Analysis Overview
SHA256
d2c9c7c9c025566bf2cf270f8b8e3fd6233bba864c623162625313db67fa2c78
Threat Level: Known bad
The file 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Mofksys family
Detects Mofksys worm
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Mofksys
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 08:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 08:32
Reported
2025-05-20 08:34
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A |
Mofksys
Mofksys family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe"
\??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
C:\Windows\SysWOW64\at.exe
at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe RO
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe RO
C:\Windows\SysWOW64\at.exe
at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe
at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 95.100.153.158:443 | www.bing.com | tcp |
| GB | 95.100.153.158:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
| MD5 | 38f18ebb5b81b4481b732f68d2b9fe90 |
| SHA1 | eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0 |
| SHA256 | a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b |
| SHA512 | 9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749 |
C:\Users\Admin\AppData\Local\icsys.icn.exe
| MD5 | b03b0c11f7c46b181af61975f0ca255e |
| SHA1 | 7caf7c1f48e209aec8ae245d9194a2159d111e45 |
| SHA256 | 3ab5d937f24e9fd0ed04e87e493111c094ea9bddfb4083d9e0247438b79f26c2 |
| SHA512 | 02305908293ba9667ba341461c0f4f5842a4e3b2b3ac8444aa18b2fc5bc60d38956e2421d3b398b6a2c8d372c0a85e246f078d3f48913012fe40efdac0809a7d |
C:\Windows\System\explorer.exe
| MD5 | 7f9dabcdb38a6acf1a6e139b00e913a0 |
| SHA1 | 4d33495151eef3cae8865c424d74fe3bda17f5a3 |
| SHA256 | 8d277133cd022915c33b37ac25ae49491e0b8f408b0224df278c95638d3476fb |
| SHA512 | dcb3ec3f418e7a564dc13b5fadcb027dc0efab108e54ec24a77042dafb3e79adb3700e4ad1c7af19e5345eef1fbf52c0d49c9e5d9112d11ac888dc0c9930d18e |
C:\Windows\System\spoolsv.exe
| MD5 | a8b63025c791af5da82535476f182e3c |
| SHA1 | 82b5a2d08fd99f7fd81fb4b3aa3ed1128e9cd5fd |
| SHA256 | 6c66e1237ff70512255d1ba4a6399ded88f6bfff5d1e354569838e8570d687a8 |
| SHA512 | e2fec57471a8898958660f979aabdb43484f32122dec02d5f473f576e7cc0b95896626be269e8cddcd71239bf7d0f11cc36a5896b4e0ae85d83bff2dee4b42a9 |
C:\Windows\System\svchost.exe
| MD5 | cfe65d49cf14d5e745e5ba1b63d142b9 |
| SHA1 | e4237d25f5279577f8f9765b2f545400fd9ed0d5 |
| SHA256 | 2787f7e8672bb6a2dc44b2f238e508b2d58203d96949e4cb1852f0870c633719 |
| SHA512 | fe3b20989e2c6d7e2a422cb910bbfbf7a51db179f8f2bc2d677d3c5ecc039bf466ec12f5b2edffa00349d8cf94493eb29e7b3e13a5a112191f8160e463135fcc |
C:\Users\Admin\AppData\Roaming\mrsys.exe
| MD5 | d1d04b5f68cedac7ea70374cf80aac00 |
| SHA1 | c8bd50c3cae4492a5c62e3d6ac5b17637a3b7770 |
| SHA256 | 929d75ee9aced76ea2d652c713a7208617a14b25483e15b216244a54f244b310 |
| SHA512 | c4e4a5fa81a2b53386277ba40581950e6078daed697bf4d8c5a6e91e08d3874926adc6597bc6be8d96d2586270d626921e2694029f7e931f8224187a0c88c50d |