636e55648c9d3fc08bc814e01765f34e71db576aef5397e16e6498d3a7ee7f7e

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe
Size

3.9MB
MD5

5adcf9918838e95aa439ddcc4217c8e1
SHA1

8ae5c3de8cb1e9788bdd2a09e840b31348cd76c0
SHA256

636e55648c9d3fc08bc814e01765f34e71db576aef5397e16e6498d3a7ee7f7e
SHA512

cc48b85171edd62861f4eca49980e9353e8f0a65fdcec9f34928ce8f7e1bfbef932c28cdbcf2aa1f0c53490affd6d87c1fb5d7a62cb29e02fd924e797db15352
SSDEEP

98304:zziZpcTIjmxUPjRJjPmEriDJbg5ajTd806/x/rMsr:zzqGMfeEmDJM5andZ6J/Asr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1536	1.exe
2700	1.exe
2756	icsys.icn.exe
2236	explorer.exe
2516	spoolsv.exe
2172	svchost.exe
1720	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
1536	1.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
1536	1.exe
2756	icsys.icn.exe
2236	explorer.exe
2516	spoolsv.exe
2172	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2856	2700	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
1536	1.exe
2700	1.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1536	1.exe
1536	1.exe
2756	icsys.icn.exe
2756	icsys.icn.exe
2236	explorer.exe
2236	explorer.exe
2516	spoolsv.exe
2516	spoolsv.exe
2172	svchost.exe
2172	svchost.exe
1720	spoolsv.exe
1720	spoolsv.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1536	1892	2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe	28
PID 1892 wrote to memory of 1536	1892	2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe	28
PID 1892 wrote to memory of 1536	1892	2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe	28
PID 1892 wrote to memory of 1536	1892	2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe	28
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 1536 wrote to memory of 2700	1536	1.exe	29
PID 2700 wrote to memory of 2856	2700	1.exe	30
PID 2700 wrote to memory of 2856	2700	1.exe	30
PID 2700 wrote to memory of 2856	2700	1.exe	30
PID 2700 wrote to memory of 2856	2700	1.exe	30
PID 1536 wrote to memory of 2756	1536	1.exe	31
PID 1536 wrote to memory of 2756	1536	1.exe	31
PID 1536 wrote to memory of 2756	1536	1.exe	31
PID 1536 wrote to memory of 2756	1536	1.exe	31
PID 2756 wrote to memory of 2236	2756	icsys.icn.exe	32
PID 2756 wrote to memory of 2236	2756	icsys.icn.exe	32
PID 2756 wrote to memory of 2236	2756	icsys.icn.exe	32
PID 2756 wrote to memory of 2236	2756	icsys.icn.exe	32
PID 2236 wrote to memory of 2516	2236	explorer.exe	33
PID 2236 wrote to memory of 2516	2236	explorer.exe	33
PID 2236 wrote to memory of 2516	2236	explorer.exe	33
PID 2236 wrote to memory of 2516	2236	explorer.exe	33
PID 2516 wrote to memory of 2172	2516	spoolsv.exe	34
PID 2516 wrote to memory of 2172	2516	spoolsv.exe	34
PID 2516 wrote to memory of 2172	2516	spoolsv.exe	34
PID 2516 wrote to memory of 2172	2516	spoolsv.exe	34
PID 2172 wrote to memory of 1720	2172	svchost.exe	35
PID 2172 wrote to memory of 1720	2172	svchost.exe	35
PID 2172 wrote to memory of 1720	2172	svchost.exe	35
PID 2172 wrote to memory of 1720	2172	svchost.exe	35
PID 2236 wrote to memory of 1508	2236	explorer.exe	36
PID 2236 wrote to memory of 1508	2236	explorer.exe	36
PID 2236 wrote to memory of 1508	2236	explorer.exe	36
PID 2236 wrote to memory of 1508	2236	explorer.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - \??\c:\users\admin\appdata\local\temp\rarsfx0\1.exe
    c:\users\admin\appdata\local\temp\rarsfx0\1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 208
      4⤵
      Loads dropped DLL
      Program crash
      PID:2856
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2236
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:28 /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
    - - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        5⤵
        
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0d7f87cd1ef80f0ebacdf7fa79b8783c

SHA1
7edc1b4e25ddf7b40b3f44d63ac81cde68e18f16

SHA256
c7365d9b27b0f23a2318bd60c6e21f45e0c9d439c1c5533ffbed54409e13b16c

SHA512
667e3af135fd18c1ae4a6f7c488a32eb6a2bff642a3820262ef00fda1e1b7dafeacd656384d5f8092625c1a353ddb7d2b04e68bbf6fe40b8fbef0b988a959b4d

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
32934efd882389859edec5ec83e00b77

SHA1
7b20566031a7226f70f5c40c9168a988a2e86976

SHA256
410f8aa97aea1104624e8e312d103087439e3273ae23c934e8132bd3ce16ca83

SHA512
adc807ccf6c20d17f73c21d2f32497d65ebf05784f2b64c487695d9b6afbfd3137fbd64ec475c361932eeedb092f91e5a2952cfd83d83f1c55feb8444d400b4c

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3735d8a615b3d6e522f2d81c68090bd6

SHA1
92f51c0bcaa4b614bdf3edef35baaabf54ae73cf

SHA256
a6f0ddf2a949c7ce020bce2db460d13bad60915f34f3eed0da2a7a483b2efe5b

SHA512
c89fe9c2efac4e99235dcca130bf5b5be9f31db687569f65f32b40249a249b82312d434384593190637a5f2bddad84d580b516d6d536801412f7672871e2b36d

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
07bd0f912e07dd39468bb2272d2150a0

SHA1
2c94cba4e7b3adaff5af97304bfb9b3632c17bca

SHA256
442935c4b4486e0df73f7f572dfe8bf0551672d07d2909e764eaf9d13f34d070

SHA512
625511176024364c0fafe4b977d7ce904c3b2fa22fae9210765f8b88a3ce7b81992c0bc04705607fe58ce82844a944ee0f513b3ade382e5e15a0e036983db8de

Download Submit
memory/1536-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-35-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/1720-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2172-74-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2516-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-24-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2756-48-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download