Analysis
max time kernel: 150s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:41
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Resource: win10v2004-20250502-en
General
Target: 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Size: 796KB
MD5: fa1ed73ab92df03d34b6282b0a40c12c
SHA1: c6bb0cddba12973c6d56d08b603c0f46fa2b6869
SHA256: e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df
SHA512: 496c7fc1514dadde0e7524823f1c5964519467edc4feb3d907a51e04a52a17495ff8186572a63c4f6a45abfd4b35206679cf0ac0705d52862c8857992e3f7e1b
SSDEEP: 12288:zENN+T5xYrllrU7QY67ubXcwafJcLln5QwnVWqqPIBONhxsU/Eb:Z5xolYQY67urP90r/xsU/Eb
Malware Config
Signatures

Detects Mofksys worm (5 IoCs)
resource  yara_rule
behavioral1/files/0x00080000000240ba-59.dat  family_mofksys
behavioral1/files/0x00090000000240c8-66.dat  family_mofksys
behavioral1/files/0x00090000000240cf-75.dat  family_mofksys
behavioral1/files/0x00090000000240d5-83.dat  family_mofksys
behavioral1/files/0x000a0000000240d1-94.dat  family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe
Mofksys family
Note: the family names in the sample's file name (black-basta, cobalt-strike, elex, luca-stealer) are part of the name as submitted; the only family signature that fired in this run is Mofksys.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  explorer.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  svchost.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  svchost.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  svchost.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  svchost.exe
Executes dropped EXE (8 IoCs)
pid  Process
4604  2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
1120  icsys.icn.exe
3876  explorer.exe
3644  spoolsv.exe
1080  svchost.exe
2356  spoolsv.exe
3484  explorer.exe
2100  svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  svchost.exe
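The four registry signatures above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) translate directly into a host-side triage check. The script below is an added example and not part of the sandbox output: it runs over records constructed from the IoCs listed above plus one benign control row (the (operation, key, name, data, process) layout is an assumed record format, not a real Sysmon or ETW schema) and flags what a responder would want flagged: a Shell value other than the bare explorer.exe, Active Setup component keys that are not well-formed GUIDs, StubPath and Run/RunOnce targets outside system directories, and ShowSuperHidden switched back to 0.

```python
"""Registry persistence triage for the IoCs in this report.

Added example; not part of the sandbox output. EVENTS is constructed from the
"Set value" / "Key created" IoCs above plus one benign control row; the
(op, key, name, data, process) layout is an assumption, not a real log schema.
"""
import re

EVENTS = [
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    ("Set value",
     r"\REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", "0", "svchost.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
     None, None, "explorer.exe"),
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
     "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Svchost", r"c:\windows\system\svchost.exe RO", "explorer.exe"),
    # Constructed benign control row: a Run entry pointing into system32 must not fire.
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe", "msiexec.exe"),
]

# Active Setup component keys are GUIDs; the ones in this report contain non-hex letters.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Directories a StubPath or Run/RunOnce target is expected to live in. c:\windows\system
# (no "32", the legacy 16-bit directory the report's copies land in) is deliberately absent.
TRUSTED_DIR_RE = re.compile(
    r"^(%windir%|%systemroot%|c:\\windows\\(system32|syswow64)\\|c:\\program files)", re.I)


def first_path(cmdline):
    """Executable part of a command line: the quoted token if quoted, otherwise
    everything up to the first '.exe' (so an unquoted 'C:\\Program Files\\x.exe arg'
    stays whole); falls back to the first whitespace-delimited token."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def check_event(op, key, name, data, proc):
    """Return the findings (strings) for one registry event; empty list if clean."""
    findings = []
    k = key.lower()
    n = (name or "").lower()
    if k.endswith("\\winlogon") and n == "shell":
        # The default is the bare value "explorer.exe"; every extra comma-separated
        # entry (here c:\windows\system\explorer.exe) is started at each logon.
        if [e.strip().lower() for e in data.split(",")] != ["explorer.exe"]:
            findings.append(f"Winlogon Shell changed to {data!r} by {proc}")
    if "\\active setup\\installed components\\" in k:
        component = key.rsplit("\\", 1)[1]
        if not GUID_RE.match(component):
            findings.append(f"Active Setup component {component} is not a GUID ({proc})")
        if n == "stubpath" and not TRUSTED_DIR_RE.match(first_path(data)):
            findings.append(f"Active Setup StubPath outside system dirs: {data!r} ({proc})")
    if re.search(r"\\currentversion\\run(once)?$", k) and data is not None:
        if not TRUSTED_DIR_RE.match(first_path(data)):
            findings.append(f"Run/RunOnce value {name} -> {data!r} from a non-system dir ({proc})")
    if k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and data == "0":
        findings.append(f"ShowSuperHidden set to 0 by {proc} (re-hides protected OS files)")
    return findings


def scan(events):
    """Run check_event over every record and return the flattened findings."""
    return [f for ev in events for f in check_event(*ev)]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Two points the check relies on: every machine-wide key in this report sits under WOW6432Node because the sample is 32-bit (the resource tags list arch:x86) and the registry redirector maps its HKLM\SOFTWARE writes there, so a sweep that reads only the native 64-bit view misses all of it; and c:\windows\system is not c:\windows\system32, which is why the trusted-directory list leaves it out even though it is under C:\Windows.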
Drops file in Windows directory (6 IoCs)
description  ioc  Process
File opened for modification  \??\c:\windows\system\explorer.exe  icsys.icn.exe
File opened for modification  \??\c:\windows\system\spoolsv.exe  explorer.exe
File opened for modification  \??\c:\windows\system\svchost.exe  spoolsv.exe
File opened for modification  \??\c:\windows\system\explorer.exe  explorer.exe
File opened for modification  \??\c:\windows\system\svchost.exe  svchost.exe
File opened for modification  C:\Windows\system\udsys.exe  explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  at.exe (3 events)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe (2 events)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icsys.icn.exe (1 event)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe (2 events)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  spoolsv.exe (2 events)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
1120  icsys.icn.exe (2 events)
3876  explorer.exe (34 events)
1080  svchost.exe (28 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid  Process
3876  explorer.exe
1080  svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid  Process
3252  2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe (2 events)
1120  icsys.icn.exe (2 events)
3876  explorer.exe (4 events)
3644  spoolsv.exe (2 events)
1080  svchost.exe (2 events)
2356  spoolsv.exe (2 events)
3484  explorer.exe (2 events)
2100  svchost.exe (2 events)
Suspicious use of WriteProcessMemory (33 IoCs; each write below is recorded three times in the report)
description  pid  Process  procid_target
PID 3252 wrote to memory of 4604  3252  2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe  85
PID 3252 wrote to memory of 1120  3252  2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe  86
PID 1120 wrote to memory of 3876  1120  icsys.icn.exe  87
PID 3876 wrote to memory of 3644  3876  explorer.exe  88
PID 3644 wrote to memory of 1080  3644  spoolsv.exe  89
PID 1080 wrote to memory of 2356  1080  svchost.exe  91
PID 1080 wrote to memory of 436  1080  svchost.exe  96
PID 4972 wrote to memory of 3484  4972  cmd.exe  98
PID 592 wrote to memory of 2100  592  cmd.exe  99
PID 1080 wrote to memory of 516  1080  svchost.exe  119
PID 1080 wrote to memory of 2996  1080  svchost.exe  122
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"
PID: 3252
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
    command line: c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
    PID: 4604
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\icsys.icn.exe
    command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    PID: 1120
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\explorer.exe
        command line: c:\windows\system\explorer.exe
        PID: 3876
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe SE
            PID: 3644
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                \??\c:\windows\system\svchost.exe
                command line: c:\windows\system\svchost.exe
                PID: 1080
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Boot or Logon Autostart Execution: Active Setup
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                    \??\c:\windows\system\spoolsv.exe
                    command line: c:\windows\system\spoolsv.exe PR
                    PID: 2356
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx

                    C:\Windows\SysWOW64\at.exe
                    command line: at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 436
                    - System Location Discovery: System Language Discovery

                    C:\Windows\SysWOW64\at.exe
                    command line: at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 516
                    - System Location Discovery: System Language Discovery

                    C:\Windows\SysWOW64\at.exe
                    command line: at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2996
                    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
PID: 4972
- Suspicious use of WriteProcessMemory

    \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe RO
    PID: 3484
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
PID: 592
- Suspicious use of WriteProcessMemory

    \??\c:\windows\system\svchost.exe
    command line: c:\windows\system\svchost.exe RO
    PID: 2100
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
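The process tree above carries three things worth encoding as a check: Windows binary names (explorer.exe, spoolsv.exe, svchost.exe) launched from c:\windows\system rather than from the directories they are installed in, at.exe used to schedule the dropped svchost.exe for every day of the week, and a launch chain that runs from the submitted sample through icsys.icn.exe down to the scheduler. The script below is an added example and not part of the sandbox output; its PROCS list is constructed from the Processes section as (pid, parent pid, image path, command line), an assumed record layout rather than a sandbox or Sysmon schema, and covers a subset of the tree.

```python
"""Masquerading and scheduled-job triage over the process tree in this report.

Added example; not part of the sandbox output. PROCS is constructed from the
Processes section as (pid, ppid, image path, command line); the layout is an
assumption, and ppid 0 marks a process whose parent is not in the tree.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe")

PROCS = [
    (3252, 0,    SAMPLE, SAMPLE),
    (4604, 3252, SAMPLE.lower(), SAMPLE.lower()),
    (1120, 3252, r"C:\Users\Admin\AppData\Local\icsys.icn.exe", r"C:\Users\Admin\AppData\Local\icsys.icn.exe"),
    (3876, 1120, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (3644, 3876, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (1080, 3644, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (2356, 1080, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    (436,  1080, r"C:\Windows\SysWOW64\at.exe",
     r"at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (516,  1080, r"C:\Windows\SysWOW64\at.exe",
     r"at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (4972, 0,    r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO"),
    (3484, 4972, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe RO"),
]

# Where each well-known binary name lives on a stock install. c:\windows\system
# (the legacy 16-bit directory the copies are dropped into) is deliberately absent.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "at.exe":       {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def masquerading(procs):
    """(pid, image) for every process whose image name is a known Windows binary
    but whose directory is not one the real binary is installed in."""
    hits = []
    for pid, _ppid, image, _cmd in procs:
        name = ntpath.basename(image).lower()
        if name in EXPECTED_DIRS and ntpath.dirname(image).lower() not in EXPECTED_DIRS[name]:
            hits.append((pid, image))
    return hits


# "at HH:MM [options] target.exe": options are anything between the time and the target.
AT_RE = re.compile(r"^at\s+(\d{1,2}:\d{2})\s+(.*?)(\S+\.exe)\s*$", re.I)


def at_jobs(procs):
    """(time, target, interactive, recurring) for each at.exe job creation in the tree."""
    jobs = []
    for _pid, _ppid, image, cmd in procs:
        if ntpath.basename(image).lower() != "at.exe":
            continue
        m = AT_RE.match(cmd)
        if m:
            when, opts, target = m.groups()
            jobs.append((when, target, "/interactive" in opts.lower(), "/every:" in opts.lower()))
    return jobs


def ancestry(procs, pid):
    """Image names from the tree root down to pid, following ppid links."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


if __name__ == "__main__":
    for pid, image in masquerading(PROCS):
        print(f"masquerade: pid {pid} {image}")
    for job in at_jobs(PROCS):
        print("at job:", job)
    print(" -> ".join(ancestry(PROCS, 436)))
```

The directory check is the part that generalises: a name-only allowlist of system binaries would wave all five dropped copies through, because each of them has a legitimate name. The RO, SE, PR and MR arguments are carried in the command lines exactly as the report shows them and are not interpreted here.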
Network
MITRE ATT&CK Enterprise v16
Persistence
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (1)
        Hidden Files and Directories (1)
    Modify Registry (4)
Downloads

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
Filesize: 589KB
MD5: f8d95eb8c84c6de968a90496256180b1
SHA1: 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535
SHA256: d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de
SHA512: 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

Filesize: 6KB
MD5: 5ff7037e775f4a584d7480ef1b71c6e6
SHA1: c9e8377b8e23d17af3285f0c4ecd731c1ccc7427
SHA256: 546c6bdbb0b72f756dcf519c6eded5d1ca76010d7543b50af83fa2911dffc01c
SHA512: 3e97c3fa5501d14075b60efb1e3e0e842137b8513406a8a8501a65b55131fab59201bcf90543a6152fa9c4acb231304a7d60c56017c8530ceb5f78becdb6766d

Filesize: 206KB
MD5: c51e8794fdca57d2edafddf0b73641cd
SHA1: bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1
SHA256: 3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea
SHA512: cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

Filesize: 207KB
MD5: 718c750d69934dea79fe17ffb5443448
SHA1: db6dd8d8d4235f9ba81111726867b2fde2fae3c1
SHA256: 9afc1c4c1c57521480bf433a5aaa6038cd75b23f2d126d4a1c680cd983205f35
SHA512: 779ebfd52e0067a1f0a227a430021e225ed2b08128c5c7d020dfe0572b94e64b190f1d13cd5808e8d581c233c9b0e9f81cf5ce0b0d962b00ec32cf33cd6342fe

Filesize: 206KB
MD5: e4ff0034434b8881f5ba37b7742dbf27
SHA1: f30d1e80726458220da6166be9522cdd217a5f7b
SHA256: aa3f054b290b529c36b5957b79feb17d77db54905140bc6d05bb948ec7103164
SHA512: f0d84e803d805d1af7513055d43f1481832d6f0cfbada74837b5be52a42110f0694e5d303e281edee1ce6c7f4acc142dd11f9980704786a6eec2c61b7652d448

Filesize: 206KB
MD5: dcef40148c62610cd2172a6b8ebb2a4f
SHA1: 37cc72a2e98c430f14592a2a3c97d57ead437208
SHA256: a3cb662390da0139fb4f9517db75745a7c1d391e0a7f62ff19289840cdb290ba
SHA512: 797e88e6717712cf953d7ae3726c8a915121d27dd103ccb55db22a644897d3682af13ddb4b1de9268e3da0ff294f09dae9d40348773cf138033797fcf50def96

Filesize: 206KB
MD5: 4f447da3967c607c93134a51d8d9c359
SHA1: 0cd62a641d719c7eadb901e467903631ad73c8a7
SHA256: 9e83f3731b71068336400ff16bab70fed76cf1802a1cf8aba2c624e825f3e26c
SHA512: 4280820ae0a9f4df57d43181cef57f43262440ec6627397fc5453a14c6d5d539c670b4cdc22eaee95c2dcbe57ef5f037f334e54523e65d8436b81d555e9c9914