Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
19/05/2025, 22:27
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe
-
Size
350KB
-
MD5
25463f79e21e27138373421cd7bdea42
-
SHA1
67aee5b6f576554cd0de5aeb6ae178255e8c9c38
-
SHA256
b67483bf0d1b04a7b19efec84bc693478528ac31680910accf5416b2202e1934
-
SHA512
a6e35e0ac9da94fbb32521f3e674990155bb443688fc0ddaea3ed0d5bf30521b8e5b239bafa13fe4807c988d46fce84d687385e6d5f90220c6c792d5ce962361
-
SSDEEP
6144:WRbJxH5LREs71nFuv8kyFJCEU/FGquohkg91DK:sxLKu1UaFJCEF9oJe
Malware Config
Extracted
phorphiex
http://185.156.72.39/
http://45.141.233.6/
TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
-
mutex
l9n7b5f2r
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
phorphiex
http://185.156.72.39
Signatures
-
Phorphiex family
-
Phorphiex payload 1 IoCs
resource yara_rule behavioral2/files/0x001400000002b1f9-10.dat family_phorphiex -
Downloads MZ/PE file 2 IoCs
flow pid Process 3 4944 4C5B.exe 1 5804 2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe -
Executes dropped EXE 5 IoCs
pid Process 4944 4C5B.exe 5036 519029359.exe 5084 syscrondvr.exe 4192 syscrondvr.exe 1600 1897733381.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syscrondvr.exe" 519029359.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\syscrondvr.exe 519029359.exe File created C:\Windows\syscrondvr.exe 519029359.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4C5B.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 519029359.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language syscrondvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1897733381.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 5804 wrote to memory of 4944 5804 2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe 82 PID 5804 wrote to memory of 4944 5804 2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe 82 PID 5804 wrote to memory of 4944 5804 2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe 82 PID 4944 wrote to memory of 5036 4944 4C5B.exe 84 PID 4944 wrote to memory of 5036 4944 4C5B.exe 84 PID 4944 wrote to memory of 5036 4944 4C5B.exe 84 PID 5036 wrote to memory of 5084 5036 519029359.exe 86 PID 5036 wrote to memory of 5084 5036 519029359.exe 86 PID 5036 wrote to memory of 5084 5036 519029359.exe 86 PID 5072 wrote to memory of 4192 5072 cmd.exe 88 PID 5072 wrote to memory of 4192 5072 cmd.exe 88 PID 5072 wrote to memory of 4192 5072 cmd.exe 88 PID 5084 wrote to memory of 1600 5084 syscrondvr.exe 89 PID 5084 wrote to memory of 1600 5084 syscrondvr.exe 89 PID 5084 wrote to memory of 1600 5084 syscrondvr.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_25463f79e21e27138373421cd7bdea42_black-basta_cobalt-strike_hijackloader_satacom.exe"1⤵
- Downloads MZ/PE file
- Suspicious use of WriteProcessMemory
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\4C5B.exe"C:\Users\Admin\AppData\Local\Temp\4C5B.exe"2⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\519029359.exeC:\Users\Admin\AppData\Local\Temp\519029359.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\syscrondvr.exeC:\Windows\syscrondvr.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\1897733381.exeC:\Users\Admin\AppData\Local\Temp\1897733381.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\syscrondvr.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\syscrondvr.exeC:\Windows\syscrondvr.exe2⤵
- Executes dropped EXE
PID:4192
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5c08cfa523c9377d3ae24fdb373b3ae13
SHA15289219770ad28b0fa4f0bdd91817f76bd6be222
SHA256326c70a965d4e642275c26cd913e268b1db89edd59b31a86ee600a7a9c664eb0
SHA512c91acd580ac832d5fed363a9a2b98b724a255d82e4fdda6eca62133feb5e60dd79a8caca36597a52bfbfa907a44208c48b15142e2e6020db219d14e970c3f57c
-
Filesize
10KB
MD50ec46393976eb51f307cc11d80bae845
SHA169d4cb168f3a1b97c37a0ba1519d0adb1ff7e245
SHA256252171bdaa35d19f872c165e861b03d347a4afb85d7a03d02f8eae09d191038d
SHA512803351760e3c422e4825103235e13085004b3418b483a2c646aafaef62b7212a1ba4ed28469134a236c5b6121e6a748ba958bbae2dbe4afe9f9f45704928d31f
-
Filesize
80KB
MD5f30fdbf3448f67cbc3566f31729cb7a6
SHA1fbf005c38f4a1c2e86817a2cb70406fc241f2c90
SHA25681783b558904becc5b86553faba9525070de5f43339766eb1c025bcfbfe1eef8
SHA512b428df2c8f8b4a002c8d7e1bfd9926e5cf95ee998688a2c360b8551e80be5bfbfa17ef210bea35f247da4a5c8a940fb5dba49f4786da9a74e5d001b771c8e9a8