Analysis

max time kernel: 102s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:52

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe
Resource: win10v2004-20250610-en
5 signatures, 150 seconds
General

Target: 2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe
Size: 384KB
MD5: d1f08270aef15c56817668da818cdb52
SHA1: 35995b070834a9a5c7217309c0a86aa6c91f9458
SHA256: a8caf1a05ad226b96cf839917deb690e604b15cc7fa1bdac18753677b10f7156
SHA512: de15a43b0c408b8a1d6b05e78db361c12adce470d986c1d16df68a862211f3c95d2e6fba7f05eb1ff5ab8af3bdcc7fc5ca3ff2d439c42461fb11bd46ffdaeb6c
SSDEEP: 6144:gUORK1ttbV3kSobTYZGiNdninoh+uiSdK4b/OHIm/I3A/D6zgLP+b:gytbV3kSoXaLnOosJR5/IQ/DB4
Score: 3/10
Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
752   PING.EXE
3864  cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
752   PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
5752  2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe
5752  2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  5752  2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                                                                    procid_target
PID 5752 wrote to memory of 3864  5752  2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe  85
PID 5752 wrote to memory of 3864  5752  2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe  85
PID 3864 wrote to memory of 752   3864  cmd.exe                                                                                    87
PID 3864 wrote to memory of 752   3864  cmd.exe                                                                                    87
Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe"
  PID: 5752
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe"
    PID: 3864
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 6000
      PID: 752
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
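What the process tree above actually shows, and how to catch it in endpoint telemetry, as an added example that is not part of the sandbox report. The PING.EXE child is not a connectivity check in the usual sense: `ping 1.1.1.1 -n 1 -w 6000 > Nul` is a delay (a single echo request with a 6-second reply timeout) that gives the parent time to exit before `Del` removes its own executable from Temp, a standard self-deletion idiom in loaders and droppers. The Python below is my code, not the sandbox's. It walks constructed process-creation events that copy the report's PIDs, images and command lines, and flags a cmd.exe whose command line chains ping into a del whose target is the parent's own image path. The parent of PID 5752 (explorer.exe, PID 8000) and the two benign cmd.exe rows are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in Sysmon event-ID-1 style (not sandbox
# output). PID, image and command line of the three malicious rows are copied
# from the report's process tree; the parent of 5752 (explorer.exe, PID 8000)
# and the two benign cmd.exe rows are assumptions made for this example.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp\2025-07-02_"
              r"d1f08270aef15c56817668da818cdb52_black-basta_cobalt-strike_satacom_vidar.exe")
EVENTS = [
    {"pid": 8000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5752, "ppid": 8000, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 3864, "ppid": 5752, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": f'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "{SAMPLE_EXE}"'},
    {"pid": 752, "ppid": 3864, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 6000"},
    # Benign: same sleep-then-delete shape, but the target is not the parent image.
    {"pid": 9001, "ppid": 8000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2 > nul & del "C:\Temp\old.log"'},
    # Benign: a plain connectivity check with no delete at all.
    {"pid": 9002, "ppid": 8000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 1.1.1.1 -n 1"},
]

# "ping <anything up to &> & del|erase [/switches] <path>": the ping is the
# sleep, the del is the payload. cmd.exe is case-insensitive, so are we.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&&?\s*(?:del|erase)\b(?:\s+/[a-z])*\s+"?(?P<target>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE,
)
# The ping arguments, cut at the first redirect or command separator.
PING_RE = re.compile(r'\bping\s+(?P<args>[^&>|]+)', re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: drop quotes/whitespace, fold case."""
    return path.strip().strip('"').lower()


def ping_wait_bound_ms(cmdline: str) -> Optional[int]:
    """Approximate upper bound on how long the ping keeps cmd.exe busy:
    request count (-n, default 4) times per-reply timeout (-w, default 4000 ms).
    The inter-request pause ping adds when replies arrive is ignored."""
    m = PING_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    count, timeout = 4, 4000
    for i, a in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if a.lower() == "-n" and nxt.isdigit():
            count = int(nxt)
        elif a.lower() == "-w" and nxt.isdigit():
            timeout = int(nxt)
    return count * timeout


def detect_self_delete(events: List[dict]) -> List[dict]:
    """One finding per cmd.exe whose command line sleeps via ping and then
    deletes the image of its own parent process."""
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _norm(m.group("target")) != _norm(parent["image"]):
            continue
        findings.append({
            "cmd_pid": e["pid"],
            "parent_pid": parent["pid"],
            "deleted_image": parent["image"],
            "sleep_bound_ms": ping_wait_bound_ms(e["cmdline"]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_self_delete(EVENTS):
        print(finding)
```

Against the constructed events this fires once, on PID 3864 deleting the image of PID 5752 with a sleep bound of 6000 ms, and stays quiet on the two benign rows. The match is deliberately narrow: it keys on the ping-then-del shape seen in this report and will not catch `timeout /t`, `choice /t`, or a delete issued from a second dropped script, and an 8.3 short name or a different drive mapping for the same file would defeat the exact path comparison, so in production compare on a canonical path and treat any cmd.exe child that deletes its parent's image, whatever the delay mechanism, as the signal.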