Analysis

  • max time kernel
    15s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:27

General

  • Target

    2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

  • Size

    1.4MB

  • MD5

    01fd0cce549b50e9b0749b453cd47f37

  • SHA1

    776a26733dd24d5e1d365a68a667c8dc571f8b2a

  • SHA256

    744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564

  • SHA512

    a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8

  • SSDEEP

    24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun

Malware Config

Signatures

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Drivers directory (2 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (14 IoCs)
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 9 IoCs)
  • Interacts with shadow copies (3 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry key (1 TTP, 1 IoC)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks system information in the registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:5304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1133315524-23774-4574-2170415733} /f
        3⤵
        • Modifies registry key
        PID:884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\System32\drivers\iqvw64e.exe
        C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:4716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:6056
      • C:\Windows\system32\net.exe
        net stop winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /y
          4⤵
          PID:4860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\system32\net.exe
        net start winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start winmgmt /y
          4⤵
          PID:5960
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls >nul 2>&1
      2⤵
      PID:316
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2312
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5940
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:5180
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\system32\net.exe
        net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /Y
          4⤵
          PID:3340
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:3020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5360
      • C:\Windows\system32\netsh.exe
        netsh interface show interface
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3572
      • C:\Windows\system32\findstr.exe
        findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"
        3⤵
        PID:2772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\system32\netsh.exe
        netsh interface set interface "Ethernet" disable
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1876
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    PID:4212
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:3656

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Windows\System32\drivers\iqvw64e.exe

    Filesize

    142KB

    MD5

    5ef5d6495806634c51c09f82a1682bdb

    SHA1

    e8a8f7b076e5b04b47d4c940898a89c33dcabb4f

    SHA256

    37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907

    SHA512

    aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d

  • C:\Windows\system32\wbem\repository\MAPPING1.MAP

    Filesize

    207KB

    MD5

    0a1dbdaa8ecfdf276d4f344f666d562b

    SHA1

    1c897f2f08afb9d46a6547b2b46468403f4c57ea

    SHA256

    73819971a15addb0367007be32a457c43b9ea25d1b6c0f94da4ad26517430be1

    SHA512

    3e736192c3441724718c13eb14b25f8bf38e5f98ee975f664b71b91c2a7a65a39ceff6fd29d9a6a7a7f33f58b22b622581fb1d4f21ae651fc9dde9fbef935d0b