6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:29

Target

2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe
Size

736KB
MD5

18e5e760b807fc2b05172215540398b3
SHA1

6a1b4d3227088473c45869469b68a1737b26b90d
SHA256

6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd
SHA512

23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04
SSDEEP

12288:oaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OnP3cqXoi8TMkoleH5/:cw4GBpehMjcuP5b4FtyU/oiwMTleHKLu

Score

1^/10

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2748	2692	2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe	30
PID 2692 wrote to memory of 2748	2692	2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe	30
PID 2692 wrote to memory of 2748	2692	2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe	30

C:\Users\Admin\AppData\Local\Temp\2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_18e5e760b807fc2b05172215540398b3_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2692 -s 44
  2⤵
  PID:2748