Analysis Overview
SHA256
e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df
Threat Level: Known bad
The file 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Mofksys family
Mofksys
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Detects Mofksys worm
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 08:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 08:41
Reported
2025-05-20 08:44
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A |
Mofksys
Mofksys family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"
\??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
C:\Windows\SysWOW64\at.exe
at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe RO
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe RO
C:\Windows\SysWOW64\at.exe
at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe
at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 95.100.153.159:443 | www.bing.com | tcp |
| GB | 95.100.153.159:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
| MD5 | f8d95eb8c84c6de968a90496256180b1 |
| SHA1 | 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535 |
| SHA256 | d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de |
| SHA512 | 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e |
C:\Users\Admin\AppData\Local\Temp\log.txt
| MD5 | 5ff7037e775f4a584d7480ef1b71c6e6 |
| SHA1 | c9e8377b8e23d17af3285f0c4ecd731c1ccc7427 |
| SHA256 | 546c6bdbb0b72f756dcf519c6eded5d1ca76010d7543b50af83fa2911dffc01c |
| SHA512 | 3e97c3fa5501d14075b60efb1e3e0e842137b8513406a8a8501a65b55131fab59201bcf90543a6152fa9c4acb231304a7d60c56017c8530ceb5f78becdb6766d |
C:\Users\Admin\AppData\Local\icsys.icn.exe
| MD5 | c51e8794fdca57d2edafddf0b73641cd |
| SHA1 | bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1 |
| SHA256 | 3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea |
| SHA512 | cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d |
C:\Windows\System\explorer.exe
| MD5 | e4ff0034434b8881f5ba37b7742dbf27 |
| SHA1 | f30d1e80726458220da6166be9522cdd217a5f7b |
| SHA256 | aa3f054b290b529c36b5957b79feb17d77db54905140bc6d05bb948ec7103164 |
| SHA512 | f0d84e803d805d1af7513055d43f1481832d6f0cfbada74837b5be52a42110f0694e5d303e281edee1ce6c7f4acc142dd11f9980704786a6eec2c61b7652d448 |
C:\Windows\System\spoolsv.exe
| MD5 | dcef40148c62610cd2172a6b8ebb2a4f |
| SHA1 | 37cc72a2e98c430f14592a2a3c97d57ead437208 |
| SHA256 | a3cb662390da0139fb4f9517db75745a7c1d391e0a7f62ff19289840cdb290ba |
| SHA512 | 797e88e6717712cf953d7ae3726c8a915121d27dd103ccb55db22a644897d3682af13ddb4b1de9268e3da0ff294f09dae9d40348773cf138033797fcf50def96 |
C:\Windows\System\svchost.exe
| MD5 | 4f447da3967c607c93134a51d8d9c359 |
| SHA1 | 0cd62a641d719c7eadb901e467903631ad73c8a7 |
| SHA256 | 9e83f3731b71068336400ff16bab70fed76cf1802a1cf8aba2c624e825f3e26c |
| SHA512 | 4280820ae0a9f4df57d43181cef57f43262440ec6627397fc5453a14c6d5d539c670b4cdc22eaee95c2dcbe57ef5f037f334e54523e65d8436b81d555e9c9914 |
C:\Users\Admin\AppData\Roaming\mrsys.exe
| MD5 | 718c750d69934dea79fe17ffb5443448 |
| SHA1 | db6dd8d8d4235f9ba81111726867b2fde2fae3c1 |
| SHA256 | 9afc1c4c1c57521480bf433a5aaa6038cd75b23f2d126d4a1c680cd983205f35 |
| SHA512 | 779ebfd52e0067a1f0a227a430021e225ed2b08128c5c7d020dfe0572b94e64b190f1d13cd5808e8d581c233c9b0e9f81cf5ce0b0d962b00ec32cf33cd6342fe |