Analysis

  • max time kernel
    17s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18/05/2025, 11:31

General

  • Target

    2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

  • Size

    1.4MB

  • MD5

    01fd0cce549b50e9b0749b453cd47f37

  • SHA1

    776a26733dd24d5e1d365a68a667c8dc571f8b2a

  • SHA256

    744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564

  • SHA512

    a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8

  • SSDEEP

    24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 7 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks system information in the registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:5900
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f
        3⤵
        • Modifies registry key
        PID:5040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\System32\drivers\iqvw64e.exe
        C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\system32\net.exe
        net stop winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /y
          4⤵
          PID:4280
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\system32\net.exe
        net start winmgmt /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start winmgmt /y
          4⤵
          PID:4860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls >nul 2>&1
      2⤵
      PID:5376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4648
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:916
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:5204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3124
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5904
      • C:\Windows\system32\net.exe
        net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /Y
          4⤵
          PID:3976
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1336
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\system32\netsh.exe
        netsh interface show interface
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:468
      • C:\Windows\system32\findstr.exe
        findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"
        3⤵
        PID:2456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5764
      • C:\Windows\system32\netsh.exe
        netsh interface set interface "Ethernet" disable
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4636
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    PID:4828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2200
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4888
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:5400

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Windows\System32\drivers\iqvw64e.exe

    Filesize

    142KB

    MD5

    5ef5d6495806634c51c09f82a1682bdb

    SHA1

    e8a8f7b076e5b04b47d4c940898a89c33dcabb4f

    SHA256

    37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907

    SHA512

    aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d