Analysis
- max time kernel: 15s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2025, 11:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
- Resource: win10v2004-20250502-en
General
- Target: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
- Size: 1.4MB
- MD5: 01fd0cce549b50e9b0749b453cd47f37
- SHA1: 776a26733dd24d5e1d365a68a667c8dc571f8b2a
- SHA256: 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564
- SHA512: a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8
- SSDEEP: 24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\drivers\iqvw64ehandle.sys | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  File created | C:\Windows\System32\drivers\iqvw64e.exe | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

- Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EpRywFQVzPSZn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EpRywFQVzPSZn" | iqvw64e.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  4716 | iqvw64e.exe
  4716 | iqvw64e.exe

- Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

- Drops file in System32 directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
  File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (int) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1626346319" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

- Enumerates system info in registry (2 TTPs, 9 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  5180 | vssadmin.exe

- Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  884 | reg.exe

- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4716 | iqvw64e.exe
  4716 | iqvw64e.exe
  4716 | iqvw64e.exe
  4716 | iqvw64e.exe

- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  4716 | iqvw64e.exe
  4716 | iqvw64e.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeLoadDriverPrivilege | 4716 | iqvw64e.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
  Token: SeSystemtimePrivilege | 1668 | svchost.exe
  Token: SeBackupPrivilege | 1668 | svchost.exe
  Token: SeRestorePrivilege | 1668 | svchost.exe
  Token: SeShutdownPrivilege | 1668 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | svchost.exe
  Token: SeUndockPrivilege | 1668 | svchost.exe
  Token: SeManageVolumePrivilege | 1668 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
  Token: SeSystemtimePrivilege | 1668 | svchost.exe
  Token: SeBackupPrivilege | 1668 | svchost.exe
  Token: SeRestorePrivilege | 1668 | svchost.exe
  Token: SeShutdownPrivilege | 1668 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | svchost.exe
  Token: SeUndockPrivilege | 1668 | svchost.exe
  Token: SeManageVolumePrivilege | 1668 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
  Token: SeSystemtimePrivilege | 1668 | svchost.exe
  Token: SeBackupPrivilege | 1668 | svchost.exe
  Token: SeRestorePrivilege | 1668 | svchost.exe
  Token: SeShutdownPrivilege | 1668 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | svchost.exe
  Token: SeUndockPrivilege | 1668 | svchost.exe
  Token: SeManageVolumePrivilege | 1668 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
  Token: SeSystemtimePrivilege | 1668 | svchost.exe
  Token: SeBackupPrivilege | 1668 | svchost.exe
  Token: SeRestorePrivilege | 1668 | svchost.exe
  Token: SeShutdownPrivilege | 1668 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | svchost.exe
  Token: SeUndockPrivilege | 1668 | svchost.exe
  Token: SeManageVolumePrivilege | 1668 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
  Token: SeBackupPrivilege | 1668 | svchost.exe
  Token: SeRestorePrivilege | 1668 | svchost.exe
  Token: SeShutdownPrivilege | 1668 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | svchost.exe
  Token: SeManageVolumePrivilege | 1668 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 1668 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 1668 | svchost.exe
  Token: SeSecurityPrivilege | 1668 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1668 | svchost.exe
  Token: SeLoadDriverPrivilege | 1668 | svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 5304 wrote to memory of 3408 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 88
  PID 5304 wrote to memory of 3408 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 88
  PID 3408 wrote to memory of 884 | 3408 | cmd.exe | 89
  PID 3408 wrote to memory of 884 | 3408 | cmd.exe | 89
  PID 5304 wrote to memory of 4552 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 92
  PID 5304 wrote to memory of 4552 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 92
  PID 4552 wrote to memory of 4716 | 4552 | cmd.exe | 93
  PID 4552 wrote to memory of 4716 | 4552 | cmd.exe | 93
  PID 5304 wrote to memory of 6056 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 98
  PID 5304 wrote to memory of 6056 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 98
  PID 6056 wrote to memory of 4880 | 6056 | cmd.exe | 99
  PID 6056 wrote to memory of 4880 | 6056 | cmd.exe | 99
  PID 4880 wrote to memory of 4860 | 4880 | net.exe | 100
  PID 4880 wrote to memory of 4860 | 4880 | net.exe | 100
  PID 5304 wrote to memory of 2376 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 105
  PID 5304 wrote to memory of 2376 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 105
  PID 2376 wrote to memory of 960 | 2376 | cmd.exe | 106
  PID 2376 wrote to memory of 960 | 2376 | cmd.exe | 106
  PID 960 wrote to memory of 5960 | 960 | net.exe | 107
  PID 960 wrote to memory of 5960 | 960 | net.exe | 107
  PID 5304 wrote to memory of 316 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 108
  PID 5304 wrote to memory of 316 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 108
  PID 5304 wrote to memory of 888 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 109
  PID 5304 wrote to memory of 888 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 109
  PID 5304 wrote to memory of 2020 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 112
  PID 5304 wrote to memory of 2020 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 112
  PID 5304 wrote to memory of 2312 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 113
  PID 5304 wrote to memory of 2312 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 113
  PID 5304 wrote to memory of 5940 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 114
  PID 5304 wrote to memory of 5940 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 114
  PID 5940 wrote to memory of 5180 | 5940 | cmd.exe | 115
  PID 5940 wrote to memory of 5180 | 5940 | cmd.exe | 115
  PID 5304 wrote to memory of 3728 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 118
  PID 5304 wrote to memory of 3728 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 118
  PID 3728 wrote to memory of 1952 | 3728 | cmd.exe | 119
  PID 3728 wrote to memory of 1952 | 3728 | cmd.exe | 119
  PID 1952 wrote to memory of 3340 | 1952 | net.exe | 120
  PID 1952 wrote to memory of 3340 | 1952 | net.exe | 120
  PID 5304 wrote to memory of 3020 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 121
  PID 5304 wrote to memory of 3020 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 121
  PID 5304 wrote to memory of 5360 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 122
  PID 5304 wrote to memory of 5360 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 122
  PID 5360 wrote to memory of 3572 | 5360 | cmd.exe | 123
  PID 5360 wrote to memory of 3572 | 5360 | cmd.exe | 123
  PID 5360 wrote to memory of 2772 | 5360 | cmd.exe | 124
  PID 5360 wrote to memory of 2772 | 5360 | cmd.exe | 124
  PID 5304 wrote to memory of 3404 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 126
  PID 5304 wrote to memory of 3404 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 126
  PID 3404 wrote to memory of 1876 | 3404 | cmd.exe | 127
  PID 3404 wrote to memory of 1876 | 3404 | cmd.exe | 127
  PID 5304 wrote to memory of 3408 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 88
  PID 5304 wrote to memory of 3408 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 88
  PID 3408 wrote to memory of 884 | 3408 | cmd.exe | 89
  PID 3408 wrote to memory of 884 | 3408 | cmd.exe | 89
  PID 5304 wrote to memory of 4552 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 92
  PID 5304 wrote to memory of 4552 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 92
  PID 4552 wrote to memory of 4716 | 4552 | cmd.exe | 93
  PID 4552 wrote to memory of 4716 | 4552 | cmd.exe | 93
  PID 5304 wrote to memory of 6056 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 98
  PID 5304 wrote to memory of 6056 | 5304 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 98
  PID 6056 wrote to memory of 4880 | 6056 | cmd.exe | 99
  PID 6056 wrote to memory of 4880 | 6056 | cmd.exe | 99
  PID 4880 wrote to memory of 4860 | 4880 | net.exe | 100
  PID 4880 wrote to memory of 4860 | 4880 | net.exe | 100
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe (PID 5304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
  Signatures: Drops file in Drivers directory; Checks system information in the registry; Checks processor information in registry; Enumerates system info in registry; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3408)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 884)
      Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1133315524-23774-4574-2170415733} /f
      Signatures: Modifies registry key
  - C:\Windows\system32\cmd.exe (PID 4552)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\drivers\iqvw64e.exe (PID 4716)
      Command line: C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
      Signatures: Sets service image path in registry; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 6056)
    Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 4880)
      Command line: net stop winmgmt /y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 4860)
        Command line: C:\Windows\system32\net1 stop winmgmt /y
  - C:\Windows\system32\cmd.exe (PID 2376)
    Command line: C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 960)
      Command line: net start winmgmt /y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 5960)
        Command line: C:\Windows\system32\net1 start winmgmt /y
  - C:\Windows\system32\cmd.exe (PID 316)
    Command line: C:\Windows\system32\cmd.exe /c cls >nul 2>&1
  - C:\Windows\system32\cmd.exe (PID 888)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2020)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2312)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 5940)
    Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 5180)
      Command line: vssadmin delete shadows /All /Quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 3728)
    Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 1952)
      Command line: net stop winmgmt /Y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 3340)
        Command line: C:\Windows\system32\net1 stop winmgmt /Y
  - C:\Windows\system32\cmd.exe (PID 3020)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 5360)
    Command line: C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 3572)
      Command line: netsh interface show interface
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\findstr.exe (PID 2772)
      Command line: findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"
  - C:\Windows\system32\cmd.exe (PID 3404)
    Command line: C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 1876)
      Command line: netsh interface set interface "Ethernet" disable
      Signatures: Event Triggered Execution: Netsh Helper DLL
- C:\Windows\system32\svchost.exe (PID 1668)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 4028)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\svchost.exe (PID 4212)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  Signatures: Drops file in System32 directory
- C:\Windows\System32\svchost.exe (PID 3656)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Network
MITRE ATT&CK Enterprise v16
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
Downloads
- Filesize: 142KB
  MD5: 5ef5d6495806634c51c09f82a1682bdb
  SHA1: e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
  SHA256: 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
  SHA512: aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d
- Filesize: 207KB
  MD5: 0a1dbdaa8ecfdf276d4f344f666d562b
  SHA1: 1c897f2f08afb9d46a6547b2b46468403f4c57ea
  SHA256: 73819971a15addb0367007be32a457c43b9ea25d1b6c0f94da4ad26517430be1
  SHA512: 3e736192c3441724718c13eb14b25f8bf38e5f98ee975f664b71b91c2a7a65a39ceff6fd29d9a6a7a7f33f58b22b622581fb1d4f21ae651fc9dde9fbef935d0b