4f48779ec9fc0aa98b0cbfbca51fbf1496b1fbba6d1774bd3bbdd4cce5c73b79c87bb3f29356199e16578b126feef05bd12c3c042b8e72e9d0927ba7812

Download Submit
C:\Users\Admin\Desktop\BlockRestart.vssx.lockbit

Filesize
439KB

MD5
75db8b81efaece0378298f91e125625d

SHA1
d070b0d046f8c968a7645fc708e059eb9926c65b

SHA256
85b6a8f878f8eda1fc66e3f9ff0f033bbce6a74ac5ff3c8ee7302a2c65faec8a

SHA512
b22ca65296cb020e5237053132cba2a4b30a1f1f721a49b8d6e71675e40d61372898dfc0750201388118a55f01a7a355608d91b565e58138010732fc33d6bdae

Download Submit
C:\Users\Admin\Desktop\CheckpointCopy.001.lockbit

Filesize
634KB

MD5
cd0d47580abe42f987df2ec0a0fa731a

SHA1
a2d5f0d3e021a1ebb9507bd56249d0e4edc93ebc

SHA256
57e99b4e9ef64eb2901f8804f72fa002e5614c509c36d81fe81200c0e8d1d469

SHA512
5604a7d2e5270350e872d2728460aeabf40ecce0c9ef2f819cac23aed72cc531b2dee30e2b74a1964141b7d4737b059e03e3edeb775bfec03b00c700801ac550

Download Submit
C:\Users\Admin\Desktop\CheckpointUpdate.raw.lockbit

Filesize
504KB

MD5
65a9050c5642a6cd625548fe4bff088d

SHA1
6af671bf6697e940266b5fcda9872ddd205bbef6

SHA256
699d1c2657a03d2731daf972e05b83dfb0ddfbf835203b8d12919003e83e3280

SHA512
997777e69f9bc3f5d05aa20e183ae7c6b0cde5ecdc2af4fc936b7b01c25a5f5f1b0eaea000ba924d4187f35f1bf36d2e1349255c2642724cfdb9b14177008de0

Download Submit
C:\Users\Admin\Desktop\CompareResolve.potm.lockbit

Filesize
731KB

MD5
161e718dabbdcf754fe314df8faeea46

SHA1
71cf3e4bead1fb147b23ab3577b0cd291c54bcde

SHA256
95beb0f70fea1c2614835a68ab538608abaa4baf785092b3de8f7479399386e3

SHA512
75d9a5a34b74c59eb864e904f31a14a2778d2a498e93d1ebac27c99864146bd039b82fbe2a79dba0cb9ae7fc5f5e560f980bae8571629b7849023d1d3ab3dd57

Download Submit
C:\Users\Admin\Desktop\ConfirmMerge.dotm.lockbit

Filesize
829KB

MD5
4e4e99f5fbff5b318178c2bdc04b797b

SHA1
d12a8600c1fb5a61eea33d1c0b9d91a0f1cca1be

SHA256
ced1e07ca1a7936f43f79eaa6716b3753a440a41c5c2494c067a2e360d560c9a

SHA512
b5966acc98d47f1e45c845474d635d73d33d9dce7caabd6d68d37a67adf2b522a4b036ba2e04af6f95feed26fd5668d595813f33fed9700a8276ee8ab493a0e5

Download Submit
C:\Users\Admin\Desktop\ConvertOut.easmx.lockbit

Filesize
926KB

MD5
08458e1dec2798781bc3033fb334d056

SHA1
8360ba633d346e43dc34a4e5c764f9c271c3f13a

SHA256
00c8463c9247ddffe3bb6a9a484e67d4e14024ed1ab04814ac70aba674de6289

SHA512
75b6513a5e560fffd4a8bf405cfd913edd5a9fd25381de8f188befebb45a124508f98de74a6feef2067339645ef812bb51b114c6440d2ccee251db26d35ebc4d

Download Submit
C:\Users\Admin\Desktop\CopyPop.aif.lockbit

Filesize
601KB

MD5
00dfd1680ed80aad620b963f623ab206

SHA1
4f177106a0467735d2097a64489b1ac95e60cdb4

SHA256
85536ec7744e050f20df54d2d397e6c73cb2ba7529d8a785491638e607b769ea

SHA512
f411def25a1d42c78382e58f9885424a0fdbe5bd02b0f236f028288c5c90479d71bed452c490c40de57cd34f81de82e2949a521fd4cea8b9b3a93c8fa3cadf4d

Download Submit
C:\Users\Admin\Desktop\EnterWrite.odp.lockbit

Filesize
569KB

MD5
ff9c7c589e7299be3b37acd095a9f266

SHA1
86b3f58c2810286194d0f284c4ccc669aaa3b3c3

SHA256
2931338c243c2a4af568d08866196f3c4bd31daa8c80d05d164fc18e8c5ab7ba

SHA512
61835c0543bd51592d4a1799960379cac28ef239afe956511a05a7d25a67303bfd3bb8ab8af24da20cfc58a8fab814417a49b9fa016b95c7679de4972d91da21

Download Submit
C:\Users\Admin\Desktop\ExpandPublish.mht.lockbit

Filesize
894KB

MD5
544a47c187be0e90e5e9ada305cec37e

SHA1
8a20ee24dae3c7602ed609fc5b91ce6c7a1f6813

SHA256
f92c8e173ae5407450864aaf9bb25854c1d65abec670f5eb33a8aa318b766109

SHA512
f47f7995ba6540bf4e0700eeacac29429358fc4f5c8ba44daeab3cf3f91ece17f29e980705a2604c5c2d3dd2a7a19bf807d27930354cd6bf0e124034b4b708cb

Download Submit
C:\Users\Admin\Desktop\HideConfirm.avi.lockbit

Filesize
1.3MB

MD5
e15331e1ad1d1511f4bc41f8f38ed895

SHA1
5d98204893e9c8f82c81b69ffe3c804632ff439c

SHA256
f79f43a6787d24b8dd869133788768e3e8436a846fe2bcfdc9b2ededefc61d2e

SHA512
d981b41d857ffb6ede40a701e0b158653c77b98c0bd94030f626de8319ed1ca4ca29e2e1b4c0f41cd0e39250f870f1b13dc59bbff92367a8e0cd78255d8c0368

Download Submit
C:\Users\Admin\Desktop\PushWait.M2T.lockbit

Filesize
341KB

MD5
edbad7c7d2fb0402ad5cf562c66ebc4a

SHA1
7ab50ac90b4a406eb8cffb13a036c14e24fd490c

SHA256
de068dc50ceeabfc6851a3db88e1b021c3438b5f12806817cb5a89a8634a84ba

SHA512
2d997f6be0d1b5df92a30dc665a9f73b723bf86d707af9c1fc7e666533c2577ab9aa8100e147cfeaac77c9f4210251012c840e5d24357c9ed03aa035433ad447

Download Submit
C:\Users\Admin\Desktop\ReceiveClose.dib.lockbit

Filesize
699KB

MD5
daca80aa5057651e83b5fdc16d0eae89

SHA1
6df054d03d8efed5099cf472f62507959c814864

SHA256
abeac4ea8c196e835ad572c3f03963d0048d977b355a1b5333004759912824ea

SHA512
1d52e5ec9a404eb109ef0ba6d85323621fc0a41ad6381cbc728e42af7f01591984e041a1453a4e20e56630ecb7a155524a7d28f87d5125a7fc269348d2a1b7ec

Download Submit
C:\Users\Admin\Desktop\ResizeExpand.wvx.lockbit

Filesize
536KB

MD5
2f8afdb98322549d38ddffaef743c256

SHA1
495847d7debff1e879584003620897aef311ff30

SHA256
e7bdc982770cf493ec0513049d0567483b38407800390a61957dc07e4626eda7

SHA512
4e8b071b835f564fb9f85880e338ec2d01001cefafc20d65ece5073d73855a7b80e8dc5f6763b7bc83fef9aa7979a94f33299d5242bbf6f9c1f11c9cccdc9444

Download Submit
C:\Users\Admin\Desktop\SaveResolve.vstx.lockbit

Filesize
796KB

MD5
50000bae2f63a775a0e6f299bcd84f26

SHA1
962145f2b545ddd68f0d992024f27a25b6955e14

SHA256
87ab04ba37a7959f8eb7c0237682b3f1dd5043307aba9816d0ca61a1754e4eca

SHA512
13bbb2cb22accde1c87caffa962d8d2a2241900f054ff4c92ef80d71154c802171b5dd719e129a9b908598cebad7fbff0f06876c6dd0265270d11529058448a4

Download Submit
C:\Users\Admin\Desktop\SendDeny.wdp.lockbit

Filesize
471KB

MD5
9a36fea31e2f605b7b850a7f8e5e4d0f

SHA1
34cdc7c67aef6d76bf3dada805a4001f60f5d948

SHA256
44129dcab81ffca5e4b8f7cace008d47c3fccb5775f2b9c689e0493771cbad22

SHA512
81b813f28dc4c8248a8fc49083a6f2e410654e49f93ae7c0c97c9adbdb19d7de8df19fb53227ee7f49889daccc2b3b0578bf1da31a0bab7fd848ab79e7c60531

Download Submit
C:\Users\Admin\Desktop\ShowPush.dib.lockbit

Filesize
764KB

MD5
f0e0bc0a4cc379cf2a2daf56d0984073

SHA1
b2fb5a8e783e37ab657b83f61e6eec9f27fe53ad

SHA256
dbcc7dab8f272a49521c871293a728463682a4957b516625b8d453aed0b589cd

SHA512
d20ac04c711c98e2f567d25245dc617b020a7b61890a9f03b6d08335d81357c88c965f63e0cd5628368a4f73e0cf601a89b891cf3b650d9f98d9a956ba2a42be

Download Submit
C:\Users\Admin\Desktop\UnlockSkip.docm.lockbit

Filesize
861KB

MD5
2167085008d9a17136be09bdaac62b80

SHA1
19dc99e0b6ace8c71db5e92af47412a3d934c01a

SHA256
dbd38baa3704c5d6ed86f94a470d8dbba53ff4c07b53f8fcbeb7500d8e83a46f

SHA512
608ec24b964a30cf3358c155d7767220ac0a1705936485d66ae103ead5efce356aedcd4ad76f92d215574013535c1afacd43b7b163250fc1d8cc870fad068037

Download Submit
C:\Users\Admin\Desktop\WatchRemove.xlsx.lockbit

Filesize
12KB

MD5
848077dfd7a5254d85116bd82284dc81

SHA1
e80353b0701eef7eac35df619278c70cdcbb8573

SHA256
b3c59524150d6ca86175f69676b23dc05cfe72fd93609cfe6cad994cabf29ca2

SHA512
136abfc162844af4eaf2e35ed816152c502e5c57cd4750d4ae7a61e094102ed70711d55d4140b59ee31112969787d627aaeab95b70ddfe544076d68b431d8cfb

Download Submit
memory/4216-449-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-450-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-451-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-455-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-461-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-460-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-459-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-458-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-457-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download
memory/4216-456-0x00000254DE390000-0x00000254DE391000-memory.dmp

Filesize
4KB

Download