Analysis
Max time kernel: 35s
Max time network: 20s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 01-07-2024 02:54
Behavioral tasks (task: sample, resource)
- behavioral1: Lowkey Cracked_ BYKali.zip, win7-20240611-en
- behavioral2: Lowkey Cracked_ BYKali.zip, win10v2004-20240508-en
- behavioral3: Lowkey Cracked_ BYKali/Loader_protected.exe, win7-20240611-en
- behavioral4: Lowkey Cracked_ BYKali/Loader_protected.exe, win10v2004-20240611-en
- behavioral5: Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe, win7-20240508-en
- behavioral6: Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe, win10v2004-20240508-en
- behavioral7: Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe, win7-20240508-en
- behavioral8: Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe, win10v2004-20240611-en
- behavioral9: Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat, win7-20240508-en
- behavioral10: Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat, win10v2004-20240611-en
- behavioral11: Lowkey Cracked_ BYKali/last_login.txt, win7-20240221-en
- behavioral12: Lowkey Cracked_ BYKali/last_login.txt, win10v2004-20240611-en
- behavioral13: Lowkey Cracked_ BYKali/libcurl.dll, win7-20240419-en
- behavioral14: Lowkey Cracked_ BYKali/libcurl.dll, win10v2004-20240611-en
- behavioral15: Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337, win7-20240611-en
- behavioral16: Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337, win10v2004-20240508-en
- behavioral17: Lowkey Cracked_ BYKali/zlib1.dll, win7-20240220-en
- behavioral18: Lowkey Cracked_ BYKali/zlib1.dll, win10v2004-20240226-en
General
Target: Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe
Size: 1.4MB
MD5: 2b7a88c558a055878e72d6d96e2561bc
SHA1: 5b5089e85992a32d77dc837f65dbde11c547184c
SHA256: 446c40c07c4474244236bc50b498b2d61c5783bd2206d366ea10b332d0146622
SHA512: 7de24aafd170bf58b716af7dd27158e444141ed3ecae8001f127d04d6cb103dc38d4db542c8b8c78c30a3174bcfee4886cb664c17a2900e2b06f539ef3b79541
SSDEEP: 24576:PFOapLEWuIj9T0gR1U2vfVD8sA15qkJ1K3mbDQca9L32GYa:tdwfIj9T0ujvTO6L3L
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes (process: description, ioc):
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 1788 cru.exe
- 2372 icsys.icn.exe
- 2640 explorer.exe
- 2760 spoolsv.exe
- 2780 svchost.exe
- 2692 spoolsv.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2108 CRU.exe (2 IoCs)
- 2372 icsys.icn.exe
- 2640 explorer.exe
- 2760 spoolsv.exe
- 2780 svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (process: description, ioc):
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"

Drops file in System32 directory (2 IoCs)
Processes (process: description, ioc):
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory (4 IoCs)
Processes (process: description, ioc):
- CRU.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process; repeated entries collapsed, count in parentheses):
- 2108 CRU.exe (16)
- 2372 icsys.icn.exe (17)
- 2640 explorer.exe (16)
- 2780 svchost.exe (15)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
- 2640 explorer.exe
- 2780 svchost.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes (pid, process; repeated entries collapsed, count in parentheses):
- 2108 CRU.exe (2)
- 1788 cru.exe (1)
- 2372 icsys.icn.exe (2)
- 2640 explorer.exe (2)
- 2760 spoolsv.exe (2)
- 2780 svchost.exe (2)
- 2692 spoolsv.exe (2)

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (source pid/process, target pid/process; each entry recorded 4 times):
- PID 2108 CRU.exe wrote to memory of 1788 cru.exe
- PID 2108 CRU.exe wrote to memory of 2372 icsys.icn.exe
- PID 2372 icsys.icn.exe wrote to memory of 2640 explorer.exe
- PID 2640 explorer.exe wrote to memory of 2760 spoolsv.exe
- PID 2760 spoolsv.exe wrote to memory of 2780 svchost.exe
- PID 2780 svchost.exe wrote to memory of 2692 spoolsv.exe
- PID 2640 explorer.exe wrote to memory of 2668 Explorer.exe
- PID 2780 svchost.exe wrote to memory of 2588 schtasks.exe
Processes (process tree; nesting shows parent/child relationship, signatures listed per process)

- C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe
    Command line: "c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe "
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:56 /f
            Signatures: Scheduled Task/Job: Scheduled Task
      - C:\Windows\Explorer.exe
        Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads