Analysis
max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
  Resource: win11-20250502-en
General
Target: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 570KB
MD5: dd1ea1a45d735f01c91b4521239181e8
SHA1: c0b9abbbab48885ced30e4140c51532de6dfc3b5
SHA256: 101161ee2ae8203c00aa4c8cb5137cd19ddcda5519c7a30bd86494273c199a28
SHA512: 346b54168664d4fa087122f304a8b720b243137a438002c71f7c91748db59ed542f1ac464ffe76ac13d9ad77e4b6fd6a1f15ac7a5923e9f4d56019c37ba58f98
SSDEEP: 12288:zENN+T5xYrllrU7QY6L/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58Nb:Z5xolYQY61el3+s0DvfeUYqcZQCGm4Y2
Malware Config
Signatures
Detects Mofksys worm (5 IoCs)
- behavioral1/files/0x000d000000023f73-12.dat: family_mofksys
- behavioral1/files/0x0008000000024174-19.dat: family_mofksys
- behavioral1/files/0x0008000000024176-28.dat: family_mofksys
- behavioral1/files/0x0008000000024178-36.dat: family_mofksys
- behavioral1/files/0x0009000000024177-47.dat: family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
Executes dropped EXE (8 IoCs)
- PID 4540: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- PID 2664: icsys.icn.exe
- PID 3712: explorer.exe
- PID 952: spoolsv.exe
- PID 2064: svchost.exe
- PID 4000: spoolsv.exe
- PID 3048: explorer.exe
- PID 5016: svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: explorer.exe (2 events), svchost.exe (2 events), spoolsv.exe (2 events), at.exe (3 events), icsys.icn.exe (1 event), 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2664 icsys.icn.exe: 2 events
- PID 3712 explorer.exe: 32 events
- PID 2064 svchost.exe: 30 events
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3712 explorer.exe
- PID 2064 svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
- PID 4928 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (2 events)
- PID 2664 icsys.icn.exe (2 events)
- PID 3712 explorer.exe (4 events)
- PID 952 spoolsv.exe (2 events)
- PID 2064 svchost.exe (2 events)
- PID 4000 spoolsv.exe (2 events)
- PID 3048 explorer.exe (2 events)
- PID 5016 svchost.exe (2 events)
Suspicious use of WriteProcessMemory (33 IoCs)
Each parent-to-child write below was recorded three times (procid_target in parentheses).
- PID 4928 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe wrote to memory of 4540 (86)
- PID 4928 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe wrote to memory of 2664 (87)
- PID 2664 icsys.icn.exe wrote to memory of 3712 (88)
- PID 3712 explorer.exe wrote to memory of 952 (89)
- PID 952 spoolsv.exe wrote to memory of 2064 (90)
- PID 2064 svchost.exe wrote to memory of 4000 (92)
- PID 2064 svchost.exe wrote to memory of 1020 (97)
- PID 2180 cmd.exe wrote to memory of 3048 (99)
- PID 2948 cmd.exe wrote to memory of 5016 (100)
- PID 2064 svchost.exe wrote to memory of 4536 (120)
- PID 2064 svchost.exe wrote to memory of 748 (123)
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (PID 4928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (PID 4540)
    Command line: c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\icsys.icn.exe (PID 2664)
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe (PID 3712)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\spoolsv.exe (PID 952)
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe (PID 2064)
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe (PID 4000)
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe (PID 1020)
            Command line: at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\at.exe (PID 4536)
            Command line: at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\at.exe (PID 748)
            Command line: at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
C:\Windows\system32\cmd.exe (PID 2180)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (PID 3048)
    Command line: c:\windows\system\explorer.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe (PID 2948)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\svchost.exe (PID 5016)
    Command line: c:\windows\system\svchost.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
Six dropped files: C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (364KB) and five unnamed files of 206KB each.