Analysis

  • max time kernel
    15s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:31

General

  • Target

    2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

  • Size

    1.4MB

  • MD5

    01fd0cce549b50e9b0749b453cd47f37

  • SHA1

    776a26733dd24d5e1d365a68a667c8dc571f8b2a

  • SHA256

    744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564

  • SHA512

    a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8

  • SSDEEP

    24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 14 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks system information in the registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f
        3⤵
        • Modifies registry key
        PID:3084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\System32\drivers\iqvw64e.exe
        C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:3352
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\system32\net.exe
        net stop winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /y
          4⤵
          PID:1156
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\net.exe
        net start winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start winmgmt /y
          4⤵
          PID:1124
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls >nul 2>&1
      2⤵
      PID:3988
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:3728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4512
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\system32\net.exe
        net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4308
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /Y
          4⤵
          PID:3040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\system32\netsh.exe
        netsh interface show interface
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4984
      • C:\Windows\system32\findstr.exe
        findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"
        3⤵
        PID:1636
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\system32\netsh.exe
        netsh interface set interface "Ethernet" disable
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1188
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    PID:4784
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:2416

Downloads

  • C:\Windows\System32\drivers\iqvw64e.exe

    Filesize
    142KB

    MD5
    5ef5d6495806634c51c09f82a1682bdb

    SHA1
    e8a8f7b076e5b04b47d4c940898a89c33dcabb4f

    SHA256
    37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907

    SHA512
    aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d

  • C:\Windows\system32\wbem\repository\MAPPING2.MAP

    Filesize
    207KB

    MD5
    da9092ea939d85bc72a755957a056376

    SHA1
    0aaea50cebb8c148dc1ecfe2811807c0d0d7059b

    SHA256
    0fa046947a6300b6f8a443bb4f502829b05b00cb9d6d59fc6e9c666b51c6b014

    SHA512
    375b490effee8ecaf8fc599a7a0a09f50c5717d448f9570c2f4ef03490570f84a6dec2326fea98ea8cb907ff781a1879e726d4a519608dd33a35ab5de62c7b7a