Overview

Task scores (tab, platform, score):
Overview                                     10
Static                                        7
Lowkey Cra...li.zip   windows7-x64            1
Lowkey Cra...li.zip   windows10-2004-x64      1
Lowkey Cra...ed.exe   windows7-x64            7
Lowkey Cra...ed.exe   windows10-2004-x64      7
Lowkey Cra...RU.exe   windows7-x64           10
Lowkey Cra...RU.exe   windows10-2004-x64     10
Lowkey Cra...rt.exe   windows7-x64           10
Lowkey Cra...rt.exe   windows10-2004-x64     10
Lowkey Cra...in.bat   windows7-x64            1
Lowkey Cra...in.bat   windows10-2004-x64      1
Lowkey Cra...in.txt   windows7-x64            1
Lowkey Cra...in.txt   windows10-2004-x64      1
Lowkey Cra...rl.dll   windows7-x64            1
Lowkey Cra...rl.dll   windows10-2004-x64      1
Lowkey Cra...d.1337   windows7-x64            3
Lowkey Cra...d.1337   windows10-2004-x64      3
Lowkey Cra...b1.dll   windows7-x64            1
Lowkey Cra...b1.dll   windows10-2004-x64      1

Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 02:54
Behavioral tasks (task, sample, resource):
behavioral1    Lowkey Cracked_ BYKali.zip                                                  win7-20240611-en
behavioral2    Lowkey Cracked_ BYKali.zip                                                  win10v2004-20240508-en
behavioral3    Lowkey Cracked_ BYKali/Loader_protected.exe                                 win7-20240611-en
behavioral4    Lowkey Cracked_ BYKali/Loader_protected.exe                                 win10v2004-20240611-en
behavioral5    Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                                win7-20240508-en
behavioral6    Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                                win10v2004-20240508-en
behavioral7    Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                            win7-20240508-en
behavioral8    Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                            win10v2004-20240611-en
behavioral9    Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat     win7-20240508-en
behavioral10   Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat     win10v2004-20240611-en
behavioral11   Lowkey Cracked_ BYKali/last_login.txt                                       win7-20240221-en
behavioral12   Lowkey Cracked_ BYKali/last_login.txt                                       win10v2004-20240611-en
behavioral13   Lowkey Cracked_ BYKali/libcurl.dll                                          win7-20240419-en
behavioral14   Lowkey Cracked_ BYKali/libcurl.dll                                          win10v2004-20240611-en
behavioral15   Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                            win7-20240611-en
behavioral16   Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                            win10v2004-20240508-en
behavioral17   Lowkey Cracked_ BYKali/zlib1.dll                                            win7-20240220-en
behavioral18   Lowkey Cracked_ BYKali/zlib1.dll                                            win10v2004-20240226-en
General
- Target: Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337
- Size: 1KB
- MD5: eb7d7eca7af04125ed71b7c578d3fa73
- SHA1: 89eaeb800f81d8437ea7b8ee0086c4e5ba999336
- SHA256: 2b643ee0c64e8b915d4e38161cd6b8eb8664f43f88455b3d2da8ab7d271403b5
- SHA512: e405ca6fc480e4c53754b13632166a7b810c0365003b2ea68d7a086901b15c59dfd086413d07057822b13373059ea55ba1d625c4c24ce9839fb7c153721fc8a2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  Description       IoC                                                                                                                                                              Process
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.1337                                                                                         rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.1337\ = "1337_auto_file"                                                                     rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file\shell\Read\command                                                             rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file                                                                                rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file\                                                                               rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file\shell                                                                          rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings                                                                                rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\1337_auto_file\shell\Read                                                                     rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  PID    Process
  2720   AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  PID    Process
  2720   AcroRd32.exe
  2720   AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  Description                        PID    Process        Target process
  PID 3020 wrote to memory of 2612   3020   cmd.exe        rundll32.exe
  PID 3020 wrote to memory of 2612   3020   cmd.exe        rundll32.exe
  PID 3020 wrote to memory of 2612   3020   cmd.exe        rundll32.exe
  PID 2612 wrote to memory of 2720   2612   rundll32.exe   AcroRd32.exe
  PID 2612 wrote to memory of 2720   2612   rundll32.exe   AcroRd32.exe
  PID 2612 wrote to memory of 2720   2612   rundll32.exe   AcroRd32.exe
  PID 2612 wrote to memory of 2720   2612   rundll32.exe   AcroRd32.exe
Processes (process tree, depth in parentheses)
- (1) C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\lowkey-spoofer-fixed.1337"
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\lowkey-spoofer-fixed.1337
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - (3) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\lowkey-spoofer-fixed.1337"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 7b1fcba1ed6f38b0533d15f1a41eb74b
  SHA1: ed913f2c2d275bc130477240dd95f7e3cbe0483f
  SHA256: 57fed48b9bedcab9f7cc9e04e46f07e9b7658464d3f8d94792059d3b3f08a513
  SHA512: 46d610a4a8c4495f50a91746e56992d38e4f5bda1aefaf7fe2456a734aa0e77b590a426eb8f2f57614e715fac7da4001ddcfb91e2ecdb092f3c89745cd965345