Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/05/2025, 08:33

General

  • Target

    2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe

  • Size

    570KB

  • MD5

    dd1ea1a45d735f01c91b4521239181e8

  • SHA1

    c0b9abbbab48885ced30e4140c51532de6dfc3b5

  • SHA256

    101161ee2ae8203c00aa4c8cb5137cd19ddcda5519c7a30bd86494273c199a28

  • SHA512

    346b54168664d4fa087122f304a8b720b243137a438002c71f7c91748db59ed542f1ac464ffe76ac13d9ad77e4b6fd6a1f15ac7a5923e9f4d56019c37ba58f98

  • SSDEEP

    12288:zENN+T5xYrllrU7QY6L/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58Nb:Z5xolYQY61el3+s0DvfeUYqcZQCGm4Y2

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4928
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4540
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3712
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:952
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2064
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4000
            • C:\Windows\SysWOW64\at.exe
              at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1020
            • C:\Windows\SysWOW64\at.exe
              at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4536
            • C:\Windows\SysWOW64\at.exe
              at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:748
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3048
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2948
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5016

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 

          Filesize

          364KB

          MD5

          38f18ebb5b81b4481b732f68d2b9fe90

          SHA1

          eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0

          SHA256

          a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b

          SHA512

          9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          619df4382c6cfae46e3d2a4186dd10bf

          SHA1

          2f6d85478598aae450494e8a6eace1e7d3992a70

          SHA256

          6ba1c5b5668d58a66604f963f4c70158cf1674c20f97c9de56e32ddd698348f7

          SHA512

          320f86637192be6d9d7c8ef1cd4802c3636f6141c4c8f5cc5e76d0b273cd841a8efb91d52d55f19dcd476895e4bbea4b8eb10979caddf0e20bd4031d77a78da1

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          f4595155a48e124738bf682637c60051

          SHA1

          a46cae0a89c38d9dedf8ab643925d854291168c6

          SHA256

          cf96ca7526250c68d9a4e68be936766ebd5e321b344ac42f8aaf4f9d9e54b181

          SHA512

          464ed1be1130d032982c389e6aaffb38980758c9e58bdc69d92a95523b26336da55c8a978a1a631746bbd61641f66083fda9a5e793121eef9bbed6d6790e7eaf

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          27c1f9cf16b37d08ad6703571c0c56ab

          SHA1

          8baea51bdd415695a2ca3d57a0e7618f1016708b

          SHA256

          e5402be78e78cbdb7e802a3cba8731ab4a13988d5c7d2e0f0a5b361f214b0d3b

          SHA512

          5b1da3f115cedcc4a878aaaf4ffbf243b85c96a88ad0fa43b9386b3a1187837a88a4c914208eeeab90ada366dafcc2b61347fc6605eaa48519fab4ca53a50c4d

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          73c07eb6923504f46918ee79502c039b

          SHA1

          b65bd39e614c393d1bb4bcff6e0f1b285b44d83f

          SHA256

          fbe1a1e24d2e7dc34c7bbcb47d47b4f92b5de60bab363e5a41982707c722b865

          SHA512

          c521fae39677a98faadf4628f78a3cd0b2bae5b8bf5f8785fc008866f78ee44c193891fe167b347fe6d060c56ae85016ca1d14834ff226aa5f7b1f4affa337d1

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

          MD5

          438f7be24204b8a2307ba34196ab34d8

          SHA1

          a0f6deb9739db66020e6e39bcca45dae9608235f

          SHA256

          687e0ab49e72ac51d9f6d85222d55c783209d79edfdd631de3a52cee653f18fd

          SHA512

          d1457cfc7f3343187ebf2c376c41b24b1ca96fe1bf5f4f344851ceee906ffeafc272e123fac59c91705bcc57eeca2a3b3adfb4403197951d878fffb34e860c32