Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:36
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Resource: win10v2004-20250502-en
General
Target: 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 796KB
MD5: fa1ed73ab92df03d34b6282b0a40c12c
SHA1: c6bb0cddba12973c6d56d08b603c0f46fa2b6869
SHA256: e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df
SHA512: 496c7fc1514dadde0e7524823f1c5964519467edc4feb3d907a51e04a52a17495ff8186572a63c4f6a45abfd4b35206679cf0ac0705d52862c8857992e3f7e1b
SSDEEP: 12288:zENN+T5xYrllrU7QY67ubXcwafJcLln5QwnVWqqPIBONhxsU/Eb:Z5xolYQY67urP90r/xsU/Eb
Malware Config
Signatures

Detects Mofksys worm (5 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000024210-59.dat | family_mofksys
behavioral1/files/0x0008000000024214-66.dat | family_mofksys
behavioral1/files/0x0008000000024216-75.dat | family_mofksys
behavioral1/files/0x0008000000024218-83.dat | family_mofksys
behavioral1/files/0x0009000000024217-94.dat | family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Mofksys family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (8 IoCs)
pid | Process
5396 | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
2232 | icsys.icn.exe
772 | explorer.exe
4516 | spoolsv.exe
5988 | svchost.exe
2404 | spoolsv.exe
384 | explorer.exe
1852 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
All 64 hits come from the following three processes, each listed repeatedly in the report:
2232 | icsys.icn.exe
772 | explorer.exe
5988 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
772 | explorer.exe
5988 | svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process
5688 | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
5688 | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
2232 | icsys.icn.exe
2232 | icsys.icn.exe
772 | explorer.exe
772 | explorer.exe
4516 | spoolsv.exe
4516 | spoolsv.exe
5988 | svchost.exe
5988 | svchost.exe
2404 | spoolsv.exe
2404 | spoolsv.exe
772 | explorer.exe
772 | explorer.exe
384 | explorer.exe
384 | explorer.exe
1852 | svchost.exe
1852 | svchost.exe
Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
Each row below appears three times in the report; it is listed once here.
PID 5688 wrote to memory of 5396 | 5688 | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | 85
PID 5688 wrote to memory of 2232 | 5688 | 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | 87
PID 2232 wrote to memory of 772 | 2232 | icsys.icn.exe | 88
PID 772 wrote to memory of 4516 | 772 | explorer.exe | 90
PID 4516 wrote to memory of 5988 | 4516 | spoolsv.exe | 92
PID 5988 wrote to memory of 2404 | 5988 | svchost.exe | 93
PID 5988 wrote to memory of 3476 | 5988 | svchost.exe | 98
PID 4500 wrote to memory of 384 | 4500 | cmd.exe | 100
PID 4784 wrote to memory of 1852 | 4784 | cmd.exe | 101
PID 5988 wrote to memory of 6036 | 5988 | svchost.exe | 119
PID 5988 wrote to memory of 628 | 5988 | svchost.exe | 122
Processes
(depth in the process tree is shown as [1], [2], ...; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"
    PID: 5688
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
        Command line: c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
        PID: 5396
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
        Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
        PID: 2232
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\explorer.exe
            Command line: c:\windows\system\explorer.exe
            PID: 772
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\spoolsv.exe
                Command line: c:\windows\system\spoolsv.exe SE
                PID: 4516
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\svchost.exe
                    Command line: c:\windows\system\svchost.exe
                    PID: 5988
                    - Modifies WinLogon for persistence
                    - Modifies visibility of hidden/system files in Explorer
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] \??\c:\windows\system\spoolsv.exe
                        Command line: c:\windows\system\spoolsv.exe PR
                        PID: 2404
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 3476
                        - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 6036
                        - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 08:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 628
                        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    PID: 4500
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe RO
        PID: 384
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    PID: 4784
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe RO
        PID: 1852
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Filesize: 589KB
MD5: f8d95eb8c84c6de968a90496256180b1
SHA1: 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535
SHA256: d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de
SHA512: 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

Filesize: 6KB
MD5: 76c291ca73ead8003d50ec0c6bc64c68
SHA1: 9a2bec8d53f7578559dbf312ff5ad972157c3b37
SHA256: 4b52db3421aa2dd9d82ae0e2954a15f84695461b7a34d898606afbceb284da7b
SHA512: 2bedd21cc83850807b8a9a237fb31ef20f6ea6931ce4a7b53157e42b6a3d5f75c8698a84ca089b0c4bfe67ecbf48edbd878792477cca2cf7b8bf7210393c52dc

Filesize: 206KB
MD5: c51e8794fdca57d2edafddf0b73641cd
SHA1: bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1
SHA256: 3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea
SHA512: cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

Filesize: 206KB
MD5: 52669d51f668c98b328cf3083c79fd25
SHA1: a735f61d43ff9ec0e058615566d4e7008a3c1ff5
SHA256: 345d98e49a315383ebcd4c42035aa1da3ab0cfef101668ae6afb5357dde6ffbf
SHA512: 51da21ccd09877954ce8d119eeba860100cbf9311c423e68df7047130787cc77309d6b5c5f95b523b5053388648135ff6732ff8b00852658b12ff35d8d7a8270

Filesize: 207KB
MD5: f6fe7787aa988593b76ad83627aea5ac
SHA1: 590844a0efcf7994e3bf83f84380d8df82f05307
SHA256: 5dcc2a9945302607bf83039993e1809d31e0c14bdb0ed01bfaea4ee8f9795870
SHA512: cf3c3c6a30ce8cba7ab3c43d162cd950e2d0cadd1eaaacad676c86d0997c1baa98db3b14f419b8e048d2f8e626acabc1ff38b91bd29eb5a66eed3513f0e7ad03

Filesize: 206KB
MD5: d0da6bff6beea67bfde6e2e7b2c899f0
SHA1: bda28206173b4d42e01f6d5a6e3d7853d0ab7150
SHA256: 3c3678b5c738e05647a3569a2a302834d11ed91ecc74340260b5b7f2fe9b6566
SHA512: 80b379e976b48f903193469d2063314e6f99b311295ad2afdac4ef1530fb7354977b2a0fc7e6771e657b7b8da0f04361c383d89c3dba5d989a12b56a3ee77576

Filesize: 207KB
MD5: 1258e393d1a4a00d3d4a12db2cc59b52
SHA1: df1a326c10292c1ce0c801902fea3df3f83316d4
SHA256: 637a4c94b50ab456b7b97608c9e698bb590651439a9ef6f2930da4f560dde9e2
SHA512: 0820a543fa426adb09da2dde0dd718983ab7e3e44d7d8af058801fc2bc70940afe84d356c3c4b15532bcde7faa8406ec1591ddfe4ce1e95a578b8da2f0aba875