Analysis Overview
SHA256
7f54ae1177e630d021a39d99f9d0f85fbc20c0ca0ded98025da24a57fde6e009
Threat Level: Shows suspicious behavior
The file 2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar was rated "Shows suspicious behavior". The family names in the submitted filename (black-basta, cobalt-strike, luca-stealer, satacom, vidar) come from the submission name, not from a sandbox classification; no family signature fired in either run. What both runs actually record is that the sample, executing from the user's Temp directory, enables SeTakeOwnershipPrivilege (the privilege an administrator needs to take over a TrustedInstaller-owned file), opens C:\Windows\System32\alg.exe (the Application Layer Gateway Service binary) for modification, and then executes it.
Malicious Activity Summary
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-07-02 18:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 18:53
Reported
2025-07-02 18:56
Platform
win10v2004-20250619-en
Max time kernel
101s
Max time network
137s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
tse1.mm.bing.net (a Bing image CDN) and c.pki.goog (Google's certificate and CRL distribution host) are contacted by Windows and Chromium-based browsers on their own. The table attributes no process to these connections, so none of them can be read as the sample's command-and-control from this report alone.
Files
memory/1220-0-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1220-1-0x0000000000180000-0x00000000001E0000-memory.dmp
memory/1220-9-0x0000000000180000-0x00000000001E0000-memory.dmp
memory/1220-13-0x0000000000180000-0x00000000001E0000-memory.dmp
memory/1220-14-0x0000000140000000-0x000000014010C000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 9b8fc6843da7722f5bc646543e1a22cd |
| SHA1 | 2bae4882c043a4d14ce15f7171ab93748780d71e |
| SHA256 | 9cedcab805bb8a8291076ad7c81732f445b52313b68b892dc0a15b7f301b1b06 |
| SHA512 | 782ca1366c0ef0253ea6c06ac1a1db74674841371967b2beaa51a423374734e739922640f77dcbbcd7379a88c3115e9ce575b520e12708ae4c780148178e80c7 |
memory/4972-16-0x0000000140000000-0x00000001400AA000-memory.dmp
memory/4972-17-0x0000000140000000-0x00000001400AA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 18:53
Reported
2025-07-02 18:56
Platform
win11-20250610-en
Max time kernel
39s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | N/A |
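The three signatures above (privilege adjustment, System32 write, execution of the written file) are the same in behavioral1 and behavioral2, and only mean something when read as one chain. The script below is an added example, not part of the sandbox report or its tooling: it replays a constructed event list built from the behavioral1 rows through a small set of rules and returns a verdict. The Event model, the rule names, the severity scale and the BACKGROUND_NOISE host list are assumptions made for this illustration.

```python
"""Triage rules for the chain the report's signatures describe: a process
in a user-writable directory enables an ownership privilege, modifies a
System32 binary, and that binary is then executed.

Added example, not part of the sandbox report. The Event model, rule names
and the BACKGROUND_NOISE list are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Directories a standard user can write to (substring match, case-insensitive).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
# Protected system directories; binaries here are owned by TrustedInstaller.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Privileges that let an administrator get around the TrustedInstaller DACL.
OWNERSHIP_PRIVS = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}
# Hosts Windows and browsers contact on their own (assumed list for this example).
BACKGROUND_NOISE = {"tse1.mm.bing.net", "c.pki.goog"}


@dataclass
class Event:
    kind: str          # "priv_adjust", "file_write", "proc_create" or "net"
    process: str       # image path of the acting process ("" if unattributed)
    target: str = ""   # file written, child image, or contacted hostname
    detail: str = ""   # privilege name for priv_adjust


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Walk events in order; return findings, each with a rule name and severity."""
    findings: List[Dict[str, str]] = []
    modified: Dict[str, str] = {}        # lower-cased system binary -> writer process
    ownership_holders: Set[str] = set()  # processes that enabled an ownership privilege

    for ev in events:
        if ev.kind == "priv_adjust" and ev.detail in OWNERSHIP_PRIVS:
            ownership_holders.add(ev.process.lower())
            sev = "medium" if in_user_writable(ev.process) else "low"
            findings.append({"rule": "ownership privilege enabled", "severity": sev,
                             "evidence": f"{ev.process} enabled {ev.detail}"})
        elif ev.kind == "file_write" and in_system_dir(ev.target) and not in_system_dir(ev.process):
            modified[ev.target.lower()] = ev.process
            # A writer that also took ownership bypassed the DACL on purpose.
            sev = "high" if ev.process.lower() in ownership_holders else "medium"
            findings.append({"rule": "system binary modified", "severity": sev,
                             "evidence": f"{ev.process} wrote {ev.target}"})
        elif ev.kind == "proc_create" and ev.target.lower() in modified:
            findings.append({"rule": "modified system binary executed", "severity": "high",
                             "evidence": f"{ev.target} (written earlier by {modified[ev.target.lower()]})"})
        elif ev.kind == "net":
            sev = "info" if ev.target.lower() in BACKGROUND_NOISE else "review"
            findings.append({"rule": "network contact", "severity": sev,
                             "evidence": f"{ev.process or 'unattributed'} -> {ev.target}"})
    return findings


SEVERITY_ORDER = ("info", "low", "review", "medium", "high")


def verdict(findings: List[Dict[str, str]]) -> str:
    """Highest severity present, or "info" when there are no findings."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="info")


# Constructed from the behavioral1 signature rows and network table.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9"
          "_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe")
ALG = "C:\\Windows\\System32\\alg.exe"
REPORT_EVENTS = [
    Event("priv_adjust", SAMPLE, detail="SeTakeOwnershipPrivilege"),
    Event("file_write", SAMPLE, target=ALG),
    Event("proc_create", SAMPLE, target=ALG),
    Event("net", "", target="tse1.mm.bing.net"),
    Event("net", "", target="c.pki.goog"),
]

if __name__ == "__main__":
    results = triage(REPORT_EVENTS)
    for f in results:
        print(f"[{f['severity']:>6}] {f['rule']}: {f['evidence']}")
    print("verdict:", verdict(results))
```

The point of the rule order is that a write into System32 only escalates to "high" when the same process enabled an ownership privilege first; a servicing process that already lives in System32 writing there produces no finding at all. On a live host the equivalent check is to compare C:\Windows\System32\alg.exe against a known-good hash and confirm its Authenticode signature and TrustedInstaller ownership, since the two runs here produced alg.exe files with different hashes on different Windows builds.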
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e6f4a9a6109a801eb01bfebc1edfe6e9_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
Network
Files
memory/1456-0-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1456-1-0x0000000000530000-0x0000000000590000-memory.dmp
memory/1456-9-0x0000000000530000-0x0000000000590000-memory.dmp
memory/1456-12-0x0000000000530000-0x0000000000590000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | b5a6c01a6861f3d8bc567c121ff90e84 |
| SHA1 | 1d59eb4798e52c211df3f68a26b7acf481b24556 |
| SHA256 | 4df615bb0218e9b2b41a61608287c9706cc50f6247868e0d147879485bdf069f |
| SHA512 | 0ea00cba81185e8b427fd3edff5df82ae1e9c2410d789585e6e06cabb04fcb9eafcb5267f4decb7f237a92ef28b1958acd10db8d3b2ce66f3394116faaccd776 |
memory/1456-14-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3876-16-0x0000000140000000-0x00000001400AA000-memory.dmp
memory/3876-17-0x0000000140000000-0x00000001400AA000-memory.dmp