File name:

2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/b35fa0bd-10b5-4044-98e5-ff993932fc93
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:36:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: D38F0248E69E5FBB16A784CDFE13B28A
SHA1: CDF188DFFA6DDAF99741FF334DF3AB017F0FA2F5
SHA256: 124CD0E24109E4086CEEA2A2D2747073EAB31830FA7015290494684FD0C203D4
SSDEEP: 98304:R1T2Q6m+7y1jwCvu/f2Q127q1GNft2/5rTyfiElhiWWLmfJZIwq0MdghhcCmaiuX:8vkcsit7tQ7I3iCUU93QgBOGHvq26x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Process drops python dynamic module

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Process drops legitimate windows executable

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Application launched itself

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Loads Python modules

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • The process drops C-runtime libraries

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 5680)
    • Starts CMD.EXE for commands execution

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 4408)
      • cmd.exe (PID: 2616)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 1180)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6540)
    • The process checks if it is being run in the virtual environment

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Reads security settings of Internet Explorer

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7052)
    • Connects to unusual port

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Executes application which crashes

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 720)
  • INFO

    • The sample compiled with english language support

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Checks supported languages

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Reads the computer name

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
    • Create files in a temporary directory

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 6712)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2108)
      • WMIC.exe (PID: 6148)
      • WMIC.exe (PID: 3100)
      • WMIC.exe (PID: 1272)
    • Checks proxy server information

      • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID: 2152)
      • slui.exe (PID: 1012)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2108)
    • Reads the software policy settings

      • slui.exe (PID: 1012)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:15 09:50:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xe8e28
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Screenshots are available in the full report.
Total processes: 151
Monitored processes: 26
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph, in launch order ("no specs" marks nodes the graph shows without a detail card):
  • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
  • 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • find.exe (no specs)
  • werfault.exe (no specs)
  • slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 720 | CMD: C:\WINDOWS\system32\cmd.exe /c "sc query" | Path: C:\Windows\System32\cmd.exe | Parent: 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 900 | CMD: find /c /v "" | Path: C:\Windows\System32\find.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (grep) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID 1012 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 1180 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic nic get name" | Path: C:\Windows\System32\cmd.exe | Parent: 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 1272 | CMD: wmic diskdrive get caption | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 2096 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2108 | CMD: wmic cpu get caption | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 2108 (PID reused after the WMIC instance above exited) | CMD: reg query HKLM\SOFTWARE\VMware, Inc.\VMware Tools | Path: C:\Windows\System32\reg.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1 (reg query returns 1 when the key does not exist, so the VMware Tools probe came back negative on this guest)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2108 (PID reused again) | CMD: C:\WINDOWS\system32\WerFault.exe -u -p 2152 -s 1248 (Windows Error Reporting for the crash of PID 2152) | Path: C:\Windows\System32\WerFault.exe | Parent: 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID 2152 | CMD: "C:\Users\admin\Desktop\2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe" | Path: C:\Users\admin\Desktop\2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | Parent: 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe (PID 6712, which relaunched itself)
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the process crashed, which is what the WerFault.exe -p 2152 launch above reports)
Modules (images):
c:\users\admin\desktop\2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 6 527
Read events: 6 527
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 109
Suspicious files: 3
Text files: 21
Unknown types: 0

Dropped files

The ten files listed here (the full report counts 109 executable files) are native extension modules of the PyCryptodome package (Crypto\Cipher\*.pyd) that PID 6712 unpacked into _MEI67122, the temporary extraction directory a PyInstaller one-file bundle creates on start; this is what the "Process drops python dynamic module" indicator refers to.

PID | Process | Filename | Type
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_eksblowfish.pyd | executable
MD5: 3727271FE04ECB6D5E49E936095E95BC
SHA256: 3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_Salsa20.pyd | executable
MD5: F19CB847E567A31FAB97435536C7B783
SHA256: 1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_cfb.pyd | executable
MD5: 899895C0ED6830C4C9A3328CC7DF95B6
SHA256: 18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_chacha20.pyd | executable
MD5: DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA256: 68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_pkcs1_decode.pyd | executable
MD5: C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA256: 8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_aesni.pyd | executable
MD5: B6EA675C3A35CD6400A7ECF2FB9530D1
SHA256: 76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_des3.pyd | executable
MD5: DECF524B2D53FCD7D4FA726F00B3E5FC
SHA256: 58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_ocb.pyd | executable
MD5: 78AEF441C9152A17DD4DC40C7CC9DF69
SHA256: 56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_cbc.pyd | executable
MD5: 40390F2113DC2A9D6CFAE7127F6BA329
SHA256: 6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
6712 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI67122\Crypto\Cipher\_raw_blowfish.pyd | executable
MD5: B127CAE435AEB8A2A37D2A1BC1C27282
SHA256: 538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
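The process table and the dropped-file list above together describe one chain: the sample relaunches itself (PID 6712 to PID 2152), the child drives cmd.exe through sc query, find /c /v "", three WMIC hardware queries and a reg query for VMware Tools, then exits with 3221225477, while the parent has unpacked a PyInstaller bundle into _MEI67122. The following is an added example, not code from ANY.RUN or from the sample, of the triage logic an analyst would run over such process-creation records: it attributes each reconnaissance command to the nearest ancestor that is not a Windows system binary so the whole chain scores as one fingerprinting verdict instead of six unrelated hits, decodes the NTSTATUS exit code, and links a _MEI drop directory back to its bootloader PID. The event records are constructed from the table; the bootloader's parent PID 4242, the cmd.exe parent PIDs (2152) and the renumbered reg.exe PID 2109 are assumptions (the report names parent images, not PIDs, and reuses PID 2108 three times), and the ATT&CK technique labels, the three-rule threshold and the NTSTATUS table are this example's choices.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    exit_code: int | None = None


SAMPLE = r"C:\Users\admin\Desktop\sample.exe"  # stands in for the report's long file name
# Constructed from the report's process table; cmd.exe parents assumed to be 2152,
# PIDs kept unique although the report shows 2108 reused by three short-lived processes.
EVENTS = [
    ProcEvent(6712, 4242, SAMPLE, '"sample.exe"'),                        # bootloader (parent assumed)
    ProcEvent(2152, 6712, SAMPLE, '"sample.exe"', exit_code=3221225477),  # relaunched self, crashed
    ProcEvent(720, 2152, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "sc query"'),
    ProcEvent(900, 720, r"C:\Windows\System32\find.exe", r'find /c /v ""'),
    ProcEvent(5680, 2152, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "wmic cpu get caption"'),
    ProcEvent(2108, 5680, r"C:\Windows\System32\wbem\WMIC.exe", r"wmic cpu get caption"),
    ProcEvent(4408, 2152, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "wmic diskdrive get caption"'),
    ProcEvent(1180, 2152, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "wmic nic get name"'),
    ProcEvent(7052, 2152, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "reg query HKLM\SOFTWARE\VMware, Inc.\VMware Tools"'),
    ProcEvent(2109, 7052, r"C:\Windows\System32\reg.exe",  # PID renumbered from 2108
              r"reg query HKLM\SOFTWARE\VMware, Inc.\VMware Tools", exit_code=1),
]

# (rule, ATT&CK technique, pattern over the lower-cased command line)
RULES = [
    ("wmic_cpu", "T1082", re.compile(r"\bwmic\s+cpu\s+get\b")),
    ("wmic_disk", "T1082", re.compile(r"\bwmic\s+diskdrive\s+get\b")),
    ("wmic_nic", "T1082", re.compile(r"\bwmic\s+nic\s+get\b")),
    ("vmware_reg", "T1497.001", re.compile(r"\breg\s+query\b.*vmware")),
    ("service_enum", "T1007", re.compile(r"\bsc\s+query\b")),
    ("line_count", "T1007", re.compile(r'\bfind\s+/c\s+/v\s+""')),
]
SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.IGNORECASE)
MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}


def user_root(pid, by_pid):
    """Walk up the parent chain to the first image outside the system directory."""
    seen, last = set(), pid
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        last = pid
        if not SYSTEM_DIR.search(by_pid[pid].image):
            return pid
        pid = by_pid[pid].ppid
    return last  # parent not logged: attribute to the last process we do know


def triage(events):
    by_pid = {e.pid: e for e in events}  # real logs: key on ProcessGuid, PIDs recycle
    hits = defaultdict(dict)  # root pid -> {rule: technique}
    for ev in events:
        for rule, technique, rx in RULES:
            if rx.search(ev.cmdline.lower()):
                hits[user_root(ev.pid, by_pid)][rule] = technique
    verdicts = {}
    for root, matched in hits.items():
        techniques = sorted(set(matched.values()))
        # Hardware queries alone are common in installers; combined with a
        # hypervisor registry probe or a service count they read as fingerprinting.
        verdicts[root] = {"rules": sorted(matched), "techniques": techniques,
                          "sandbox_evasion": len(matched) >= 3 and len(techniques) >= 2}
    return verdicts


def decode_exit_code(code):
    """Sandbox/EDR output shows NTSTATUS exits unsigned: 3221225477 is 0xC0000005."""
    code &= 0xFFFFFFFF
    if code < 0xC0000000:
        return f"0x{code:08X}", "ordinary exit code"
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown NTSTATUS error")


def mei_owner(path, pids):
    """Map a PyInstaller _MEI<n> extraction dir to its bootloader PID. The report
    shows PID 6712 writing _MEI67122 (PID plus a digit); candidates are checked
    against known PIDs rather than trusting that naming blindly."""
    m = MEI_DIR.search(path)
    if not m:
        return None
    digits = m.group(1)
    for cut in range(len(digits) - 1, 0, -1):  # drop 1, 2, ... trailing digits
        if int(digits[:cut]) in pids:
            return int(digits[:cut])
    return None


if __name__ == "__main__":
    print(triage(EVENTS), decode_exit_code(3221225477), sep="\n")
```

Keying the process map on the bare PID is enough for the constructed records but not for a real log: this very report shows PID 2108 used by a WMIC, a reg.exe and a WerFault instance within seconds, so production code should key on a process GUID or (PID, creation time).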
HTTP(S) requests: 9
TCP/UDP connections: 43
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation (the Type and Size columns were not captured in this extract)
2152 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | GET | - | 47.109.177.97:1111 | http://47.109.177.97:1111/fNTU | unknown | unknown
1272 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
1272 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
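The only request in this table that is not Windows update or CRL traffic is the GET to 47.109.177.97:1111/fNTU from PID 2152, for which no HTTP code is recorded. As an added example, not part of the ANY.RUN report, the triage below scores such rows on the points an analyst checks by hand: bare-IP host, non-standard port, requesting process outside a trusted set, no response, and a four-character path whose checksum8 (sum of the ASCII bytes modulo 256) is 92 or 93, the values that Metasploit-style and Cobalt Strike HTTP stagers use for their initial download URI (92 for x86, 93 for x64). That checksum convention comes from public documentation of those tools, not from the report; the "cobalt-strike" tag in the sample's file name is the page's only link to it. The rows are constructed from the table; TRUSTED_PROCS, STANDARD_PORTS and the three-reason threshold are this example's assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRow:
    pid: int
    process: str
    method: str
    status: int | None  # None where the report shows no HTTP code
    url: str


# Constructed from the first three rows of the report's HTTP table.
ROWS = [
    HttpRow(2152, "2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe",
            "GET", None, "http://47.109.177.97:1111/fNTU"),
    HttpRow(1272, "SIHClient.exe", "GET", 200,
            "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    HttpRow(1272, "SIHClient.exe", "GET", 200,
            "http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl"),
]

STANDARD_PORTS = {80, 443, 8080}                  # assumption for this example
TRUSTED_PROCS = {"sihclient.exe", "svchost.exe"}  # assumption: Windows update/service hosts
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}         # Metasploit/Cobalt Strike initial-URI checksum8


def checksum8(text: str) -> int:
    """Sum of the ASCII byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def stager_arch(path: str) -> str | None:
    """Return 'x86'/'x64' if PATH looks like a 4-character stager URI, else None."""
    p = path.lstrip("/")
    if len(p) != 4 or not p.isalnum():
        return None
    return STAGER_CHECKSUMS.get(checksum8(p))


def triage(row: HttpRow) -> tuple[bool, list[str]]:
    """Collect reasons to look at a row; flag it when three or more apply."""
    u = urlsplit(row.url)
    reasons = []
    try:
        ipaddress.ip_address(u.hostname or "")
        reasons.append("bare-ip host")
    except ValueError:
        pass  # a real hostname, not an IP literal
    port = u.port or (443 if u.scheme == "https" else 80)
    if port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {port}")
    if row.process.lower() not in TRUSTED_PROCS:
        reasons.append("untrusted process")
    if row.status is None:
        reasons.append("no response recorded")
    arch = stager_arch(u.path)
    if arch:
        reasons.append(f"stager-style uri (checksum8 {checksum8(u.path.lstrip('/'))}, {arch})")
    return len(reasons) >= 3, reasons


if __name__ == "__main__":
    for row in ROWS:
        print(row.pid, row.url, *triage(row))
```

For /fNTU the bytes sum to 349, so checksum8 is 93; on its own that is a weak signal (one random 4-character path in 256 hits each value), which is why it is scored together with the bare IP, port 1111 and the missing response rather than used as a verdict.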

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation ("-" where the report shows no value)
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2152 | 2025-05-15_d38f0248e69e5fbb16a784cdfe13b28a_black-basta_cobalt-strike_satacom.exe | 47.109.177.97:1111 | - | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
1272 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1272 | SIHClient.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1272 | SIHClient.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted

DNS requests

Domain / resolved IPs / Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.129
  • 20.190.159.130
  • 40.126.31.3
  • 40.126.31.129
  • 20.190.159.131
  • 20.190.159.23
  • 40.126.31.0
whitelisted

Threats

No threats detected
No debug info