Analysis
max time kernel: 15s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2025, 11:31

Static task: static1

Behavioral task: behavioral1
Sample: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Resource: win11-20250502-en
General
Target: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Size: 1.4MB
MD5: 01fd0cce549b50e9b0749b453cd47f37
SHA1: 776a26733dd24d5e1d365a68a667c8dc571f8b2a
SHA256: 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564
SHA512: a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8
SSDEEP: 24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun
Malware Config
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\iqvw64ehandle.sys | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
File created | C:\Windows\System32\drivers\iqvw64e.exe | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dUGlonclitNKiiy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dUGlonclitNKiiy" | iqvw64e.exe
Executes dropped EXE (2 IoCs)
pid | Process
3352 | iqvw64e.exe
3352 | iqvw64e.exe
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Drops file in System32 directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (int) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1744081965" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4512 | vssadmin.exe
Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
3084 | reg.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3352 | iqvw64e.exe
3352 | iqvw64e.exe
3352 | iqvw64e.exe
3352 | iqvw64e.exe
Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
3352 | iqvw64e.exe
3352 | iqvw64e.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeLoadDriverPrivilege | 3352 | iqvw64e.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Token: SeBackupPrivilege | 3796 | svchost.exe
Token: SeRestorePrivilege | 3796 | svchost.exe
Token: SeShutdownPrivilege | 3796 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3796 | svchost.exe
Token: SeManageVolumePrivilege | 3796 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Token: SeSystemtimePrivilege | 3796 | svchost.exe
Token: SeBackupPrivilege | 3796 | svchost.exe
Token: SeRestorePrivilege | 3796 | svchost.exe
Token: SeShutdownPrivilege | 3796 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3796 | svchost.exe
Token: SeUndockPrivilege | 3796 | svchost.exe
Token: SeManageVolumePrivilege | 3796 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Token: SeSystemtimePrivilege | 3796 | svchost.exe
Token: SeBackupPrivilege | 3796 | svchost.exe
Token: SeRestorePrivilege | 3796 | svchost.exe
Token: SeShutdownPrivilege | 3796 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3796 | svchost.exe
Token: SeUndockPrivilege | 3796 | svchost.exe
Token: SeManageVolumePrivilege | 3796 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Token: SeSystemtimePrivilege | 3796 | svchost.exe
Token: SeBackupPrivilege | 3796 | svchost.exe
Token: SeRestorePrivilege | 3796 | svchost.exe
Token: SeShutdownPrivilege | 3796 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3796 | svchost.exe
Token: SeUndockPrivilege | 3796 | svchost.exe
Token: SeManageVolumePrivilege | 3796 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Token: SeSystemtimePrivilege | 3796 | svchost.exe
Token: SeBackupPrivilege | 3796 | svchost.exe
Token: SeRestorePrivilege | 3796 | svchost.exe
Token: SeShutdownPrivilege | 3796 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 3796 | svchost.exe
Token: SeUndockPrivilege | 3796 | svchost.exe
Token: SeManageVolumePrivilege | 3796 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 3796 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 3796 | svchost.exe
Token: SeSecurityPrivilege | 3796 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3796 | svchost.exe
Token: SeLoadDriverPrivilege | 3796 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3880 wrote to memory of 1848 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 90
PID 3880 wrote to memory of 1848 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 90
PID 1848 wrote to memory of 3084 | 1848 | cmd.exe | 91
PID 1848 wrote to memory of 3084 | 1848 | cmd.exe | 91
PID 3880 wrote to memory of 1500 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 94
PID 3880 wrote to memory of 1500 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 94
PID 1500 wrote to memory of 3352 | 1500 | cmd.exe | 95
PID 1500 wrote to memory of 3352 | 1500 | cmd.exe | 95
PID 3880 wrote to memory of 864 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 97
PID 3880 wrote to memory of 864 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 97
PID 864 wrote to memory of 924 | 864 | cmd.exe | 98
PID 864 wrote to memory of 924 | 864 | cmd.exe | 98
PID 924 wrote to memory of 1156 | 924 | net.exe | 99
PID 924 wrote to memory of 1156 | 924 | net.exe | 99
PID 3880 wrote to memory of 2924 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 106
PID 3880 wrote to memory of 2924 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 106
PID 2924 wrote to memory of 2360 | 2924 | cmd.exe | 107
PID 2924 wrote to memory of 2360 | 2924 | cmd.exe | 107
PID 2360 wrote to memory of 1124 | 2360 | net.exe | 108
PID 2360 wrote to memory of 1124 | 2360 | net.exe | 108
PID 3880 wrote to memory of 3988 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 109
PID 3880 wrote to memory of 3988 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 109
PID 3880 wrote to memory of 2628 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 110
PID 3880 wrote to memory of 2628 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 110
PID 3880 wrote to memory of 3728 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 111
PID 3880 wrote to memory of 3728 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 111
PID 3880 wrote to memory of 2964 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 114
PID 3880 wrote to memory of 2964 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 114
PID 3880 wrote to memory of 2344 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 115
PID 3880 wrote to memory of 2344 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 115
PID 2344 wrote to memory of 4512 | 2344 | cmd.exe | 116
PID 2344 wrote to memory of 4512 | 2344 | cmd.exe | 116
PID 3880 wrote to memory of 4304 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 119
PID 3880 wrote to memory of 4304 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 119
PID 4304 wrote to memory of 4308 | 4304 | cmd.exe | 120
PID 4304 wrote to memory of 4308 | 4304 | cmd.exe | 120
PID 4308 wrote to memory of 3040 | 4308 | net.exe | 121
PID 4308 wrote to memory of 3040 | 4308 | net.exe | 121
PID 3880 wrote to memory of 4192 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 122
PID 3880 wrote to memory of 4192 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 122
PID 3880 wrote to memory of 5056 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 123
PID 3880 wrote to memory of 5056 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 123
PID 5056 wrote to memory of 4984 | 5056 | cmd.exe | 124
PID 5056 wrote to memory of 4984 | 5056 | cmd.exe | 124
PID 5056 wrote to memory of 1636 | 5056 | cmd.exe | 125
PID 5056 wrote to memory of 1636 | 5056 | cmd.exe | 125
PID 3880 wrote to memory of 3932 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 127
PID 3880 wrote to memory of 3932 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 127
PID 3932 wrote to memory of 3904 | 3932 | cmd.exe | 128
PID 3932 wrote to memory of 3904 | 3932 | cmd.exe | 128
PID 3880 wrote to memory of 1848 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 90
PID 3880 wrote to memory of 1848 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 90
PID 1848 wrote to memory of 3084 | 1848 | cmd.exe | 91
PID 1848 wrote to memory of 3084 | 1848 | cmd.exe | 91
PID 3880 wrote to memory of 1500 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 94
PID 3880 wrote to memory of 1500 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 94
PID 1500 wrote to memory of 3352 | 1500 | cmd.exe | 95
PID 1500 wrote to memory of 3352 | 1500 | cmd.exe | 95
PID 3880 wrote to memory of 864 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 97
PID 3880 wrote to memory of 864 | 3880 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe | 97
PID 864 wrote to memory of 924 | 864 | cmd.exe | 98
PID 864 wrote to memory of 924 | 864 | cmd.exe | 98
PID 924 wrote to memory of 1156 | 924 | net.exe | 99
PID 924 wrote to memory of 1156 | 924 | net.exe | 99
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
  PID: 3880
  - Drops file in Drivers directory
  - Checks system information in the registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
      PID: 1848
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f
          PID: 3084
          - Modifies registry key

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
      PID: 1500
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\drivers\iqvw64e.exe
          Command line: C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
          PID: 3352
          - Sets service image path in registry
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
      PID: 864
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          Command line: net stop winmgmt /y
          PID: 924
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop winmgmt /y
              PID: 1156

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
      PID: 2924
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          Command line: net start winmgmt /y
          PID: 2360
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 start winmgmt /y
              PID: 1124

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls >nul 2>&1
      PID: 3988

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2628

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 3728

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2964

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
      PID: 2344
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /All /Quiet
          PID: 4512
          - Interacts with shadow copies

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
      PID: 4304
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          Command line: net stop winmgmt /Y
          PID: 4308
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop winmgmt /Y
              PID: 3040

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4192

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"
      PID: 5056
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
          Command line: netsh interface show interface
          PID: 4984
          - Event Triggered Execution: Netsh Helper DLL

        C:\Windows\system32\findstr.exe
          Command line: findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"
          PID: 1636

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
      PID: 3932
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
          Command line: netsh interface set interface "Ethernet" disable
          PID: 3904
          - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID: 3796
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1188

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID: 4784
  - Drops file in System32 directory

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 2416
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads

Filesize: 142KB
MD5: 5ef5d6495806634c51c09f82a1682bdb
SHA1: e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
SHA256: 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
SHA512: aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d

Filesize: 207KB
MD5: da9092ea939d85bc72a755957a056376
SHA1: 0aaea50cebb8c148dc1ecfe2811807c0d0d7059b
SHA256: 0fa046947a6300b6f8a443bb4f502829b05b00cb9d6d59fc6e9c666b51c6b014
SHA512: 375b490effee8ecaf8fc599a7a0a09f50c5717d448f9570c2f4ef03490570f84a6dec2326fea98ea8cb907ff781a1879e726d4a519608dd33a35ab5de62c7b7a