Analysis
max time kernel: 17s
max time network: 128s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/05/2025, 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
  Resource: win11-20250502-en
General
Target: 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Size: 1.4MB
MD5: 01fd0cce549b50e9b0749b453cd47f37
SHA1: 776a26733dd24d5e1d365a68a667c8dc571f8b2a
SHA256: 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564
SHA512: a90ac20f54c6f32eb84dd9b585c45aead3155c32133ea5a0e088f92eebfe98d0496b7675caa7a7b189c0702f686a3aacf0ff60f4cfb3310b5afed0f5f9b6f9d8
SSDEEP: 24576:zcYXj1ZbRxnfYAP3Z+vGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9Wc4VU:zpjzRxfYAun
Malware Config
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\iqvw64ehandle.sys | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
File created | C:\Windows\System32\drivers\iqvw64e.exe | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RdymymQERGjRSvFrs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\RdymymQERGjRSvFrs" | iqvw64e.exe
Executes dropped EXE (2 IoCs)
pid | Process
1800 | iqvw64e.exe
1800 | iqvw64e.exe
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (int) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1457469083" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" | 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe
Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3124 | vssadmin.exe
Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
5040 | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1800 | iqvw64e.exe
1800 | iqvw64e.exe
1800 | iqvw64e.exe
1800 | iqvw64e.exe
Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
1800 | iqvw64e.exe
1800 | iqvw64e.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe (PID 5900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
  - Drops file in Drivers directory
  - Checks system information in the registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 4936)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 5040)
          Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f
          - Modifies registry key
    C:\Windows\system32\cmd.exe (PID 4560)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\drivers\iqvw64e.exe (PID 1800)
          Command line: C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys
          - Sets service image path in registry
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 3160)
      Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe (PID 4468)
          Command line: net stop winmgmt /y
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe (PID 4280)
              Command line: C:\Windows\system32\net1 stop winmgmt /y
    C:\Windows\system32\cmd.exe (PID 3980)
      Command line: C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe (PID 3304)
          Command line: net start winmgmt /y
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe (PID 4860)
              Command line: C:\Windows\system32\net1 start winmgmt /y
    C:\Windows\system32\cmd.exe (PID 5376)
      Command line: C:\Windows\system32\cmd.exe /c cls >nul 2>&1
    C:\Windows\system32\cmd.exe (PID 4648)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 916)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 5204)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 2104)
      Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (PID 3124)
          Command line: vssadmin delete shadows /All /Quiet
          - Interacts with shadow copies
    C:\Windows\system32\cmd.exe (PID 5904)
      Command line: C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe (PID 3552)
          Command line: net stop winmgmt /Y
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe (PID 3976)
              Command line: C:\Windows\system32\net1 stop winmgmt /Y
    C:\Windows\system32\cmd.exe (PID 1336)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 2880)
      Command line: C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe (PID 468)
          Command line: netsh interface show interface
          - Event Triggered Execution: Netsh Helper DLL
        C:\Windows\system32\findstr.exe (PID 2456)
          Command line: findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"
    C:\Windows\system32\cmd.exe (PID 5764)
      Command line: C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe (PID 4636)
          Command line: netsh interface set interface "Ethernet" disable
          - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\svchost.exe (PID 4828)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\vssvc.exe (PID 2200)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 4888)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe (PID 5400)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads
Filesize: 142KB
MD5: 5ef5d6495806634c51c09f82a1682bdb
SHA1: e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
SHA256: 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
SHA512: aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d