Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20/05/2025, 08:33

General

  • Target

    2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe

  • Size

    570KB

  • MD5

    dd1ea1a45d735f01c91b4521239181e8

  • SHA1

    c0b9abbbab48885ced30e4140c51532de6dfc3b5

  • SHA256

    101161ee2ae8203c00aa4c8cb5137cd19ddcda5519c7a30bd86494273c199a28

  • SHA512

    346b54168664d4fa087122f304a8b720b243137a438002c71f7c91748db59ed542f1ac464ffe76ac13d9ad77e4b6fd6a1f15ac7a5923e9f4d56019c37ba58f98

  • SSDEEP

    12288:zENN+T5xYrllrU7QY6L/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58Nb:Z5xolYQY61el3+s0DvfeUYqcZQCGm4Y2

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3636
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5952
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2988
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3576
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2684
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4608
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4956
            • C:\Windows\SysWOW64\at.exe
              at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4996
            • C:\Windows\SysWOW64\at.exe
              at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2772
            • C:\Windows\SysWOW64\at.exe
              at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5220
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4888
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4932
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4992

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe 

          Filesize

          364KB

          MD5

          38f18ebb5b81b4481b732f68d2b9fe90

          SHA1

          eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0

          SHA256

          a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b

          SHA512

          9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          619df4382c6cfae46e3d2a4186dd10bf

          SHA1

          2f6d85478598aae450494e8a6eace1e7d3992a70

          SHA256

          6ba1c5b5668d58a66604f963f4c70158cf1674c20f97c9de56e32ddd698348f7

          SHA512

          320f86637192be6d9d7c8ef1cd4802c3636f6141c4c8f5cc5e76d0b273cd841a8efb91d52d55f19dcd476895e4bbea4b8eb10979caddf0e20bd4031d77a78da1

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          8122ec0caf2a4599e38d81b447727d1b

          SHA1

          816351d2b34258a94a33294e86f750d0ac1232bb

          SHA256

          fb535830b7950c418c7114b1718319c28d1766051c09177d2a10a6d216a94563

          SHA512

          f8473fb09fecbed836e6b70a714be089fa43be552fc622cdc1bef83c45e69d4b6603475f5987e671e2962eac8171ff73444fe46d46f30046947c49d7f4f5a04d

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          8f2023ff4b8380288b33edcdf77e3627

          SHA1

          f7257b23217ffa0b209ebde50581aff6c5a3e15d

          SHA256

          7c17ad4eb8791b9843cf962af51750dc57fd455394d1464e55f07cacefd4f0c0

          SHA512

          ae0d2bf30bed77b9386589bb24716983b0eb5359a233c25b78657a85b5937b1ea8f768621431df1b14bdde932cb14da7f2422d3cd880f5b498d3a7d8da26ec84

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          deefa26749ce3c12428c15843b4b4250

          SHA1

          fc323957d292495438c912067558d358693a1601

          SHA256

          62abd9788890c5403ff62798480162b8dade061dc514012f5e10875889e581b6

          SHA512

          e13f645399267811acab4f39598af824b650577722f0cb1902700f82cf173c7a9bfbef7ac518ab9f64c500aa3d8be80cf95dc3959116513fb6a798d8551ca65e

        • \??\c:\windows\system\svchost.exe

          Filesize

          206KB

          MD5

          553007e9be4a0e9d681c88a59daf43d8

          SHA1

          fbb9ccc7aabeb5285ba934b172dfd70d0fec3107

          SHA256

          d14f95a5531048f80cf7b0583b3d2db52f8b6b38d4ed40b0495a532238aaed03

          SHA512

          ae840c1419dabede8d8baf6d482105dfea011adaa567377f9e0d10936b4c2e01c739d3dc83694305cb22632475665e59a4391a9f9e2458aef64f1b3d7612e9b8