| File name: | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom |
| Full analysis: | https://app.any.run/tasks/8cb9f6d3-483a-4223-9b3f-f065c53c176c |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2025, 02:17:08 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | E062403CC2BB29C1B528311DC7CFFD0E |
| SHA1: | 9EB70C1E13F1F612466FF8EF20E3BAE9E1932383 |
| SHA256: | E9C0ADB7671A01D5C0D5DF559526C9930CAF2AB8BBF4D1926DE738E53DA90982 |
| SSDEEP: | 98304:TjsBHzPnvEAEZGPBzJx7WQizOMAu8PHieEM1SBkyZiJYfpx7AHHWWmOOei8yRS48:kOjhHbxrWvzPuUq6ERaqT2yaRukG |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops legitimate windows executable
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
The process drops C-runtime libraries
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
Process drops python dynamic module
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
Application launched itself
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
Executable content was dropped or overwritten
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
Loads Python modules
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
Starts CMD.EXE for commands execution
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
INFO
Checks supported languages
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
Create files in a temporary directory
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
Reads the computer name
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
Reads the machine GUID from the registry
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
The sample compiled with english language support
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 2108)
Checks operating system version
- 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe (PID: 5416)
Checks proxy server information
- slui.exe (PID: 3132)
Reads the software policy settings
- slui.exe (PID: 3132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:05:08 22:25:16+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.32 |
| CodeSize: | 165888 |
| InitializedDataSize: | 154112 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xafa0 |
| OSVersion: | 5.2 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
Total processes
128
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2108 | "C:\Users\admin\Desktop\2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe" | C:\Users\admin\Desktop\2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 3132 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3240 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5204 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5416 | "C:\Users\admin\Desktop\2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe" | C:\Users\admin\Desktop\2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | — | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
Total events
6 474
Read events
6 474
Write events
0
Delete events
0
Modification events
Executable files
94
Suspicious files
3
Text files
40
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_pkcs1_decode.pyd | executable | |
MD5:3EFFD59CD95B6706C1F2DD661AA943FC | SHA256:4C29950A9EDEDBBC24A813F8178723F049A529605EF6D35F16C7955768AACE9E | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_aes.pyd | executable | |
MD5:671100B821EB357CEB5A4C5FF86BC31A | SHA256:803E46354CDAB4AF6FF289E98DE9C56B5B08E3E9AD5F235D5A282005FA9F2D50 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_aesni.pyd | executable | |
MD5:DCD2F68680E2FB83E9FEFA18C7B4B3E0 | SHA256:D63F63985356B7D2E0E61E7968720FB72DC6B57D73BED4F337E372918078F946 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_cbc.pyd | executable | |
MD5:FE44F698198190DE574DC193A0E1B967 | SHA256:32FA416A29802EB0017A2C7360BF942EDB132D4671168DE26BD4C3E94D8DE919 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_chacha20.pyd | executable | |
MD5:ED1BBDC7CC945DA2D1F5A914987EB885 | SHA256:1EECE2F714DC1F520D0608F9F71E692F5B269930603F8AFC330118EA38F16005 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_ARC4.pyd | executable | |
MD5:D9F2264898AAAA9EF6152A1414883D0F | SHA256:836CBA3B83B00427430FE6E1C4E45790616BC85C57DBD6E6D5B6930A9745B715 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_des3.pyd | executable | |
MD5:D892F9D789C22787D846E405D0240987 | SHA256:100CD322EA2F8E3997432D6E292373F3A07F75818C7802D7386E9810BEE619B0 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_cfb.pyd | executable | |
MD5:FF64FD41B794E0EF76A9EEAE1835863C | SHA256:5D2D1A5F79B44F36AC87D9C6D886404D9BE35D1667C4B2EB8AAB59FB77BF8BAC | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_cast.pyd | executable | |
MD5:243E336DEC71A28E7F61548A2425A2E1 | SHA256:BF53063304119CF151F22809356B5B4E44799131BBAB5319736D0321F3012238 | |||
| 2108 | 2025-05-17_e062403cc2bb29c1b528311dc7cffd0e_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\Crypto\Cipher\_raw_ecb.pyd | executable | |
MD5:F94726F6B584647142EA6D5818B0349D | SHA256:B98297FD093E8AF7FCA2628C23A9916E767540C3C6FA8894394B5B97FFEC3174 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
5
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5576 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3132 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |