| Field | Value |
|---|---|
| File name: | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom |
| Full analysis: | https://app.any.run/tasks/7e65060e-3655-4c08-a066-a0088ca5bf5d |
| Verdict: | Malicious activity |
| Analysis date: | May 18, 2025, 22:29:09 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 57F22956354CD8FD62AA0F7C06D5B085 |
| SHA1: | 8E9A753EB3BB14747152BB3526358934DD552178 |
| SHA256: | 721041A2C612EE5F758802265C8A93D1F6531BADC6748784D5F2643062F52E74 |
| SSDEEP: | 98304:VCYzBcEM56m/nzLZhfFa8NBNqV/edR2et4tGDX3K8aOroisuDg2+acSU5jqV5Hno:mHBqIpiv22a76 |
| Extension | Detected type (score) |
|---|---|
| .exe | InstallShield setup (57.6) |
| .exe | Win64 Executable (generic) (36.9) |
| .exe | Generic Win/DOS Executable (2.6) |
| .exe | DOS Executable Generic (2.6) |
| Field | Value |
|---|---|
| MachineType: | AMD AMD64 |
| TimeStamp: | 2025:05:18 05:19:05+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 173568 |
| InitializedDataSize: | 155648 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xce30 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 496 | C:\WINDOWS\system32\WerFault.exe -u -p 1660 -s 1212 | C:\Windows\System32\WerFault.exe | — | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Problem Reporting | 10.0.19041.1 (WinBuild.160101.0800) |
| 1660 | "C:\Users\admin\Desktop\2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe" | C:\Users\admin\Desktop\2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | admin | MEDIUM | 3221225477 | | | |
| 3900 | "C:\Users\admin\Desktop\2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe" | C:\Users\admin\Desktop\2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | | explorer.exe | admin | MEDIUM | 3221225477 | | | |
| 4008 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Activation Client | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_pkcs1_decode.pyd | executable | 8F5AF0BA701B493041777FC34185B7B7 | 4BE10912BFC5F2372CC030CC9EA94E83048683481FBD7F26BA7F95641AC9E9B4 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_blowfish.pyd | executable | C7F70FBFB429D18144BCEAFF5FCC268B | C883025EA591713C9C8CFA9DA76C528F7A75BDD0853B877A55C4C639DBAA595F |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_chacha20.pyd | executable | 0114E07B71F554D9696789BA4100062F | ECB6C3CCB37BEE0A8B2A5C31C15ACA500C6AEEDDE825A749479660F65CCED39D |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_ARC4.pyd | executable | 657643049554B6FF747D7FE645E4CCC7 | 0EC5270929B9A8E347BE684E2699D2C72A965B3304045475BBC06F3965CBC6B5 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_des.pyd | executable | 36836C859F54C2D6D6E7210E691B90D3 | 042DD37D6E721953EA7F4C9A2174DE9C57F6E9581636227724AC64B9318BA108 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_eksblowfish.pyd | executable | 3C9C5849066972AB584CC66CFC442E18 | 89092D82612BDFA7145E848EA326A579E6698A00866A077A3A24E846DAA76A73 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_cast.pyd | executable | 65FCF0C7D282BC4755BAFCDA6710F257 | 34627A78E8EDA0B6C517725839A0D34D4DB4D1D3602549F870330332B165A465 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_cbc.pyd | executable | EB16374178BC01AA8D747320F4F87B29 | 566FBD9C43DA57ABAAF3112C04D25DD42C46A0476FFA0E8F5845B2A63E3EFF99 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_ecb.pyd | executable | 360B2E66F14161CBAB45387EBDD3A6E3 | AB68361BCA3F5D49B6CDFC838D0B5E1B2B2BF161859EAEDD1F92CDA18EA0DF32 |
| 3900 | 2025-05-18_57f22956354cd8fd62aa0f7c06d5b085_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI39002\Crypto\Cipher\_raw_des3.pyd | executable | A03344A790C603C5D15820FB434E3ED9 | 3554BF2DC1556F81F19D51B54A2B634BFAEA8B610B131E9FFC36D07D10315CFA |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| — | — | 192.168.100.11:49750 | — | — | — | unknown |
| 2568 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4008 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |