Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 08:41

General

  • Target

    2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

  • Size

    796KB

  • MD5

    fa1ed73ab92df03d34b6282b0a40c12c

  • SHA1

    c6bb0cddba12973c6d56d08b603c0f46fa2b6869

  • SHA256

    e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df

  • SHA512

    496c7fc1514dadde0e7524823f1c5964519467edc4feb3d907a51e04a52a17495ff8186572a63c4f6a45abfd4b35206679cf0ac0705d52862c8857992e3f7e1b

  • SSDEEP

    12288:zENN+T5xYrllrU7QY67ubXcwafJcLln5QwnVWqqPIBONhxsU/Eb:Z5xolYQY67urP90r/xsU/Eb

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3252
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4604
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1120
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3876
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3644
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1080
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2356
            • C:\Windows\SysWOW64\at.exe
              at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:436
            • C:\Windows\SysWOW64\at.exe
              at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:516
            • C:\Windows\SysWOW64\at.exe
              at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2996
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4972
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3484
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:592
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2100

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 

          Filesize

          589KB

          MD5

          f8d95eb8c84c6de968a90496256180b1

          SHA1

          52ec2c2d0dfb4e0ee4cacf58c06308673caf7535

          SHA256

          d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de

          SHA512

          0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

        • C:\Users\Admin\AppData\Local\Temp\log.txt

          Filesize

          6KB

          MD5

          5ff7037e775f4a584d7480ef1b71c6e6

          SHA1

          c9e8377b8e23d17af3285f0c4ecd731c1ccc7427

          SHA256

          546c6bdbb0b72f756dcf519c6eded5d1ca76010d7543b50af83fa2911dffc01c

          SHA512

          3e97c3fa5501d14075b60efb1e3e0e842137b8513406a8a8501a65b55131fab59201bcf90543a6152fa9c4acb231304a7d60c56017c8530ceb5f78becdb6766d

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          c51e8794fdca57d2edafddf0b73641cd

          SHA1

          bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1

          SHA256

          3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea

          SHA512

          cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          207KB

          MD5

          718c750d69934dea79fe17ffb5443448

          SHA1

          db6dd8d8d4235f9ba81111726867b2fde2fae3c1

          SHA256

          9afc1c4c1c57521480bf433a5aaa6038cd75b23f2d126d4a1c680cd983205f35

          SHA512

          779ebfd52e0067a1f0a227a430021e225ed2b08128c5c7d020dfe0572b94e64b190f1d13cd5808e8d581c233c9b0e9f81cf5ce0b0d962b00ec32cf33cd6342fe

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          e4ff0034434b8881f5ba37b7742dbf27

          SHA1

          f30d1e80726458220da6166be9522cdd217a5f7b

          SHA256

          aa3f054b290b529c36b5957b79feb17d77db54905140bc6d05bb948ec7103164

          SHA512

          f0d84e803d805d1af7513055d43f1481832d6f0cfbada74837b5be52a42110f0694e5d303e281edee1ce6c7f4acc142dd11f9980704786a6eec2c61b7652d448

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          dcef40148c62610cd2172a6b8ebb2a4f

          SHA1

          37cc72a2e98c430f14592a2a3c97d57ead437208

          SHA256

          a3cb662390da0139fb4f9517db75745a7c1d391e0a7f62ff19289840cdb290ba

          SHA512

          797e88e6717712cf953d7ae3726c8a915121d27dd103ccb55db22a644897d3682af13ddb4b1de9268e3da0ff294f09dae9d40348773cf138033797fcf50def96

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

          MD5

          4f447da3967c607c93134a51d8d9c359

          SHA1

          0cd62a641d719c7eadb901e467903631ad73c8a7

          SHA256

          9e83f3731b71068336400ff16bab70fed76cf1802a1cf8aba2c624e825f3e26c

          SHA512

          4280820ae0a9f4df57d43181cef57f43262440ec6627397fc5453a14c6d5d539c670b4cdc22eaee95c2dcbe57ef5f037f334e54523e65d8436b81d555e9c9914