Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-nkp1dacm8z
Target 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom
SHA256 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564
Tags
defense_evasion execution impact persistence privilege_escalation ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564

Threat Level: Likely malicious

The file 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution impact persistence privilege_escalation ransomware

Deletes shadow copies

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

Drops file in System32 directory

Checks system information in the registry

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Modifies registry key

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:27

Reported

2025-05-18 11:30

Platform

win10v2004-20250502-en

Max time kernel

15s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\iqvw64ehandle.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
File created C:\Windows\System32\drivers\iqvw64e.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EpRywFQVzPSZn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EpRywFQVzPSZn" C:\Windows\System32\drivers\iqvw64e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Checks system information in the registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (int) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1626346319" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5304 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3408 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3408 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5304 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 4552 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 5304 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 6056 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 6056 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4880 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4880 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5304 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2376 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 960 wrote to memory of 5960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 960 wrote to memory of 5960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5304 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5940 wrote to memory of 5180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5940 wrote to memory of 5180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5304 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3728 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3728 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1952 wrote to memory of 3340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1952 wrote to memory of 3340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5304 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5360 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5360 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5360 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 5360 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 5304 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3404 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5304 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3408 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3408 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5304 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 4552 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 5304 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5304 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 6056 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 6056 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4880 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4880 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1133315524-23774-4574-2170415733} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1

C:\Windows\System32\drivers\iqvw64e.exe

C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net start winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /Y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /Y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"

C:\Windows\system32\netsh.exe

netsh interface show interface

C:\Windows\system32\findstr.exe

findstr /i "{618D7D7F-426A-4F1F-BF3B-3318F76656DB}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable

C:\Windows\system32\netsh.exe

netsh interface set interface "Ethernet" disable

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\System32\drivers\iqvw64e.exe

MD5 5ef5d6495806634c51c09f82a1682bdb
SHA1 e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
SHA256 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
SHA512 aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d

C:\Windows\system32\wbem\repository\MAPPING1.MAP

MD5 0a1dbdaa8ecfdf276d4f344f666d562b
SHA1 1c897f2f08afb9d46a6547b2b46468403f4c57ea
SHA256 73819971a15addb0367007be32a457c43b9ea25d1b6c0f94da4ad26517430be1
SHA512 3e736192c3441724718c13eb14b25f8bf38e5f98ee975f664b71b91c2a7a65a39ceff6fd29d9a6a7a7f33f58b22b622581fb1d4f21ae651fc9dde9fbef935d0b