Analysis
max time kernel: 150s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/05/2025, 08:30

Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win11-20250502-en

General
Target: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 796KB
MD5: a6706faee9b596ab1003002d11892d3a
SHA1: c9e225ff5c85726cae2d6c18c8146b364dd09418
SHA256: 82b33a1aca5648e9b5ce944920cf3be5f5f9dac2c913d68a66d6d55240fc0606
SHA512: f5963bf379932b99278e08bbada9346951caba78fa2dfcf3214c09dfa1857520b8fd599ae063fe4e3a6ba1c9615013b377b398ac416462ae938cbd807f33247c
SSDEEP: 12288:zENN+T5xYrllrU7QY6gubXcwafJcLln5QwnVWqqPIBONhxsU/E3:Z5xolYQY6gurP90r/xsU/E3
Malware Config
Signatures
-
Detects Mofksys worm (5 IoCs)
YARA rule family_mofksys matched these dropped files (behavioral2):
- behavioral2/files/0x001a00000002afcb-59.dat
- behavioral2/files/0x001a00000002afd3-68.dat
- behavioral2/files/0x001a00000002afd5-75.dat
- behavioral2/files/0x001a00000002afd7-83.dat
- behavioral2/files/0x001b00000002afd6-94.dat
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Both dropped copies rewrite the Winlogon shell value into a comma-separated list, so Winlogon starts the dropped c:\windows\system\explorer.exe alongside the real one at logon (the default value is just explorer.exe). The key sits under WOW6432Node because the sample is a 32-bit image and its HKLM\SOFTWARE writes are redirected; a hunt should query both the native and the WOW6432Node view.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\Windows\explorer.exe, c:\windows\system\explorer.exe" (process: explorer.exe)
- Set value (str): same key and value (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 makes Explorer hide files carrying both the hidden and system attributes ("protected operating system files") for the logged-on user, which conceals dropped files that carry those attributes.
- Set value (int): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): same key and value (process: svchost.exe)
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup runs a component's StubPath once per user at logon when the component is missing from (or newer than) the user's own Installed Components list. Two things stand out here: the component names are not valid GUIDs (they contain letters outside 0-9A-F), and the stub points into the user's roaming profile rather than a system directory. Note that svchost.exe deletes both keys again later in the run.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR" (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR" (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
Executes dropped EXE (8 IoCs)
- PID 848: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
- PID 5116: icsys.icn.exe
- PID 5864: explorer.exe
- PID 5984: spoolsv.exe
- PID 4700: svchost.exe
- PID 4956: spoolsv.exe
- PID 3516: explorer.exe
- PID 3768: svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
RunOnce entries are removed once they have run; the two cmd.exe /c ... RO roots in the process tree below carry exactly these values, consistent with the entries firing within the sandbox session.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\windows\system\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\windows\system\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\windows\system\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\windows\system\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
All drops go to c:\windows\system, the legacy directory, not to C:\Windows or C:\Windows\System32 where the genuine explorer.exe, spoolsv.exe and svchost.exe live; the directory, not the file name, is the tell.
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: icsys.icn.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- at.exe (3 times)
- 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe (2 times)
- icsys.icn.exe (1 time)
- explorer.exe (2 times)
- spoolsv.exe (2 times)
- svchost.exe (2 times)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated hits from three processes: 2 from PID 5116 (icsys.icn.exe), the remaining 62 split between PID 5864 (explorer.exe) and PID 4700 (svchost.exe).
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 5864: explorer.exe
- PID 4700: svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
Two hits from each of the following (PID 5864 appears twice, for four hits):
- PID 5716: 2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe
- PID 5116: icsys.icn.exe
- PID 5864: explorer.exe
- PID 5984: spoolsv.exe
- PID 4700: svchost.exe
- PID 4956: spoolsv.exe
- PID 3768: svchost.exe
- PID 3516: explorer.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Each parent-to-child write appears three times in the raw list; collapsed, with the report's target index in brackets:
- PID 5716 (2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe) wrote to PID 848 [78]
- PID 5716 (2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe) wrote to PID 5116 [79]
- PID 5116 (icsys.icn.exe) wrote to PID 5864 [80]
- PID 5864 (explorer.exe) wrote to PID 5984 [81]
- PID 5984 (spoolsv.exe) wrote to PID 4700 [82]
- PID 4700 (svchost.exe) wrote to PID 4956 [83]
- PID 4700 (svchost.exe) wrote to PID 4916 [88]
- PID 5040 (cmd.exe) wrote to PID 3516 [90]
- PID 5052 (cmd.exe) wrote to PID 3768 [91]
- PID 4700 (svchost.exe) wrote to PID 3248 [92]
- PID 4700 (svchost.exe) wrote to PID 2764 [94]
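The registry rows above reduce to four checks a detection engineer can run over registry-set telemetry: a Winlogon shell value that is not exactly explorer.exe, an Active Setup component whose name is not a well-formed GUID or whose StubPath lives in a user-writable directory, a Run/RunOnce entry pointing into c:\windows\system, and ShowSuperHidden being cleared. The Python below is an added example, not part of the Triage report or of the sample; it runs those checks over events constructed from the rows above plus two benign control rows so that it works offline. The event shape (path, data, process) and the benign Active Setup component used as a control are assumptions for the demo; real input would come from Sysmon Event ID 13 or the sandbox's JSON export.

```python
"""Checks for the registry persistence rows in this report (added example,
not part of the Triage output). EVENTS is constructed from the report's
"Set value" rows plus two benign control rows."""
import re

# Shape an Active Setup component name is expected to have.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Directory fragments no legitimate Active Setup stub should live under.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def norm(path):
    """Lower-case the key path, map the NT hive prefixes to hklm/hku and drop
    WOW6432Node so the 32-bit (redirected) and 64-bit views hit the same rule."""
    p = path.lower().replace("\\wow6432node", "")
    if p.startswith("\\registry\\machine\\"):
        return "hklm\\" + p[len("\\registry\\machine\\"):]
    m = re.match(r"\\registry\\user\\s-1-5-21-[\d-]+\\(.*)", p)
    return "hku\\" + m.group(1) if m else p


def check_event(ev):
    """Return [(rule, detail), ...] for one registry-set event."""
    path, data, proc = norm(ev["path"]), str(ev.get("data", "")), ev["process"]
    hits = []
    # 1. Winlogon\Shell must be exactly "explorer.exe"; a comma-separated list
    #    (as in the report) starts an extra program at every logon.
    if path.endswith("\\windows nt\\currentversion\\winlogon\\shell") \
            and data.strip().lower() != "explorer.exe":
        hits.append(("winlogon_shell", data))
    # 2. Active Setup: component name should be a real GUID and the stub
    #    should not live in a user-writable directory.
    m = re.search(r"\\active setup\\installed components\\(\{[^\\}]+\})\\stubpath$", path)
    if m:
        if not GUID_RE.match(m.group(1)):
            hits.append(("active_setup_bad_guid", m.group(1)))
        if any(frag in data.lower() for frag in USER_WRITABLE):
            hits.append(("active_setup_user_path", data))
    # 3. Run/RunOnce pointing into c:\windows\system (the legacy directory,
    #    not System32), where this family drops its copies.
    if re.search(r"\\currentversion\\run(once)?\\", path) \
            and "\\windows\\system\\" in data.lower():
        hits.append(("run_key_windows_system", data))
    # 4. ShowSuperHidden = 0 hides hidden+system files in Explorer.
    if path.endswith("\\explorer\\advanced\\showsuperhidden") and data == "0":
        hits.append(("hide_super_hidden", proc))
    return hits


def scan(events):
    """Group findings by rule across all events."""
    grouped = {}
    for ev in events:
        for rule, detail in check_event(ev):
            grouped.setdefault(rule, []).append(detail)
    return grouped


# Constructed: first four rows are taken from the report's IoCs, the last two
# are benign controls (default Shell value, a well-formed Active Setup entry).
EVENTS = [
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "data": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "process": "explorer.exe"},
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     "data": r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "process": "explorer.exe"},
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "data": r"c:\windows\system\svchost.exe RO", "process": "svchost.exe"},
    {"path": r"\REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": 0, "process": "svchost.exe"},
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": "explorer.exe", "process": "msiexec.exe"},
    {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}\StubPath",
     "data": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll", "process": "msiexec.exe"},
]

if __name__ == "__main__":
    for rule, details in scan(EVENTS).items():
        print(rule, details)
```

The four report rows each trip a rule and the two control rows trip none. Collapsing WOW6432Node in norm() is deliberate: the sample wrote every HKLM value through the 32-bit redirected view, and a rule keyed on the native path alone would miss all of it.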
Processes
Each entry is the recorded command line with its PID; children are indented under the parent that created them, and the signatures that fired in that process are listed beneath it.

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe"  (PID 5716)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    c:\users\admin\appdata\local\temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe  (PID 848)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\icsys.icn.exe  (PID 5116)
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        c:\windows\system\explorer.exe  (PID 5864)
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            c:\windows\system\spoolsv.exe SE  (PID 5984)
              - Executes dropped EXE
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                c:\windows\system\svchost.exe  (PID 4700)
                  - Modifies WinLogon for persistence
                  - Modifies visibility of hidden/system files in Explorer
                  - Boot or Logon Autostart Execution: Active Setup
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                    c:\windows\system\spoolsv.exe PR  (PID 4956)
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                    at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe  (PID 4916, image C:\Windows\SysWOW64\at.exe)
                      - System Location Discovery: System Language Discovery
                    at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe  (PID 3248, image C:\Windows\SysWOW64\at.exe)
                      - System Location Discovery: System Language Discovery
                    at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe  (PID 2764, image C:\Windows\SysWOW64\at.exe)
                      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO  (PID 5040)
  - Suspicious use of WriteProcessMemory
    c:\windows\system\explorer.exe RO  (PID 3516)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO  (PID 5052)
  - Suspicious use of WriteProcessMemory
    c:\windows\system\svchost.exe RO  (PID 3768)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

Notes on the tree:
- PID 848 runs from the sample's own path yet is flagged "Executes dropped EXE"; the Downloads section lists a 589KB file with different hashes at that path, so the 796KB sample replaced the file there before launching it.
- The dropped copies carry system-binary names but live in c:\windows\system, the legacy directory, not in C:\Windows or C:\Windows\System32 where the genuine explorer.exe, spoolsv.exe and svchost.exe reside. The single-word arguments (SE, PR, RO, MR) select the worm's role for each copy.
- at.exe is deprecated in favour of schtasks.exe; the report records the three invocations through the 32-bit C:\Windows\SysWOW64\at.exe but shows no resulting task.
- The two cmd.exe /c ... RO roots carry exactly the RunOnce values written under "Adds Run key to start application", consistent with those entries firing during the run.
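The tree above is the chain a responder has to rebuild from process-creation telemetry: binaries named like system components but executing from c:\windows\system, and at.exe scheduling one of them from inside that chain. The Python below is an added example, not part of the Triage report or of the sample; it reconstructs ancestry from (pid, ppid) records constructed from the tree above and flags both patterns. The expected-directory table (64-bit Windows 10/11 layout) and the use of ppid None for the roots the sandbox shows at depth 1 are assumptions for the demo; real records would come from Sysmon Event ID 1 or the sandbox's JSON export.

```python
"""Process-tree triage for the chain in this report (added example, not part
of the Triage output). PROCS is constructed from the report's process list."""
import ntpath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe")

# Where Windows ships binaries with these names (assumption for the demo:
# 64-bit Windows 10/11 layout). A same-named file anywhere else, such as the
# legacy c:\windows\system directory used here, is a masquerade.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def masquerade(image):
    """True if the file name is a known system binary but its directory is not
    one of the places Windows installs it. Strips the \\??\\ NT prefix."""
    image = image.lower().replace("\\??\\", "")
    name, parent = ntpath.basename(image), ntpath.dirname(image)
    return name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]


def legacy_scheduler(proc):
    """at.exe is deprecated in favour of schtasks.exe; this family uses it with
    /interactive and /every to relaunch its svchost.exe copy daily."""
    cmd = proc["cmdline"].lower()
    return ntpath.basename(proc["image"].lower()) == "at.exe" and (
        "/interactive" in cmd or "/every:" in cmd)


def ancestry(procs, pid):
    """Walk ppid links from pid to its root, child first. The visited set
    guards against PID reuse producing a loop."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def triage(procs):
    """Return [(pid, reasons, chain)] for every process that trips a rule."""
    out = []
    for p in procs:
        reasons = [r for r, fired in (("masquerade", masquerade(p["image"])),
                                      ("at_scheduler", legacy_scheduler(p))) if fired]
        if reasons:
            chain = " <- ".join(f"{q['pid']}:{ntpath.basename(q['image'])}"
                                for q in ancestry(procs, p["pid"]))
            out.append((p["pid"], reasons, chain))
    return out


def proc(pid, ppid, image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


AT = r"/interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"
PROCS = [  # constructed from the report's process tree
    proc(5716, None, SAMPLE, f'"{SAMPLE}"'),
    proc(848, 5716, SAMPLE),
    proc(5116, 5716, r"C:\Users\Admin\AppData\Local\icsys.icn.exe"),
    proc(5864, 5116, r"\??\c:\windows\system\explorer.exe"),
    proc(5984, 5864, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    proc(4700, 5984, r"\??\c:\windows\system\svchost.exe"),
    proc(4956, 4700, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    proc(4916, 4700, r"C:\Windows\SysWOW64\at.exe", "at 08:32 " + AT),
    proc(3248, 4700, r"C:\Windows\SysWOW64\at.exe", "at 08:33 " + AT),
    proc(2764, 4700, r"C:\Windows\SysWOW64\at.exe", "at 08:34 " + AT),
    proc(5040, None, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO"),
    proc(3516, 5040, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe RO"),
    proc(5052, None, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO"),
    proc(3768, 5052, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe RO"),
]

if __name__ == "__main__":
    for pid, reasons, chain in triage(PROCS):
        print(pid, reasons, chain)
```

Nine of the fourteen records are flagged: the six copies running from c:\windows\system and the three at.exe invocations. The ancestry string for PID 4916 runs back through svchost.exe, spoolsv.exe, explorer.exe and icsys.icn.exe to the original sample, which is the provenance a ticket needs; the two RunOnce-launched copies (3516, 3768) root at cmd.exe instead, and linking them to the sample requires the registry evidence rather than the process tree.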
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
Files written during the run. Only the first entry has a path in the report; the five 206-207KB entries are the same count as the five family_mofksys YARA matches above, though the report does not link them by name.

- C:\Users\Admin\AppData\Local\Temp\2025-05-20_a6706faee9b596ab1003002d11892d3a_black-basta_cobalt-strike_elex_luca-stealer.exe (same path as the Target, but 589KB instead of 796KB and with different hashes)
  Filesize: 589KB
  MD5: f8d95eb8c84c6de968a90496256180b1
  SHA1: 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535
  SHA256: d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de
  SHA512: 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

- (path not listed)
  Filesize: 4KB
  MD5: 2f17afdac3b6b12d045459de51bf23bf
  SHA1: 9833b18ad03775c8e0bfdd02edf070304da993f0
  SHA256: 84ad491dac9b752ecdd49ebdf0c616e7da8a404afb69979cccd27ce1fde0294d
  SHA512: 7a43abcffbb1f5ab7f69eb3b927c87973f271b4b9d999389cb20a1ec2388ad5c70ff0256ea2c9c42b8be27156e65b6ae2b1b4cfa197558d489a22ea137abc566

- (path not listed)
  Filesize: 207KB
  MD5: e9a8033ab8de7db2b2e38a4660d28c0f
  SHA1: 4c19b54a5867cf510713290629d694e89ed1a577
  SHA256: 5501e7f08d4d015d7aa2bba6182714d67bc53cc303356db9ce1e296c8216d136
  SHA512: 24c18dbca8e9685e65be88a312fc6fdfaa98b2f19833bcc90344682b7825c88b62295f02c5efa890b80266f6675cfcd54150d17af014ef75be1b6a8baa1bbdff

- (path not listed)
  Filesize: 206KB
  MD5: 21e4a53dceb8b4d98163d6730cbdb46b
  SHA1: bff408f2da489b9a4a42e010a5fe0ec29fa1d283
  SHA256: 72985246023aaebea36e14491ea8b4e25a4148d978efad60a1773131383f3763
  SHA512: 4e644815a9e9a14e9bae4087d41b8e7e9d2ca28f61784fb2dcbd63ebbd8f141409e6c22ced62672e424bf33fdbe9930d1ce65ba22cd2bf4199ef536e50d1f859

- (path not listed)
  Filesize: 206KB
  MD5: fe5eebc29761e754cdaf703b2ad357f7
  SHA1: 3216f408c4cf825a5864bf31c284722b8ff8a5dd
  SHA256: cb5f93a42663b918b8701c0c381d53e334013170fc27b9e36bdbaf3fe1014885
  SHA512: c7ce981dc7621de0f58e50399d3cf7d84ef091025fa029e8a3d37ac16e48b04e8daf023e86bb55c6c0ea2780ab560b9891980dd8925c47cc0960b8dd0b758cb4

- (path not listed)
  Filesize: 206KB
  MD5: 52ed03044ce375edd527560cb0bcd48b
  SHA1: 31aa3afc8cf077dba701de0324d29e6fe6b8fa5f
  SHA256: f3b34320a32110653b0986fc71f6f593824018289a402ac7e7aaf438ec511d7f
  SHA512: e8f6164c7f6e1fa5130ef6545d3ad166091f240b2a1f640ba0666e55407e3895687034a8ce172c406f3a459292c522c34636fd6924d90834ecc192d115c6b135

- (path not listed)
  Filesize: 207KB
  MD5: a9bd66f61f245d64dcbf1f11c20e4ea5
  SHA1: 5ef556521730cbb1dfb91be4546deee1cdbc43ca
  SHA256: bfa43ec06fe362903dfe9cf069eaa373641002565dbf76cd1dbed21f1b3e5962
  SHA512: f20ea78481e66c571abfc93509d4d3603f94bb1c1de39f80852c14a49bf176364c205c7b29e6658b55812658bbb3e26f9874618377181cd06420fca9e31ca0c6