Analysis
max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:30
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win11-20250502-en
General
Target: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 796KB
MD5: a6706faee9b596ab1003002d11892d3a
SHA1: c9e225ff5c85726cae2d6c18c8146b364dd09418
SHA256: 82b33a1aca5648e9b5ce944920cf3be5f5f9dac2c913d68a66d6d55240fc0606
SHA512: f5963bf379932b99278e08bbada9346951caba78fa2dfcf3214c09dfa1857520b8fd599ae063fe4e3a6ba1c9615013b377b398ac416462ae938cbd807f33247c
SSDEEP: 12288:zENN+T5xYrllrU7QY6gubXcwafJcLln5QwnVWqqPIBONhxsU/E3:Z5xolYQY6gurP90r/xsU/E3
Malware Config
Signatures
Detects Mofksys worm (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000024125-59.dat | family_mofksys
  behavioral1/files/0x000800000002412a-66.dat | family_mofksys
  behavioral1/files/0x000800000002412c-75.dat | family_mofksys
  behavioral1/files/0x000800000002412e-83.dat | family_mofksys
  behavioral1/files/0x000900000002412d-94.dat | family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (8 IoCs)
  pid | Process
  4992 | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  2572 | icsys.icn.exe
  2988 | explorer.exe
  3692 | spoolsv.exe
  1900 | svchost.exe
  4064 | spoolsv.exe
  384 | explorer.exe
  4484 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences (identical rows collapsed)
  2572 | icsys.icn.exe | 2
  2988 | explorer.exe | 32
  1900 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2988 | explorer.exe
  1900 | svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
  pid | Process | occurrences (identical rows collapsed)
  3168 | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe | 2
  2572 | icsys.icn.exe | 2
  2988 | explorer.exe | 4
  3692 | spoolsv.exe | 2
  1900 | svchost.exe | 2
  4064 | spoolsv.exe | 2
  384 | explorer.exe | 2
  4484 | svchost.exe | 2
Suspicious use of WriteProcessMemory (33 IoCs; each row was reported three times, collapsed here)
  description | pid | Process | procid_target
  PID 3168 wrote to memory of 4992 | 3168 | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe | 86
  PID 3168 wrote to memory of 2572 | 3168 | 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe | 87
  PID 2572 wrote to memory of 2988 | 2572 | icsys.icn.exe | 88
  PID 2988 wrote to memory of 3692 | 2988 | explorer.exe | 89
  PID 3692 wrote to memory of 1900 | 3692 | spoolsv.exe | 90
  PID 1900 wrote to memory of 4064 | 1900 | svchost.exe | 91
  PID 1900 wrote to memory of 4864 | 1900 | svchost.exe | 97
  PID 728 wrote to memory of 384 | 728 | cmd.exe | 99
  PID 1988 wrote to memory of 4484 | 1988 | cmd.exe | 100
  PID 1900 wrote to memory of 4148 | 1900 | svchost.exe | 121
  PID 1900 wrote to memory of 4928 | 1900 | svchost.exe | 124
Processes
[depth 1] PID 3168: C:\Users\Admin\AppData\Local\Temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [depth 2] PID 4992: \??\c:\users\admin\appdata\local\temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
      command line: c:\users\admin\appdata\local\temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [depth 2] PID 2572: C:\Users\Admin\AppData\Local\icsys.icn.exe
      command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [depth 3] PID 2988: \??\c:\windows\system\explorer.exe
        command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [depth 4] PID 3692: \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [depth 5] PID 1900: \??\c:\windows\system\svchost.exe
            command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [depth 6] PID 4064: \??\c:\windows\system\spoolsv.exe
              command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
          [depth 6] PID 4864: C:\Windows\SysWOW64\at.exe
              command line: at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
          [depth 6] PID 4148: C:\Windows\SysWOW64\at.exe
              command line: at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
          [depth 6] PID 4928: C:\Windows\SysWOW64\at.exe
              command line: at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
[depth 1] PID 728: C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    - Suspicious use of WriteProcessMemory
  [depth 2] PID 384: \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
[depth 1] PID 1988: C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    - Suspicious use of WriteProcessMemory
  [depth 2] PID 4484: \??\c:\windows\system\svchost.exe
      command line: c:\windows\system\svchost.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads