Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-nmrxra1mz6
Target 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom
SHA256 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564
Tags defense_evasion execution impact persistence privilege_escalation ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 744bd44eb2f739b3951eda4819f1990ccf5c5cf164acccdc6996bbd5dc429564

Threat Level: Likely malicious

The file 2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution impact persistence privilege_escalation ransomware

Deletes shadow copies

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

Checks system information in the registry

Drops file in System32 directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Runs net.exe

Suspicious use of WriteProcessMemory

Modifies registry key

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: LoadsDriver

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-05-18 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-18 11:31

Reported 2025-05-18 11:33

Platform win10v2004-20250502-en

Max time kernel 15s

Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\iqvw64ehandle.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
File created C:\Windows\System32\drivers\iqvw64e.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dUGlonclitNKiiy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dUGlonclitNKiiy" C:\Windows\System32\drivers\iqvw64e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Checks system information in the registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (int) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1744081965" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3880 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1848 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3880 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 1500 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 3880 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 864 wrote to memory of 924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 924 wrote to memory of 1156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 924 wrote to memory of 1156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3880 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2924 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2360 wrote to memory of 1124 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2360 wrote to memory of 1124 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3880 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2344 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3880 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 4304 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4304 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4308 wrote to memory of 3040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4308 wrote to memory of 3040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3880 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5056 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5056 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5056 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 5056 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3880 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3932 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1

C:\Windows\System32\drivers\iqvw64e.exe

C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net start winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /Y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /Y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"

C:\Windows\system32\netsh.exe

netsh interface show interface

C:\Windows\system32\findstr.exe

findstr /i "{8406D01B-A38B-42F3-85C3-AB9F75B7FF1B}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable

C:\Windows\system32\netsh.exe

netsh interface set interface "Ethernet" disable

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\System32\drivers\iqvw64e.exe

MD5 5ef5d6495806634c51c09f82a1682bdb
SHA1 e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
SHA256 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
SHA512 aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d

C:\Windows\system32\wbem\repository\MAPPING2.MAP

MD5 da9092ea939d85bc72a755957a056376
SHA1 0aaea50cebb8c148dc1ecfe2811807c0d0d7059b
SHA256 0fa046947a6300b6f8a443bb4f502829b05b00cb9d6d59fc6e9c666b51c6b014
SHA512 375b490effee8ecaf8fc599a7a0a09f50c5717d448f9570c2f4ef03490570f84a6dec2326fea98ea8cb907ff781a1879e726d4a519608dd33a35ab5de62c7b7a

Analysis: behavioral2

Detonation Overview

Submitted 2025-05-18 11:31

Reported 2025-05-18 11:33

Platform win11-20250502-en

Max time kernel 17s

Max time network 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\iqvw64ehandle.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
File created C:\Windows\System32\drivers\iqvw64e.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RdymymQERGjRSvFrs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\RdymymQERGjRSvFrs" C:\Windows\System32\drivers\iqvw64e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Checks system information in the registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (int) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "1457469083" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Not Available" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "____" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "__________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "_______" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "______________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "_____________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "_______________________________________" C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe N/A
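
Added analyst note and example (not part of the sandbox output): although the two signatures above are titled "Checks ...", every row is a Set value event. The sample overwrites the CPU and BIOS identity strings under HKLM\HARDWARE\DESCRIPTION with placeholders ("Not Available", runs of underscores) and an implausible ~MHz, and, in the process list further down, rewrites HwProfileGuid with a value assembled from cmd's %random% that does not even have GUID shape. HKLM\HARDWARE is a volatile hive that the kernel rebuilds at boot, so a user-mode process writing there at all is unusual. The Python below was written for this note, runs on a constructed input set modelled on these rows (the two benign control rows are invented), and flags such writes; the key paths, placeholder patterns and MHz bounds are assumptions for illustration, not anything the report states.

```python
import re

# Constructed registry Set value events modelled on the rows in the two
# signature tables above and on the REG ADD in the process list; not
# captured from a host. Tuples are (key, value name, data).
SAMPLE_WRITES = [
    (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString", "Not Available"),
    (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "VendorIdentifier", "Not Available"),
    (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "~MHz", 1457469083),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", "__________________________________"),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "BaseBoardProduct", "_____________________"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001", "HwProfileGuid",
     "{1203910652-15811-24906-2142911939}"),
    # Two benign control rows with realistic-looking data (invented values).
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor", "American Megatrends Inc."),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001", "HwProfileGuid",
     "{3d1f2a9c-6b4e-4c8d-9a2b-0f1e2d3c4b5a}"),
]

HARDWARE_PREFIX = r"hklm\hardware\description\system"
# Windows stores HwProfileGuid as a braced 8-4-4-4-12 hex GUID.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Strings that carry no identity: "Not Available", N/A, unknown, runs of _ or -.
PLACEHOLDER_RE = re.compile(r"^(?:not available|n/?a|unknown|_+|-+)$", re.I)
# Assumed plausible range for the ~MHz DWORD the kernel fills in at boot.
MHZ_MIN, MHZ_MAX = 100, 20000


def check_write(key, name, data):
    """Classify one registry write as ('high'|'low', reason), or None if unremarkable."""
    k = key.lower()
    if k.startswith(HARDWARE_PREFIX):
        if name == "~MHz":
            if not isinstance(data, int) or not MHZ_MIN <= data <= MHZ_MAX:
                return ("high", f"implausible ~MHz={data!r} under {key}")
        elif isinstance(data, str) and PLACEHOLDER_RE.match(data.strip()):
            return ("high", f"placeholder {name}={data!r} under {key}")
        # HKLM\HARDWARE is volatile and populated by the kernel at boot; a
        # user-mode process writing here at all deserves a look.
        return ("low", f"user-mode write to volatile key {key}\\{name}")
    if name.lower() == "hwprofileguid":
        if not isinstance(data, str) or not GUID_RE.match(data):
            return ("high", f"malformed HwProfileGuid={data!r}, expected 8-4-4-4-12 hex")
    return None


def scan(writes):
    """Group findings by severity over a list of (key, name, data) writes."""
    out = {"high": [], "low": []}
    for w in writes:
        finding = check_write(*w)
        if finding:
            out[finding[0]].append(finding[1])
    return out


if __name__ == "__main__":
    for sev, reasons in scan(SAMPLE_WRITES).items():
        for r in reasons:
            print(f"[{sev}] {r}")
```

Feed it registry value-set events from a sandbox report or from Sysmon Event ID 13 after normalising the hive prefix to HKLM; the placeholder pattern and MHz bounds are starting points to tune against clean hosts, and the low-severity rule on any HKLM\HARDWARE write is the one that survives a sample that picks realistic-looking fake strings instead of underscores.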

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
N/A N/A C:\Windows\System32\drivers\iqvw64e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\drivers\iqvw64e.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5900 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5900 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 4560 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 4560 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\drivers\iqvw64e.exe
PID 5900 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3160 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4468 wrote to memory of 4280 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4468 wrote to memory of 4280 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5900 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3980 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3304 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3304 wrote to memory of 4860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5900 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5900 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5904 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5904 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3552 wrote to memory of 3976 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3552 wrote to memory of 3976 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5900 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2880 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 5900 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5900 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe C:\Windows\system32\cmd.exe
PID 5764 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5764 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1

C:\Windows\System32\drivers\iqvw64e.exe

C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul 2>&1

C:\Windows\system32\net.exe

net start winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt /y

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /Y > nul 2>&1

C:\Windows\system32\net.exe

net stop winmgmt /Y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /Y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface show interface | findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"

C:\Windows\system32\netsh.exe

netsh interface show interface

C:\Windows\system32\findstr.exe

findstr /i "{D0370B9C-5FB4-4127-9790-BBCE0A7F8328}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface set interface "Ethernet" disable

C:\Windows\system32\netsh.exe

netsh interface set interface "Ethernet" disable

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
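
Added analyst note and example (not from the sandbox or from the sample's author): everything the sample spawns after its own process is a built-in Windows binary (cmd.exe, reg.exe, net.exe, vssadmin.exe, netsh.exe), each wrapped in cmd /c with output sent to nul, so a detection has to key on command lines and on the shared ancestor rather than on image names. The one dropped executable, C:\Windows\System32\drivers\iqvw64e.exe, is an .exe in a directory that normally holds only .sys files, is passed a .sys path as its argument, and holds SeLoadDriverPrivilege (AdjustPrivilegeToken and LoadsDriver tables above), so the rule below treats that combination as a driver loader without claiming anything further about the file. The Python was written for this note; its events are constructed from the process list above in Sysmon Event ID 1 shape (PIDs taken from the WriteProcessMemory table, the two root parent PIDs and the benign control tree invented), and the rule names and alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events reduced from the process list above.
# PIDs come from the WriteProcessMemory table; ppid 1000/2000 and the benign
# control tree (7000/7001) are invented for the example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2025-05-18_01fd0cce549b50e9b0749b453cd47f37_black-basta_cobalt-strike_satacom.exe"
CMD = r"C:\Windows\system32\cmd.exe"
EVENTS = [
    {"pid": 5900, "ppid": 1000, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"pid": 4936, "ppid": 5900, "image": CMD,
     "cmd": r'cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f >nul 2>&1'},
    {"pid": 5040, "ppid": 4936, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {1203910652-15811-24906-2142911939} /f'},
    {"pid": 4560, "ppid": 5900, "image": CMD,
     "cmd": r"cmd.exe /c C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys > NUL 2>&1"},
    {"pid": 1800, "ppid": 4560, "image": r"C:\Windows\System32\drivers\iqvw64e.exe",
     "cmd": r"C:\Windows\System32\drivers\iqvw64e.exe C:\Windows\System32\drivers\iqvw64ehandle.sys"},
    {"pid": 3160, "ppid": 5900, "image": CMD, "cmd": "cmd.exe /c net stop winmgmt /y >nul 2>&1"},
    {"pid": 4468, "ppid": 3160, "image": r"C:\Windows\system32\net.exe", "cmd": "net stop winmgmt /y"},
    {"pid": 2104, "ppid": 5900, "image": CMD, "cmd": "cmd.exe /c vssadmin delete shadows /All /Quiet > nul 2>&1"},
    {"pid": 3124, "ppid": 2104, "image": r"C:\Windows\system32\vssadmin.exe", "cmd": "vssadmin delete shadows /All /Quiet"},
    {"pid": 5764, "ppid": 5900, "image": CMD, "cmd": 'cmd.exe /c netsh interface set interface "Ethernet" disable'},
    {"pid": 4636, "ppid": 5764, "image": r"C:\Windows\system32\netsh.exe", "cmd": 'netsh interface set interface "Ethernet" disable'},
    # Benign control: an administrator stopping the print spooler from a shell.
    {"pid": 7000, "ppid": 2000, "image": CMD, "cmd": "cmd.exe /c net stop spooler"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\net.exe", "cmd": "net stop spooler"},
]

# Command-line rules; each name is an assumed label, matched case-insensitively.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I)),
    ("wmi_service_stop", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+winmgmt\b", re.I)),
    ("nic_disable", re.compile(r"netsh(?:\.exe)?\s+interface\s+set\s+interface\b.*\bdisable\b", re.I)),
    ("hwprofileguid_rewrite", re.compile(r"\breg(?:\.exe)?\s+add\b.*hwprofileguid", re.I)),
]
# An .exe living under System32\drivers is odd on its own; with a .sys argument
# it looks like a loader for that driver.
EXE_IN_DRIVERS_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.exe$", re.I)


def match_event(ev):
    """Return the list of rule names one process-creation event triggers."""
    hits = [name for name, rx in RULES if rx.search(ev["cmd"])]
    if EXE_IN_DRIVERS_RE.search(ev["image"]) and re.search(r"\.sys\b", ev["cmd"], re.I):
        hits.append("exe_in_drivers_dir_with_sys_arg")
    return hits


def root_of(pid, by_pid):
    """Walk parent links to the topmost ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events, threshold=3):
    """Map each root PID to the sorted distinct techniques seen in its tree,
    keeping only trees that reach the threshold."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        for h in match_event(ev):
            hits[root_of(ev["pid"], by_pid)].add(h)
    return {root: sorted(h) for root, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for root, techniques in correlate(EVENTS).items():
        print(f"root pid {root}: {', '.join(techniques)}")
```

The cmd /c wrapper and the child it launches both match a rule, which is why hits are collected per root as a set rather than counted per event; the benign spooler tree scores zero because the wmi rule is pinned to winmgmt. Stopping winmgmt and deleting all shadow copies map to ATT&CK Service Stop (T1489) and Inhibit System Recovery (T1490); note that the svchost.exe writes to wbem\repository in the file table above follow directly from the winmgmt restart the sample forces.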

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Note: every destination listed is consistent with background Windows traffic in the sandbox (mDNS to 224.0.0.251:5353, a DNS lookup and HTTP fetch for c.pki.goog, TLS to tse1.mm.bing.net); no connection attributable to the sample itself was recorded. The sample also disables the "Ethernet" interface with netsh during the run, which limits what network behaviour a detonation can capture.

Files

C:\Windows\System32\drivers\iqvw64e.exe

MD5 5ef5d6495806634c51c09f82a1682bdb
SHA1 e8a8f7b076e5b04b47d4c940898a89c33dcabb4f
SHA256 37c6043ec99a4024b184124442e40a6c4002f09ffb68e88f96c01f8c6a6b6907
SHA512 aab652bf6e83e376cc4e3d20d143633269e183ea1d975729d99e7372e5666b1caab151a116f070cbb19527b72326da52d745fa06405b7da6472ca47dd4451d8d