Analysis Overview
SHA256
101161ee2ae8203c00aa4c8cb5137cd19ddcda5519c7a30bd86494273c199a28
Note: this value differs from the SHA256 recorded in the Files sections for the executable as written to disk under Temp (a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b); both values appear on this page and both should be kept as indicators.
Threat Level: Known bad
The file 2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad. The family names embedded in the submitted filename (black-basta, cobalt-strike, elex, luca-stealer) are not corroborated by any signature in this report; every family signature that fired attributes the sample to the Mofksys worm.
Malicious Activity Summary
Detects Mofksys worm
Mofksys
Mofksys family
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-05-20 08:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2025-05-20 08:33
Reported: 2025-05-20 08:36
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 103s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A |
Mofksys
Mofksys family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe" |
| \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe |
| C:\Users\Admin\AppData\Local\icsys.icn.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO |
| C:\Windows\SysWOW64\at.exe | at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe RO |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe RO |
| C:\Windows\SysWOW64\at.exe | at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
| C:\Windows\SysWOW64\at.exe | at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
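Every persistence mechanism in the signatures above is visible in the registry and process indicators: the Winlogon Shell value gains a second, comma-separated entry (Winlogon launches each listed executable at logon, so the copy in C:\Windows\System runs beside the real Explorer); the Active Setup components are registered under identifiers such as {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}, which contain non-hexadecimal characters and therefore cannot be GUIDs that Windows generated; the RunOnce values, the cmd.exe /c launches and the at.exe tasks all point at explorer.exe, svchost.exe and spoolsv.exe copies in the legacy C:\Windows\System directory rather than C:\Windows, System32 or SysWOW64; and ShowSuperHidden is set to 0, which keeps files flagged hidden+system out of Explorer listings. The Python script below is an added example, not part of this report or the sandbox's own detection logic. It applies those checks to indicator lines in the format the report prints. The sample input is copied from this report plus two constructed benign controls, and the sets of legitimate directories and masqueraded binary names are assumptions.

```python
"""Triage persistence indicators in the format this sandbox report prints them.

Added example; not part of the original report or the sandbox vendor's tooling.
Sample lines are copied from the report (plus two constructed benign controls);
the directory and binary-name sets are assumptions, not vendor logic.
"""
import re
from typing import Dict, List

# Constructed sample input: "Set value" indicators as printed in the report above.
SAMPLE_REGISTRY_SETS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"',
    r'\REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"',
    # Constructed benign control: the Windows default Winlogon shell value.
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
]
# Constructed sample input: command lines from the Processes section plus one benign control.
SAMPLE_COMMAND_LINES = [
    r'at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO',
    r'"C:\Windows\System32\svchost.exe" -k netsvcs',
]

# key\name = "value", the shape of every "Set value" indicator in the report.
LINE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')
HEX_GUID_RE = re.compile(r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$')
# Assumption: these are the only directories Windows itself uses for the binaries below.
LEGIT_DIRS = {'c:\\windows', 'c:\\windows\\system32', 'c:\\windows\\syswow64'}
SYSTEM_BINARY_NAMES = {'explorer.exe', 'svchost.exe', 'spoolsv.exe'}


def unescape(value: str) -> str:
    """The report doubles backslashes inside values; collapse them to real paths."""
    return value.replace('\\\\', '\\')


def masquerading_path(path: str) -> bool:
    """True when a Windows system binary name sits in a directory Windows does not use for it,
    e.g. the legacy 16-bit directory c:\\windows\\system or a user-profile path."""
    directory, _, name = unescape(path).strip('"').lower().rpartition('\\')
    return name in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS


def first_exe_path(value: str) -> str:
    """Extract the executable from a command-line style value such as 'c:\\\\x\\\\y.exe RO'."""
    m = re.match(r'^"?(.+?\.exe)', unescape(value).strip(), re.I)
    return m.group(1) if m else value


def triage_registry_line(line: str) -> List[str]:
    """Return finding labels for one 'Set value' indicator line; [] when nothing looks wrong."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    key, name = m.group('key').lower(), m.group('name').lower()
    value = unescape(m.group('value'))
    findings: List[str] = []
    if key.endswith('\\winlogon') and name == 'shell':
        # Winlogon Shell is a comma-separated list; every entry beyond explorer.exe runs at each logon.
        entries = [e.strip().lower() for e in value.split(',')]
        if entries != ['explorer.exe']:
            findings.append('winlogon_shell_tampered')
    elif '\\active setup\\installed components\\' in key and name == 'stubpath':
        component = key.rsplit('\\', 1)[-1]
        if not HEX_GUID_RE.match(component):
            findings.append('active_setup_malformed_guid')
        if '\\appdata\\' in value.lower():
            findings.append('active_setup_stubpath_in_userprofile')
    elif key.endswith(('\\run', '\\runonce')) and masquerading_path(first_exe_path(value)):
        findings.append('run_key_system_binary_masquerade')
    elif key.endswith('\\explorer\\advanced') and name == 'showsuperhidden' and value == '0':
        findings.append('hides_protected_os_files')
    return findings


def triage_command_line(cmdline: str) -> List[str]:
    """Return finding labels for one process command line; [] when nothing looks wrong."""
    tokens = cmdline.split()
    findings: List[str] = []
    if tokens:
        image = tokens[0].strip('"').lower().rsplit('\\', 1)[-1]
        flags = {t.lower().split(':', 1)[0] for t in tokens[1:]}
        # at.exe with /every creates a recurring task; /interactive asks for a user-session launch.
        if image in ('at', 'at.exe') and {'/interactive', '/every'} <= flags:
            findings.append('at_exe_recurring_interactive_task')
    if any(masquerading_path(t) for t in tokens):
        findings.append('launches_masquerading_system_binary')
    return findings


def triage_report(registry_lines: List[str], command_lines: List[str]) -> Dict[str, List[str]]:
    """Map every suspicious input line to its findings; clean lines are omitted."""
    results: Dict[str, List[str]] = {}
    for line in registry_lines:
        if hits := triage_registry_line(line):
            results[line] = hits
    for line in command_lines:
        if hits := triage_command_line(line):
            results[line] = hits
    return results


if __name__ == '__main__':
    for line, hits in triage_report(SAMPLE_REGISTRY_SETS, SAMPLE_COMMAND_LINES).items():
        print(', '.join(hits), '<-', line)
```

Run the file directly to print the findings per line, or import it and call triage_report() on lines lifted from another report. Two caveats when reusing these signals on a live host: the WOW6432Node prefixes show the writes came from a 32-bit process on 64-bit Windows, so a host check has to read the 32-bit registry view as well as the native one; and at.exe has been deprecated since Windows 8 in favour of schtasks.exe, so on the Windows 10 and 11 images used here the /every tasks should be verified with schtasks /query rather than assumed to exist (the \??\PIPE\atsvc entry in the behavioral1 Files section only shows that at.exe reached the Task Scheduler RPC endpoint).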
Network
Files
C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
| MD5 | 38f18ebb5b81b4481b732f68d2b9fe90 |
| SHA1 | eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0 |
| SHA256 | a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b |
| SHA512 | 9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749 |
C:\Users\Admin\AppData\Local\icsys.icn.exe
| MD5 | 619df4382c6cfae46e3d2a4186dd10bf |
| SHA1 | 2f6d85478598aae450494e8a6eace1e7d3992a70 |
| SHA256 | 6ba1c5b5668d58a66604f963f4c70158cf1674c20f97c9de56e32ddd698348f7 |
| SHA512 | 320f86637192be6d9d7c8ef1cd4802c3636f6141c4c8f5cc5e76d0b273cd841a8efb91d52d55f19dcd476895e4bbea4b8eb10979caddf0e20bd4031d77a78da1 |
C:\Windows\System\explorer.exe
| MD5 | 8f2023ff4b8380288b33edcdf77e3627 |
| SHA1 | f7257b23217ffa0b209ebde50581aff6c5a3e15d |
| SHA256 | 7c17ad4eb8791b9843cf962af51750dc57fd455394d1464e55f07cacefd4f0c0 |
| SHA512 | ae0d2bf30bed77b9386589bb24716983b0eb5359a233c25b78657a85b5937b1ea8f768621431df1b14bdde932cb14da7f2422d3cd880f5b498d3a7d8da26ec84 |
C:\Windows\System\spoolsv.exe
| MD5 | deefa26749ce3c12428c15843b4b4250 |
| SHA1 | fc323957d292495438c912067558d358693a1601 |
| SHA256 | 62abd9788890c5403ff62798480162b8dade061dc514012f5e10875889e581b6 |
| SHA512 | e13f645399267811acab4f39598af824b650577722f0cb1902700f82cf173c7a9bfbef7ac518ab9f64c500aa3d8be80cf95dc3959116513fb6a798d8551ca65e |
\??\c:\windows\system\svchost.exe
| MD5 | 553007e9be4a0e9d681c88a59daf43d8 |
| SHA1 | fbb9ccc7aabeb5285ba934b172dfd70d0fec3107 |
| SHA256 | d14f95a5531048f80cf7b0583b3d2db52f8b6b38d4ed40b0495a532238aaed03 |
| SHA512 | ae840c1419dabede8d8baf6d482105dfea011adaa567377f9e0d10936b4c2e01c739d3dc83694305cb22632475665e59a4391a9f9e2458aef64f1b3d7612e9b8 |
C:\Users\Admin\AppData\Roaming\mrsys.exe
| MD5 | 8122ec0caf2a4599e38d81b447727d1b |
| SHA1 | 816351d2b34258a94a33294e86f750d0ac1232bb |
| SHA256 | fb535830b7950c418c7114b1718319c28d1766051c09177d2a10a6d216a94563 |
| SHA512 | f8473fb09fecbed836e6b70a714be089fa43be552fc622cdc1bef83c45e69d4b6603475f5987e671e2962eac8171ff73444fe46d46f30046947c49d7f4f5a04d |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-05-20 08:33
Reported: 2025-05-20 08:36
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 137s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A |
Mofksys
Mofksys family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | "C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe" |
| \??\c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe | c:\users\admin\appdata\local\temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe |
| C:\Users\Admin\AppData\Local\icsys.icn.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO |
| C:\Windows\SysWOW64\at.exe | at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe RO |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe RO |
| C:\Windows\SysWOW64\at.exe | at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
| C:\Windows\SysWOW64\at.exe | at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe |
Network
| Country | Destination | Domain | Proto |
| FR | 2.21.35.224:443 | www.bing.com | tcp |
| FR | 2.21.35.224:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
The report attributes none of these connections to a sample process, and www.bing.com, tse1.mm.bing.net and c.pki.goog (Google's certificate-status endpoint) are contacted routinely by Windows and browser background services; the behavioral2 run recorded no network activity at all. None of these destinations should be listed as command-and-control infrastructure on the strength of this table alone.
Files
C:\Users\Admin\AppData\Local\Temp\2025-05-20_dd1ea1a45d735f01c91b4521239181e8_black-basta_cobalt-strike_elex_luca-stealer.exe
| MD5 | 38f18ebb5b81b4481b732f68d2b9fe90 |
| SHA1 | eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0 |
| SHA256 | a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b |
| SHA512 | 9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749 |
C:\Users\Admin\AppData\Local\icsys.icn.exe
| MD5 | 619df4382c6cfae46e3d2a4186dd10bf |
| SHA1 | 2f6d85478598aae450494e8a6eace1e7d3992a70 |
| SHA256 | 6ba1c5b5668d58a66604f963f4c70158cf1674c20f97c9de56e32ddd698348f7 |
| SHA512 | 320f86637192be6d9d7c8ef1cd4802c3636f6141c4c8f5cc5e76d0b273cd841a8efb91d52d55f19dcd476895e4bbea4b8eb10979caddf0e20bd4031d77a78da1 |
C:\Windows\System\explorer.exe
| MD5 | 27c1f9cf16b37d08ad6703571c0c56ab |
| SHA1 | 8baea51bdd415695a2ca3d57a0e7618f1016708b |
| SHA256 | e5402be78e78cbdb7e802a3cba8731ab4a13988d5c7d2e0f0a5b361f214b0d3b |
| SHA512 | 5b1da3f115cedcc4a878aaaf4ffbf243b85c96a88ad0fa43b9386b3a1187837a88a4c914208eeeab90ada366dafcc2b61347fc6605eaa48519fab4ca53a50c4d |
C:\Windows\System\spoolsv.exe
| MD5 | 73c07eb6923504f46918ee79502c039b |
| SHA1 | b65bd39e614c393d1bb4bcff6e0f1b285b44d83f |
| SHA256 | fbe1a1e24d2e7dc34c7bbcb47d47b4f92b5de60bab363e5a41982707c722b865 |
| SHA512 | c521fae39677a98faadf4628f78a3cd0b2bae5b8bf5f8785fc008866f78ee44c193891fe167b347fe6d060c56ae85016ca1d14834ff226aa5f7b1f4affa337d1 |
C:\Windows\System\svchost.exe
| MD5 | 438f7be24204b8a2307ba34196ab34d8 |
| SHA1 | a0f6deb9739db66020e6e39bcca45dae9608235f |
| SHA256 | 687e0ab49e72ac51d9f6d85222d55c783209d79edfdd631de3a52cee653f18fd |
| SHA512 | d1457cfc7f3343187ebf2c376c41b24b1ca96fe1bf5f4f344851ceee906ffeafc272e123fac59c91705bcc57eeca2a3b3adfb4403197951d878fffb34e860c32 |
C:\Users\Admin\AppData\Roaming\mrsys.exe
| MD5 | f4595155a48e124738bf682637c60051 |
| SHA1 | a46cae0a89c38d9dedf8ab643925d854291168c6 |
| SHA256 | cf96ca7526250c68d9a4e68be936766ebd5e321b344ac42f8aaf4f9d9e54b181 |
| SHA512 | 464ed1be1130d032982c389e6aaffb38980758c9e58bdc69d92a95523b26336da55c8a978a1a631746bbd61641f66083fda9a5e793121eef9bbed6d6790e7eaf |
\??\PIPE\atsvc (the Task Scheduler RPC named pipe opened by at.exe; the hashes below are those of empty input, not of a dropped file, and should not be added to file indicator lists)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |