Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/05/2025, 08:34

General

  • Target

    2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe

  • Size

    24.7MB

  • MD5

    e34ace8f4216078d97f0257da1964c1a

  • SHA1

    6646a9d1edc3212e3f04713a69525066f91dad12

  • SHA256

    21f05af90bdee3716b1e8a7797e361c6ac31275f1a9c66f9c5f6fc7f9e1c9189

  • SHA512

    ccc13266008a86b857afd65bc090618d968a5486bc302a19298927a0169ec6bd1a5ac5f0240984c77d8a2f873c6bc5bd0354cb713b5e9d9b3dd286d14a41e5fa

  • SSDEEP

    786432:ZTHwiu9W09E3b3shopoAc7qU+A4ui+QH8eH/uDEVoqN6:ZTHwvWYEraGoR+YiF8eHLeq0

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3088
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4432
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4700
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4592
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4888
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5928
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3432
            • C:\Windows\SysWOW64\at.exe
              at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4984
            • C:\Windows\SysWOW64\at.exe
              at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3256
            • C:\Windows\SysWOW64\at.exe
              at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1108
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5080
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4116
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4876
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5492
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 44EC0DC58A2346408020C5807359040D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2636

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 

          Filesize

          24.5MB

          MD5

          e5d5acd2bc76a50accda70ea55c40ebf

          SHA1

          75b649e01d35e7010d5d60c87545dc7ab47a3420

          SHA256

          67fb9596b6c5d0b12c9f44ea8b04d5843101935ea65e179835707f3efe715802

          SHA512

          3a3e318c926e70e485fbfd42db924fd4dfb8a44596725885372c940fb9bdbeb64a98c2374d4f5c3420e62ad5a67e7b9ed1b1338d83b7888280038ed15ff2e60c

        • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4432\installer_logo_large.png

          Filesize

          15KB

          MD5

          92a8f755b579ffc8c3f86ec87076f45e

          SHA1

          cd5536b089a281807eabe2def1e6f4020e2b124b

          SHA256

          71a8107a9f5e4464519fb74b4e83b7f7af86812399210f55a2505870391aec66

          SHA512

          11857b0eefbacc7faf7e1056124319c3acfc82eef0c1769a3ad7945a1019b85757fbd8f620a5bd360652c7f877a8634df744a3cee0fb0f7a07689522024d06fb

        • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4432\installer_logo_small.png

          Filesize

          5KB

          MD5

          743d8274c5efa5b66c12eff6d89f819e

          SHA1

          655ab5d69e17883d3651792d7c3ff7e133e9ab54

          SHA256

          54305db25aef864e71e02d5a1cdadf831387d7b850a80512e041d9fadc0c5438

          SHA512

          9f261f384932990796143b95cef3540e962757c7ada9bb0485df084f3c8391f28d31ac1eb78478c67eda56ffb1cb238924b107c7ed8e1c72d37cdd6acccc75ae

        • C:\Users\Admin\AppData\Local\Temp\MSI96A6.tmp

          Filesize

          550KB

          MD5

          8259dc74965f3c8e91d152862580a773

          SHA1

          d2d029f9f9be25be3c5526c5a52449c034c673e1

          SHA256

          84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

          SHA512

          50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

        • C:\Users\Admin\AppData\Local\Temp\MSI98DF.tmp

          Filesize

          630KB

          MD5

          8ecff5e8777908818edd94721ddc349d

          SHA1

          a3ffcfcffae1b44261c1b1a64917ac898c40b9e2

          SHA256

          1c450659c7681df9df21b20412c9647e7e8e5bf0f2945c48b1ab51f330f2516b

          SHA512

          8418049fe52dcf6e294cf58d200b7a7d8e704ba592b3f59243c4c5a4d661c60f8db97540badd9a1718547a0047b39316ec7917c43ddcb8a71bebad49e7baaf08

        • C:\Users\Admin\AppData\Local\Temp\upd905B.tmp

          Filesize

          1KB

          MD5

          91d0484055bd80300fbcc7e546bfd0a2

          SHA1

          8e8024a1db97cae891cea172035e0ecfb24579af

          SHA256

          89f930d218b2afc509d8d217ee6b6ff8d29c5772cf2e2234fc0f8a46ef1ee13c

          SHA512

          2ee8859014b416282ba1e0bc4510bcf7cf290b1ab4a1d8040e76981ff14fdae69935ce0f180653519c86c187d5f997b83420060f3b0101906529c13dba6e1579

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          07dbf607fdc270184154b89db909d55f

          SHA1

          d02d1c6ee1104f26e21c683e6bcbaaf22750504f

          SHA256

          9c6c49d4afd283c153800b627baf538a36732d2dd264a3f56d59822ad01576f4

          SHA512

          4a9314ff14416de9584ef5c7fe20793ecb606cae6b6004134c39bb2f2dcfede33aeebfd5d3c405ccf77cb5181161a8aab4e41c24f447afb08b94b7172bc1a329

        • C:\Users\Admin\AppData\Roaming\Honeygain\Honeygain 1.5.0.0\install\Honeygain_install.msi

          Filesize

          4.9MB

          MD5

          89ca17e0e21a5a0951899a87a50915c9

          SHA1

          6d3d6c65b422b6ff2e473580eefcb0e767123e49

          SHA256

          35c9e82daee05184b803a76276b556802da4b76119cb9dc649bd0bae9b3e00f6

          SHA512

          95dae81f840a4143a497e06b58ef5fafe41b246f8e1b76fc4911612d24d57d267ab1cfd0c3372a80f0d229bd4e3a6df07775d2f33c9995beecb5304faa281d69

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          e23bd91ad94ea37e02e57bf2d1f1f341

          SHA1

          ec718c4d1fe92dd20a940184383ba962fa3fc5e6

          SHA256

          475c91a8475878e668b166506d753c5cb2913232dc95ea3978f7d2d81fb9bdab

          SHA512

          59f34df297ccfff43b5423805b19cd07c89c89b3ed07cee8c5eba999e96bd596c206bdf51e040fe614f16fd936664972eec983df5ad681e6eeedb083b97687f6

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          6044c74fed1ddb325861bdafae47663f

          SHA1

          055449b958a1164b81ecf79be91d7a24c4117398

          SHA256

          a4fdc5e17a2cd7eb1cc5d28ffa7b9bcd3b6a37b3e48b9b9838f826c392458aa0

          SHA512

          8fe670990b124153cba868e4d3ba57980baa9c1c1a8b91fbb774a5791a524558251b231feb57aff8e40698b2d7c9ce8368f5f25004509a575baf452f7b6231cf

        • \??\c:\windows\system\spoolsv.exe

          Filesize

          206KB

          MD5

          046bbff7c2dc7487a54389a2da14e672

          SHA1

          2370cb9906eb50cbf450f494b78c8444d8a39fc5

          SHA256

          22636ab900c0f32640e9f7c281502482826603017d93f26d1ffa93e215571903

          SHA512

          720e3534abe838ca5dc5bbe9d4dc9284a6b4e1a02ca9e0fa96401d17545235f8dea0c1be488c60e0938440da4205354b666028ad057cc19839ae41ca8eb46885

        • \??\c:\windows\system\svchost.exe

          Filesize

          206KB

          MD5

          2a79c0addfc0fe399884c0004000896a

          SHA1

          5ff51e74351d722736e5e0a302eb926b4f8b1c31

          SHA256

          1f7b408a6087a61483d84ceed314658324ebf9cbeb9d332a8c8c92b326622677

          SHA512

          43e8cafaf13a88d9537e8db496199b80e2261b2a377d3c3678025bf08a8b1fec1df1be738c77a3147f547d899f05d1d1373201cd72f5dc00356385c90f4b3858