Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 08:36

General

  • Target

    2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

  • Size

    796KB

  • MD5

    fa1ed73ab92df03d34b6282b0a40c12c

  • SHA1

    c6bb0cddba12973c6d56d08b603c0f46fa2b6869

  • SHA256

    e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df

  • SHA512

    496c7fc1514dadde0e7524823f1c5964519467edc4feb3d907a51e04a52a17495ff8186572a63c4f6a45abfd4b35206679cf0ac0705d52862c8857992e3f7e1b

  • SSDEEP

    12288:zENN+T5xYrllrU7QY67ubXcwafJcLln5QwnVWqqPIBONhxsU/Eb:Z5xolYQY67urP90r/xsU/Eb

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in Visual Basic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5688
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5396
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2232
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:772
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4516
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5988
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2404
            • C:\Windows\SysWOW64\at.exe
              at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3476
            • C:\Windows\SysWOW64\at.exe
              at 08:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:6036
            • C:\Windows\SysWOW64\at.exe
              at 08:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:628
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4500
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:384
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4784
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1852

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 

          Filesize

          589KB

          MD5

          f8d95eb8c84c6de968a90496256180b1

          SHA1

          52ec2c2d0dfb4e0ee4cacf58c06308673caf7535

          SHA256

          d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de

          SHA512

          0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

        • C:\Users\Admin\AppData\Local\Temp\log.txt

          Filesize

          6KB

          MD5

          76c291ca73ead8003d50ec0c6bc64c68

          SHA1

          9a2bec8d53f7578559dbf312ff5ad972157c3b37

          SHA256

          4b52db3421aa2dd9d82ae0e2954a15f84695461b7a34d898606afbceb284da7b

          SHA512

          2bedd21cc83850807b8a9a237fb31ef20f6ea6931ce4a7b53157e42b6a3d5f75c8698a84ca089b0c4bfe67ecbf48edbd878792477cca2cf7b8bf7210393c52dc

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          c51e8794fdca57d2edafddf0b73641cd

          SHA1

          bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1

          SHA256

          3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea

          SHA512

          cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          52669d51f668c98b328cf3083c79fd25

          SHA1

          a735f61d43ff9ec0e058615566d4e7008a3c1ff5

          SHA256

          345d98e49a315383ebcd4c42035aa1da3ab0cfef101668ae6afb5357dde6ffbf

          SHA512

          51da21ccd09877954ce8d119eeba860100cbf9311c423e68df7047130787cc77309d6b5c5f95b523b5053388648135ff6732ff8b00852658b12ff35d8d7a8270

        • C:\Windows\System\explorer.exe

          Filesize

          207KB

          MD5

          f6fe7787aa988593b76ad83627aea5ac

          SHA1

          590844a0efcf7994e3bf83f84380d8df82f05307

          SHA256

          5dcc2a9945302607bf83039993e1809d31e0c14bdb0ed01bfaea4ee8f9795870

          SHA512

          cf3c3c6a30ce8cba7ab3c43d162cd950e2d0cadd1eaaacad676c86d0997c1baa98db3b14f419b8e048d2f8e626acabc1ff38b91bd29eb5a66eed3513f0e7ad03

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          d0da6bff6beea67bfde6e2e7b2c899f0

          SHA1

          bda28206173b4d42e01f6d5a6e3d7853d0ab7150

          SHA256

          3c3678b5c738e05647a3569a2a302834d11ed91ecc74340260b5b7f2fe9b6566

          SHA512

          80b379e976b48f903193469d2063314e6f99b311295ad2afdac4ef1530fb7354977b2a0fc7e6771e657b7b8da0f04361c383d89c3dba5d989a12b56a3ee77576

        • C:\Windows\System\svchost.exe

          Filesize

          207KB

          MD5

          1258e393d1a4a00d3d4a12db2cc59b52

          SHA1

          df1a326c10292c1ce0c801902fea3df3f83316d4

          SHA256

          637a4c94b50ab456b7b97608c9e698bb590651439a9ef6f2930da4f560dde9e2

          SHA512

          0820a543fa426adb09da2dde0dd718983ab7e3e44d7d8af058801fc2bc70940afe84d356c3c4b15532bcde7faa8406ec1591ddfe4ce1e95a578b8da2f0aba875