178d950e74dce8c1728c3b64614b775710f2dbdd72777358c5ceee81af0586f0

Analysis

max time kernel
35s
max time network
20s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe
Size

1.4MB
MD5

2b7a88c558a055878e72d6d96e2561bc
SHA1

5b5089e85992a32d77dc837f65dbde11c547184c
SHA256

446c40c07c4474244236bc50b498b2d61c5783bd2206d366ea10b332d0146622
SHA512

7de24aafd170bf58b716af7dd27158e444141ed3ecae8001f127d04d6cb103dc38d4db542c8b8c78c30a3174bcfee4886cb664c17a2900e2b06f539ef3b79541
SSDEEP

24576:PFOapLEWuIj9T0gR1U2vfVD8sA15qkJ1K3mbDQca9L32GYa:tdwfIj9T0ujvTO6L3L

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

cru.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1788 cru.exe
2372 icsys.icn.exe
2640 explorer.exe
2760 spoolsv.exe
2780 svchost.exe
2692 spoolsv.exe
Loads dropped DLL 6 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

2108 CRU.exe
2108 CRU.exe
2372 icsys.icn.exe
2640 explorer.exe
2760 spoolsv.exe
2780 svchost.exe

pid	process
1788	cru.exe
2372	icsys.icn.exe
2640	explorer.exe
2760	spoolsv.exe
2780	svchost.exe
2692	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	CRU.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2588 schtasks.exe

pid	process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2108	CRU.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2640	explorer.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2640 explorer.exe
2780 svchost.exe

pid	process
2640	explorer.exe
2780	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

CRU.execru.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2108	CRU.exe
2108	CRU.exe
1788	cru.exe
2372	icsys.icn.exe
2372	icsys.icn.exe
2640	explorer.exe
2640	explorer.exe
2760	spoolsv.exe
2760	spoolsv.exe
2780	svchost.exe
2780	svchost.exe
2692	spoolsv.exe
2692	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2108 wrote to memory of 1788	2108	CRU.exe	cru.exe
PID 2108 wrote to memory of 1788	2108	CRU.exe	cru.exe
PID 2108 wrote to memory of 1788	2108	CRU.exe	cru.exe
PID 2108 wrote to memory of 1788	2108	CRU.exe	cru.exe
PID 2108 wrote to memory of 2372	2108	CRU.exe	icsys.icn.exe
PID 2108 wrote to memory of 2372	2108	CRU.exe	icsys.icn.exe
PID 2108 wrote to memory of 2372	2108	CRU.exe	icsys.icn.exe
PID 2108 wrote to memory of 2372	2108	CRU.exe	icsys.icn.exe
PID 2372 wrote to memory of 2640	2372	icsys.icn.exe	explorer.exe
PID 2372 wrote to memory of 2640	2372	icsys.icn.exe	explorer.exe
PID 2372 wrote to memory of 2640	2372	icsys.icn.exe	explorer.exe
PID 2372 wrote to memory of 2640	2372	icsys.icn.exe	explorer.exe
PID 2640 wrote to memory of 2760	2640	explorer.exe	spoolsv.exe
PID 2640 wrote to memory of 2760	2640	explorer.exe	spoolsv.exe
PID 2640 wrote to memory of 2760	2640	explorer.exe	spoolsv.exe
PID 2640 wrote to memory of 2760	2640	explorer.exe	spoolsv.exe
PID 2760 wrote to memory of 2780	2760	spoolsv.exe	svchost.exe
PID 2760 wrote to memory of 2780	2760	spoolsv.exe	svchost.exe
PID 2760 wrote to memory of 2780	2760	spoolsv.exe	svchost.exe
PID 2760 wrote to memory of 2780	2760	spoolsv.exe	svchost.exe
PID 2780 wrote to memory of 2692	2780	svchost.exe	spoolsv.exe
PID 2780 wrote to memory of 2692	2780	svchost.exe	spoolsv.exe
PID 2780 wrote to memory of 2692	2780	svchost.exe	spoolsv.exe
PID 2780 wrote to memory of 2692	2780	svchost.exe	spoolsv.exe
PID 2640 wrote to memory of 2668	2640	explorer.exe	Explorer.exe
PID 2640 wrote to memory of 2668	2640	explorer.exe	Explorer.exe
PID 2640 wrote to memory of 2668	2640	explorer.exe	Explorer.exe
PID 2640 wrote to memory of 2668	2640	explorer.exe	Explorer.exe
PID 2780 wrote to memory of 2588	2780	svchost.exe	schtasks.exe
PID 2780 wrote to memory of 2588	2780	svchost.exe	schtasks.exe
PID 2780 wrote to memory of 2588	2780	svchost.exe	schtasks.exe
PID 2780 wrote to memory of 2588	2780	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

\??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe
"c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe "
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:56 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2668

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\cru.exe
Filesize
1.2MB

MD5
0f69af48c32613f73c6acb87a7d18661

SHA1
0756ae84f3b58aec29f4b9a2888624ca879f7856

SHA256
0351a943ca93558ff36f74c3f0c768dceb724e833e282abcf1be5b2e71d5c67b

SHA512
2b30c079831a30683aabc0effa6bb60c84a960c2bcda1ce5da204bebc2050a359ec2cf36df426a0d227165afb9c4b9401fd0316b2504394c7876ed177fff2377

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
675f0f11cf05839416bb2f5aa63abf57

SHA1
7ad8c389dbce01fe67856b2d66505a431950003a

SHA256
59cb0de967354149892cdde3bb65880f4c324f9c37813a69fd4690dbfed87e1a

SHA512
2c540f90dea8279b9394cdafb37f0b64f44b410372645d7e379d9f8863fa42ee19072edd28c87d2189f64f8dc51508ac725cfc5b7e594ac98795dedc2a131669

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
78e801e7877757620e7e008ec9a130ee

SHA1
9d3b7b5cc5f2e1dbee2f4b8a203cb6de53379839

SHA256
241da1c70ce54d3cd8c3654d8638b12d4640a608d82c8d2dea92a37eee002adc

SHA512
c56f5d29d1baee2a63a801f8f5c961a98bc5bd2b0b94a050a16c72c95cf42690750b384f64205bda3a01d52dd04f6a42330dfc3a3ced41131729a17d41a92632

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
2f0eb017a93ae4db7f213c4fb2d8fe42

SHA1
6983d7b6a3ccc5f443e7f867ff14d62363162166

SHA256
61ae191d69633ab85b1dbb7bcf4bbad0711ce4dc80a6c471493e7cb0bd536d26

SHA512
fcdbced3a6891426f50a935809aeb03a3afe9607b3f1b0074b6d44d3152f67b5ae3db1cb9fad513e7d400fa21b649c1603fa9bf3aa04ce5dccfada0b8c2e4405

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
ca9e661f10b738d5a72af419b787d42f

SHA1
e1a9050b4acfc0f91350ce9af312a9da799f5049

SHA256
cf361042f488cb3b1a180e5dac38e22ad5f8d3a8a307f61a0e0576f06b8a0ddc

SHA512
5ca527af95cc65f519180a96175bdac2447ff3970e4d80f5b275179888e25d632cc5d8d8f688267c4c9598f6aab9317812c4ee6be589004eb8447be1aa65e1dc

Download Submit
memory/1788-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1788-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1788-61-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2108-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-23-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2372-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-35-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2692-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-45-0x0000000000390000-0x00000000003AF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads