178d950e74dce8c1728c3b64614b775710f2dbdd72777358c5ceee81af0586f0

Analysis

max time kernel
121s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe
Size

1.4MB
MD5

2b7a88c558a055878e72d6d96e2561bc
SHA1

5b5089e85992a32d77dc837f65dbde11c547184c
SHA256

446c40c07c4474244236bc50b498b2d61c5783bd2206d366ea10b332d0146622
SHA512

7de24aafd170bf58b716af7dd27158e444141ed3ecae8001f127d04d6cb103dc38d4db542c8b8c78c30a3174bcfee4886cb664c17a2900e2b06f539ef3b79541
SSDEEP

24576:PFOapLEWuIj9T0gR1U2vfVD8sA15qkJ1K3mbDQca9L32GYa:tdwfIj9T0ujvTO6L3L

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

cru.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

4328 cru.exe
4864 icsys.icn.exe
2088 explorer.exe
4712 spoolsv.exe
4044 svchost.exe
4472 spoolsv.exe

pid	process
4328	cru.exe
4864	icsys.icn.exe
2088	explorer.exe
4712	spoolsv.exe
4044	svchost.exe
4472	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	CRU.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CRU.exeicsys.icn.exe

pid	process
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
3184	CRU.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
4864	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2088 explorer.exe
4044 svchost.exe

pid	process
2088	explorer.exe
4044	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

CRU.execru.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3184	CRU.exe
3184	CRU.exe
4328	cru.exe
4864	icsys.icn.exe
4864	icsys.icn.exe
2088	explorer.exe
2088	explorer.exe
4712	spoolsv.exe
4712	spoolsv.exe
4044	svchost.exe
4044	svchost.exe
4472	spoolsv.exe
4472	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

CRU.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3184 wrote to memory of 4328	3184	CRU.exe	cru.exe
PID 3184 wrote to memory of 4328	3184	CRU.exe	cru.exe
PID 3184 wrote to memory of 4328	3184	CRU.exe	cru.exe
PID 3184 wrote to memory of 4864	3184	CRU.exe	icsys.icn.exe
PID 3184 wrote to memory of 4864	3184	CRU.exe	icsys.icn.exe
PID 3184 wrote to memory of 4864	3184	CRU.exe	icsys.icn.exe
PID 4864 wrote to memory of 2088	4864	icsys.icn.exe	explorer.exe
PID 4864 wrote to memory of 2088	4864	icsys.icn.exe	explorer.exe
PID 4864 wrote to memory of 2088	4864	icsys.icn.exe	explorer.exe
PID 2088 wrote to memory of 4712	2088	explorer.exe	spoolsv.exe
PID 2088 wrote to memory of 4712	2088	explorer.exe	spoolsv.exe
PID 2088 wrote to memory of 4712	2088	explorer.exe	spoolsv.exe
PID 4712 wrote to memory of 4044	4712	spoolsv.exe	svchost.exe
PID 4712 wrote to memory of 4044	4712	spoolsv.exe	svchost.exe
PID 4712 wrote to memory of 4044	4712	spoolsv.exe	svchost.exe
PID 4044 wrote to memory of 4472	4044	svchost.exe	spoolsv.exe
PID 4044 wrote to memory of 4472	4044	svchost.exe	spoolsv.exe
PID 4044 wrote to memory of 4472	4044	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184

\??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe
"c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe "
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\cru.exe
Filesize
1.2MB

MD5
0f69af48c32613f73c6acb87a7d18661

SHA1
0756ae84f3b58aec29f4b9a2888624ca879f7856

SHA256
0351a943ca93558ff36f74c3f0c768dceb724e833e282abcf1be5b2e71d5c67b

SHA512
2b30c079831a30683aabc0effa6bb60c84a960c2bcda1ce5da204bebc2050a359ec2cf36df426a0d227165afb9c4b9401fd0316b2504394c7876ed177fff2377

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
e53c22a8b56e7013c31fcd55916d791a

SHA1
aa9c7badab7389af6de3fb0ecb087dc1bda36e6b

SHA256
9ed8b61221da2b0dd43c41b8edac8390087e5e3433f90f2c3940196eab8b46a1

SHA512
6ac2069cfccb35334021f336ce954ed0e16b9e00ec4f3cfb0561d45f47d692e42388fadef0255c54ba7464d49d070e287c515139cc7649321089d0aa04366d63

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
675f0f11cf05839416bb2f5aa63abf57

SHA1
7ad8c389dbce01fe67856b2d66505a431950003a

SHA256
59cb0de967354149892cdde3bb65880f4c324f9c37813a69fd4690dbfed87e1a

SHA512
2c540f90dea8279b9394cdafb37f0b64f44b410372645d7e379d9f8863fa42ee19072edd28c87d2189f64f8dc51508ac725cfc5b7e594ac98795dedc2a131669

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
88f45fd9f0a63d7cc207ebca14105f00

SHA1
f616d12a28abf3eb974d9e3068a897a3448923ab

SHA256
c98019a70c5ec365e8475396df535974b4c4a2fc2d2d4ae729da78726a7da46e

SHA512
e4cdabab3c95906d361bfd80affa4860f8fbef58c0a03cd072f1c4805da8f9fb2536fec029960cb3ebddbb8385bf4cfaa60bc14bf745637539e59767f2089136

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
477bb0bdeeca95da89c147838cfb96aa

SHA1
46190b07411af014c5ff31b191b2966197349744

SHA256
e7221e9a161e1dc23f0eaf2328db530d93cd45becfe1874ccde6d6f351ce22bc

SHA512
0f4fc5346b8daa6fb159e5d1bf5ff8103355298d8c0d50718e2654947f067db5eac78ba5f9677a2486a88683c623dce9c7c312e04a80310e15b97b51a4d59a01

Download Submit
memory/3184-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3184-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4328-9-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4328-49-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4472-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4712-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download