Analysis

max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:32

Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
Resource: win10v2004-20250502-en

General

Target: 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 570KB
MD5: c67dd6e6528753aad5cfd228b68d9468
SHA1: a61ffbe31fc355ffa535cfe90e325ecf6ff3a4e1
SHA256: d2c9c7c9c025566bf2cf270f8b8e3fd6233bba864c623162625313db67fa2c78
SHA512: 1df698071f782c2508aab9e48523a15cb2e4ee42ca100ca31daf22fe93d9078fe63516c79d08ac3125bb134f4a03604a5fa7b38fe64afa3ba5506013ed0d29ae
SSDEEP: 12288:zENN+T5xYrllrU7QY6e/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58Ni:Z5xolYQY62el3+s0DvfeUYqcZQCGm4Y/
Malware Config
Signatures

Detects Mofksys worm (5 IoCs)
resource | yara_rule
behavioral1/files/0x000700000002424b-12.dat | family_mofksys
behavioral1/files/0x000800000002424f-20.dat | family_mofksys
behavioral1/files/0x0008000000024252-28.dat | family_mofksys
behavioral1/files/0x0008000000024254-36.dat | family_mofksys
behavioral1/files/0x0009000000024253-47.dat | family_mofksys

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Mofksys family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe

Executes dropped EXE (8 IoCs)
pid | Process
2136 | 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
1164 | icsys.icn.exe
3056 | explorer.exe
6040 | spoolsv.exe
5060 | svchost.exe
1064 | spoolsv.exe
4824 | explorer.exe
4812 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe (3)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe (2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
1164 | icsys.icn.exe | 2
3056 | explorer.exe | 32
5060 | svchost.exe | 30

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3056 | explorer.exe
5060 | svchost.exe

Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process | events
1228 | 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | 2
1164 | icsys.icn.exe | 2
3056 | explorer.exe | 4
6040 | spoolsv.exe | 2
5060 | svchost.exe | 2
1064 | spoolsv.exe | 2
4812 | svchost.exe | 2
4824 | explorer.exe | 2

Suspicious use of WriteProcessMemory (33 IoCs; each parent/child pair below was recorded three times)
description | pid | Process | procid_target
PID 1228 wrote to memory of 2136 | 1228 | 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | 87
PID 1228 wrote to memory of 1164 | 1228 | 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | 89
PID 1164 wrote to memory of 3056 | 1164 | icsys.icn.exe | 90
PID 3056 wrote to memory of 6040 | 3056 | explorer.exe | 91
PID 6040 wrote to memory of 5060 | 6040 | spoolsv.exe | 92
PID 5060 wrote to memory of 1064 | 5060 | svchost.exe | 93
PID 5060 wrote to memory of 4760 | 5060 | svchost.exe | 98
PID 2856 wrote to memory of 4824 | 2856 | cmd.exe | 100
PID 4844 wrote to memory of 4812 | 4844 | cmd.exe | 101
PID 5060 wrote to memory of 2632 | 5060 | svchost.exe | 120
PID 5060 wrote to memory of 1856 | 5060 | svchost.exe | 123
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe"
    PID: 1228
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
        Command line: c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
        PID: 2136
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
        Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
        PID: 1164
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\explorer.exe
            Command line: c:\windows\system\explorer.exe
            PID: 3056
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\spoolsv.exe
                Command line: c:\windows\system\spoolsv.exe SE
                PID: 6040
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\svchost.exe
                    Command line: c:\windows\system\svchost.exe
                    PID: 5060
                    - Modifies WinLogon for persistence
                    - Modifies visibility of hidden/system files in Explorer
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] \??\c:\windows\system\spoolsv.exe
                        Command line: c:\windows\system\spoolsv.exe PR
                        PID: 1064
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 4760
                        - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 2632
                        - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 1856
                        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    PID: 2856
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe RO
        PID: 4824
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    PID: 4844
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe RO
        PID: 4812
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
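Read together with the Signatures section, the tree shows the following. The sample (PID 1228) writes a different executable to its own path (the Downloads section records a 364KB file with different hashes at that path, against the 570KB original) and runs it as PID 2136, then drops and runs icsys.icn.exe, which chains copies named explorer.exe, spoolsv.exe and svchost.exe out of C:\Windows\system. Persistence is attempted four ways: a second shell appended after a comma in the Winlogon Shell value, Active Setup StubPath entries pointing at C:\Users\Admin\AppData\Roaming\mrsys.exe, RunOnce values with an "RO" argument, and three at.exe jobs. The two top-level cmd.exe /c ... RO processes match those RunOnce values, so that mechanism was exercised during the run. Two caveats for anyone hunting with these indicators: the sample runs as a 32-bit process (it launches at.exe from SysWOW64 and all of its registry writes land under WOW6432Node through registry redirection), so both registry views have to be read; and on Windows 8 and later at.exe only prints a deprecation notice and creates no job, so the at.exe leg most likely did nothing in this Windows 10 run. The family names in the file name (black-basta, cobalt-strike, elex, luca-stealer) come from the submitter; the only family match in this report is the family_mofksys YARA rule on five dropped files.

The host-triage script below is an added example and is not part of the sandbox report or of the sample. It checks a Windows host for exactly the artefacts listed in this report; the function name and the output format are the author's own choices, the key paths, value names and the two Active Setup component names are copied from the report, and the ShowSuperHidden write is deliberately not checked because 0 is already the default on a fresh install.

```powershell
# Added triage script: looks for the persistence artefacts recorded in this
# sandbox report. Not part of the report or of the sample. Run elevated.
function Find-ReportedPersistence {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon Shell. A clean value is exactly "explorer.exe"; the report shows
    #    "C:\Windows\explorer.exe, c:\windows\system\explorer.exe". The sample is
    #    32-bit, so its write was redirected to WOW6432Node: read both views.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $shellValue = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shellValue -and $shellValue -ne 'explorer.exe') {
            $findings.Add("Winlogon Shell at ${key} is '$shellValue'")
        }
    }

    # 2. Active Setup StubPath entries. Genuine component names are GUIDs (some
    #    prefixed with ">"); the report's {Y479C6D0-OTRW-...} and {F146C9B1-VMVQ-...}
    #    contain non-hex letters. Flag non-GUID names and the reported stub file.
    $guidPattern = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if (-not $stub) { return }   # nothing is launched at logon without a StubPath
            $name = $_.PSChildName
            if ($name -notmatch $guidPattern -or $stub -match 'AppData\\Roaming\\mrsys\.exe') {
                $findings.Add("Active Setup ${root}\${name} StubPath='$stub'")
            }
        }
    }

    # 3. RunOnce values that launch anything from C:\Windows\system (the report's
    #    "Svchost" and "Explorer" values carrying the "RO" argument).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -match '\\windows\\system\\') {
                $findings.Add("RunOnce ${key}\${valueName} = '$data'")
            }
        }
    }

    # 4. Dropped binaries. C:\Windows\system (not System32) normally holds no .exe
    #    files on 64-bit Windows 10, so anything there deserves a hash lookup.
    $legacyDir = Join-Path $env:SystemRoot 'system'
    Get-ChildItem -Path $legacyDir -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings.Add("Executable in ${legacyDir}: $($_.Name) ($($_.Length) bytes) SHA256=$sha256")
    }
    # The Active Setup stub was dropped into a user profile; check every profile.
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $stubFile = Join-Path $_.FullName 'AppData\Roaming\mrsys.exe'
        if (Test-Path -LiteralPath $stubFile) { $findings.Add("Active Setup stub present: $stubFile") }
    }

    # 5. Scheduled execution. The sample ran "at HH:MM /interactive /every:... svchost.exe".
    #    On Windows 8 and later at.exe only prints a deprecation notice, so look for
    #    legacy At*.job files anyway and for any task whose action lives under C:\Windows\system.
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter 'At*.job' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Legacy AT job file: $($_.FullName)") }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -match '\\windows\\system\\') {
                $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) runs '$($action.Execute)'")
            }
        }
    }

    return $findings
}

$results = Find-ReportedPersistence
if ($results.Count -eq 0) { 'None of the persistence artefacts from this report were found.' }
else { $results | ForEach-Object { "[!] $_" } }
```

Each finding is printed rather than acted on: on a live host, delete the Winlogon and RunOnce values and the Active Setup keys only after capturing the dropped files from C:\Windows\system, since their hashes are what ties the host back to the five family_mofksys matches in this report.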
Network
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads

C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
  Filesize: 364KB
  MD5: 38f18ebb5b81b4481b732f68d2b9fe90
  SHA1: eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0
  SHA256: a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b
  SHA512: 9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

File 2
  Filesize: 206KB
  MD5: b03b0c11f7c46b181af61975f0ca255e
  SHA1: 7caf7c1f48e209aec8ae245d9194a2159d111e45
  SHA256: 3ab5d937f24e9fd0ed04e87e493111c094ea9bddfb4083d9e0247438b79f26c2
  SHA512: 02305908293ba9667ba341461c0f4f5842a4e3b2b3ac8444aa18b2fc5bc60d38956e2421d3b398b6a2c8d372c0a85e246f078d3f48913012fe40efdac0809a7d

File 3
  Filesize: 206KB
  MD5: d1d04b5f68cedac7ea70374cf80aac00
  SHA1: c8bd50c3cae4492a5c62e3d6ac5b17637a3b7770
  SHA256: 929d75ee9aced76ea2d652c713a7208617a14b25483e15b216244a54f244b310
  SHA512: c4e4a5fa81a2b53386277ba40581950e6078daed697bf4d8c5a6e91e08d3874926adc6597bc6be8d96d2586270d626921e2694029f7e931f8224187a0c88c50d

File 4
  Filesize: 206KB
  MD5: 7f9dabcdb38a6acf1a6e139b00e913a0
  SHA1: 4d33495151eef3cae8865c424d74fe3bda17f5a3
  SHA256: 8d277133cd022915c33b37ac25ae49491e0b8f408b0224df278c95638d3476fb
  SHA512: dcb3ec3f418e7a564dc13b5fadcb027dc0efab108e54ec24a77042dafb3e79adb3700e4ad1c7af19e5345eef1fbf52c0d49c9e5d9112d11ac888dc0c9930d18e

File 5
  Filesize: 206KB
  MD5: a8b63025c791af5da82535476f182e3c
  SHA1: 82b5a2d08fd99f7fd81fb4b3aa3ed1128e9cd5fd
  SHA256: 6c66e1237ff70512255d1ba4a6399ded88f6bfff5d1e354569838e8570d687a8
  SHA512: e2fec57471a8898958660f979aabdb43484f32122dec02d5f473f576e7cc0b95896626be269e8cddcd71239bf7d0f11cc36a5896b4e0ae85d83bff2dee4b42a9

File 6
  Filesize: 206KB
  MD5: cfe65d49cf14d5e745e5ba1b63d142b9
  SHA1: e4237d25f5279577f8f9765b2f545400fd9ed0d5
  SHA256: 2787f7e8672bb6a2dc44b2f238e508b2d58203d96949e4cb1852f0870c633719
  SHA512: fe3b20989e2c6d7e2a422cb910bbfbf7a51db179f8f2bc2d677d3c5ecc039bf466ec12f5b2edffa00349d8cf94493eb29e7b3e13a5a112191f8160e463135fcc