Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows11-21h2_x64
- resource: win11-20250502-en
- resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/05/2025, 08:33
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- Resource: win11-20250502-en
General
- Target: 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- Size: 570KB
- MD5: dd1ea1a45d735f01c91b4521239181e8
- SHA1: c0b9abbbab48885ced30e4140c51532de6dfc3b5
- SHA256: 101161ee2ae8203c00aa4c8cb5137cd19ddcda5519c7a30bd86494273c199a28
- SHA512: 346b54168664d4fa087122f304a8b720b243137a438002c71f7c91748db59ed542f1ac464ffe76ac13d9ad77e4b6fd6a1f15ac7a5923e9f4d56019c37ba58f98
- SSDEEP: 12288:zENN+T5xYrllrU7QY6L/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58Nb:Z5xolYQY61el3+s0DvfeUYqcZQCGm4Y2
Malware Config
Signatures

Detects Mofksys worm (5 IoCs)
resource / yara_rule:
- behavioral2/files/0x001a00000002b0f5-12.dat: family_mofksys
- behavioral2/files/0x001a00000002b0fb-19.dat: family_mofksys
- behavioral2/files/0x001a00000002b102-27.dat: family_mofksys
- behavioral2/files/0x001a00000002b105-37.dat: family_mofksys
- behavioral2/files/0x001b00000002b103-47.dat: family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)

Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
Executes dropped EXE (8 IoCs)
pid / Process:
- 5952 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- 2988 icsys.icn.exe
- 3576 explorer.exe
- 2684 spoolsv.exe
- 4608 svchost.exe
- 4956 spoolsv.exe
- 4932 svchost.exe
- 4992 explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
Drops file in Windows directory (6 IoCs)
description / ioc / Process:
- File opened for modification: \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (icsys.icn.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (explorer.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (at.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (at.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (at.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (icsys.icn.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 2988 icsys.icn.exe
- 2988 icsys.icn.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4608 svchost.exe
- 4608 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
- 3576 explorer.exe
- 4608 svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid / Process:
- 3636 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- 3636 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
- 2988 icsys.icn.exe
- 2988 icsys.icn.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 2684 spoolsv.exe
- 2684 spoolsv.exe
- 4608 svchost.exe
- 4608 svchost.exe
- 4956 spoolsv.exe
- 4956 spoolsv.exe
- 3576 explorer.exe
- 3576 explorer.exe
- 4932 svchost.exe
- 4932 svchost.exe
- 4992 explorer.exe
- 4992 explorer.exe
Suspicious use of WriteProcessMemory (33 IoCs)
description / pid / Process / procid_target:
- PID 3636 wrote to memory of 5952 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 78)
- PID 3636 wrote to memory of 5952 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 78)
- PID 3636 wrote to memory of 5952 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 78)
- PID 3636 wrote to memory of 2988 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 79)
- PID 3636 wrote to memory of 2988 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 79)
- PID 3636 wrote to memory of 2988 (pid 3636, 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe, procid_target 79)
- PID 2988 wrote to memory of 3576 (pid 2988, icsys.icn.exe, procid_target 80)
- PID 2988 wrote to memory of 3576 (pid 2988, icsys.icn.exe, procid_target 80)
- PID 2988 wrote to memory of 3576 (pid 2988, icsys.icn.exe, procid_target 80)
- PID 3576 wrote to memory of 2684 (pid 3576, explorer.exe, procid_target 81)
- PID 3576 wrote to memory of 2684 (pid 3576, explorer.exe, procid_target 81)
- PID 3576 wrote to memory of 2684 (pid 3576, explorer.exe, procid_target 81)
- PID 2684 wrote to memory of 4608 (pid 2684, spoolsv.exe, procid_target 82)
- PID 2684 wrote to memory of 4608 (pid 2684, spoolsv.exe, procid_target 82)
- PID 2684 wrote to memory of 4608 (pid 2684, spoolsv.exe, procid_target 82)
- PID 4608 wrote to memory of 4956 (pid 4608, svchost.exe, procid_target 83)
- PID 4608 wrote to memory of 4956 (pid 4608, svchost.exe, procid_target 83)
- PID 4608 wrote to memory of 4956 (pid 4608, svchost.exe, procid_target 83)
- PID 4608 wrote to memory of 4996 (pid 4608, svchost.exe, procid_target 88)
- PID 4608 wrote to memory of 4996 (pid 4608, svchost.exe, procid_target 88)
- PID 4608 wrote to memory of 4996 (pid 4608, svchost.exe, procid_target 88)
- PID 4888 wrote to memory of 4932 (pid 4888, cmd.exe, procid_target 90)
- PID 4888 wrote to memory of 4932 (pid 4888, cmd.exe, procid_target 90)
- PID 4888 wrote to memory of 4932 (pid 4888, cmd.exe, procid_target 90)
- PID 2916 wrote to memory of 4992 (pid 2916, cmd.exe, procid_target 91)
- PID 2916 wrote to memory of 4992 (pid 2916, cmd.exe, procid_target 91)
- PID 2916 wrote to memory of 4992 (pid 2916, cmd.exe, procid_target 91)
- PID 4608 wrote to memory of 2772 (pid 4608, svchost.exe, procid_target 92)
- PID 4608 wrote to memory of 2772 (pid 4608, svchost.exe, procid_target 92)
- PID 4608 wrote to memory of 2772 (pid 4608, svchost.exe, procid_target 92)
- PID 4608 wrote to memory of 5220 (pid 4608, svchost.exe, procid_target 94)
- PID 4608 wrote to memory of 5220 (pid 4608, svchost.exe, procid_target 94)
- PID 4608 wrote to memory of 5220 (pid 4608, svchost.exe, procid_target 94)
Processes
(Indentation shows the parent/child relationship of the process tree.)

C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (PID 3636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe (PID 5952)
    Command line: c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\icsys.icn.exe (PID 2988)
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\explorer.exe (PID 3576)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\spoolsv.exe (PID 2684)
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\svchost.exe (PID 4608)
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\system\spoolsv.exe (PID 4956)
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\at.exe (PID 4996)
            Command line: at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\at.exe (PID 2772)
            Command line: at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\at.exe (PID 5220)
            Command line: at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 4888)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\svchost.exe (PID 4932)
    Command line: c:\windows\system\svchost.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (PID 2916)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 4992)
    Command line: c:\windows\system\explorer.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads