Overview (score 10)
Static (score 7)

Behavioral task tabs (sample name as truncated in the page's tab strip, platform, score):
  Lowkey Cra...li.zip   windows7-x64         1
  Lowkey Cra...li.zip   windows10-2004-x64   1
  Lowkey Cra...ed.exe   windows7-x64         7
  Lowkey Cra...ed.exe   windows10-2004-x64   7
  Lowkey Cra...RU.exe   windows7-x64         10
  Lowkey Cra...RU.exe   windows10-2004-x64   10
  Lowkey Cra...rt.exe   windows7-x64         10
  Lowkey Cra...rt.exe   windows10-2004-x64   10
  Lowkey Cra...in.bat   windows7-x64         1
  Lowkey Cra...in.bat   windows10-2004-x64   1
  Lowkey Cra...in.txt   windows7-x64         1
  Lowkey Cra...in.txt   windows10-2004-x64   1
  Lowkey Cra...rl.dll   windows7-x64         1
  Lowkey Cra...rl.dll   windows10-2004-x64   1
  Lowkey Cra...d.1337   windows7-x64         3
  Lowkey Cra...d.1337   windows10-2004-x64   3
  Lowkey Cra...b1.dll   windows7-x64         1
  Lowkey Cra...b1.dll   windows10-2004-x64   1
Analysis

max time kernel: 121s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 02:54
Behavioral tasks

task          sample                                                                   resource
behavioral1   Lowkey Cracked_ BYKali.zip                                               win7-20240611-en
behavioral2   Lowkey Cracked_ BYKali.zip                                               win10v2004-20240508-en
behavioral3   Lowkey Cracked_ BYKali/Loader_protected.exe                              win7-20240611-en
behavioral4   Lowkey Cracked_ BYKali/Loader_protected.exe                              win10v2004-20240611-en
behavioral5   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                             win7-20240508-en
behavioral6   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                             win10v2004-20240508-en
behavioral7   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                         win7-20240508-en
behavioral8   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                         win10v2004-20240611-en
behavioral9   Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat  win7-20240508-en
behavioral10  Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat  win10v2004-20240611-en
behavioral11  Lowkey Cracked_ BYKali/last_login.txt                                    win7-20240221-en
behavioral12  Lowkey Cracked_ BYKali/last_login.txt                                    win10v2004-20240611-en
behavioral13  Lowkey Cracked_ BYKali/libcurl.dll                                       win7-20240419-en
behavioral14  Lowkey Cracked_ BYKali/libcurl.dll                                       win10v2004-20240611-en
behavioral15  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                         win7-20240611-en
behavioral16  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                         win10v2004-20240508-en
behavioral17  Lowkey Cracked_ BYKali/zlib1.dll                                         win7-20240220-en
behavioral18  Lowkey Cracked_ BYKali/zlib1.dll                                         win10v2004-20240226-en

The analysis below is behavioral6 (CRU.exe on win10v2004-20240508-en).
General

Target: Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe
Size: 1.4MB
MD5: 2b7a88c558a055878e72d6d96e2561bc
SHA1: 5b5089e85992a32d77dc837f65dbde11c547184c
SHA256: 446c40c07c4474244236bc50b498b2d61c5783bd2206d366ea10b332d0146622
SHA512: 7de24aafd170bf58b716af7dd27158e444141ed3ecae8001f127d04d6cb103dc38d4db542c8b8c78c30a3174bcfee4886cb664c17a2900e2b06f539ef3b79541
SSDEEP: 24576:PFOapLEWuIj9T0gR1U2vfVD8sA15qkJ1K3mbDQca9L32GYa:tdwfIj9T0ujvTO6L3L
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (svchost.exe)
Executes dropped EXE (6 IoCs)
Processes: cru.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  PID 4328  cru.exe
  PID 4864  icsys.icn.exe
  PID 2088  explorer.exe
  PID 4712  spoolsv.exe
  PID 4044  svchost.exe
  PID 4472  spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  (explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  (explorer.exe)

Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
  File opened for modification C:\Windows\SysWOW64\explorer.exe  (explorer.exe)
  File opened for modification C:\Windows\SysWOW64\explorer.exe  (svchost.exe)

Drops file in Windows directory (5 IoCs)
Processes: CRU.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
  File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe  (CRU.exe)
  File opened for modification \??\c:\windows\resources\themes\explorer.exe  (icsys.icn.exe)
  File opened for modification \??\c:\windows\resources\spoolsv.exe  (explorer.exe)
  File opened for modification \??\c:\windows\resources\svchost.exe  (spoolsv.exe)
  File opened for modification C:\Windows\Resources\tjud.exe  (explorer.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: CRU.exe, icsys.icn.exe
  PID 3184  CRU.exe  (repeated entries)
  PID 4864  icsys.icn.exe  (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  PID 2088  explorer.exe
  PID 4044  svchost.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: CRU.exe, cru.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  PID 3184  CRU.exe  (2 entries)
  PID 4328  cru.exe  (1 entry)
  PID 4864  icsys.icn.exe  (2 entries)
  PID 2088  explorer.exe  (2 entries)
  PID 4712  spoolsv.exe  (2 entries)
  PID 4044  svchost.exe  (2 entries)
  PID 4472  spoolsv.exe  (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: CRU.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  PID 3184 CRU.exe        wrote to memory of PID 4328 cru.exe        (3 entries)
  PID 3184 CRU.exe        wrote to memory of PID 4864 icsys.icn.exe  (3 entries)
  PID 4864 icsys.icn.exe  wrote to memory of PID 2088 explorer.exe   (3 entries)
  PID 2088 explorer.exe   wrote to memory of PID 4712 spoolsv.exe    (3 entries)
  PID 4712 spoolsv.exe    wrote to memory of PID 4044 svchost.exe    (3 entries)
  PID 4044 svchost.exe    wrote to memory of PID 4472 spoolsv.exe    (3 entries)
Processes

Process tree (indentation = depth; PIDs taken from the WriteProcessMemory entries above):

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe  (PID 3184, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\CRU.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe  (PID 4328, depth 2, child of 3184)
    command line: "c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\cru.exe "
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Resources\Themes\icsys.icn.exe  (PID 4864, depth 2, child of 3184)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe  (PID 2088, depth 3, child of 4864)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe  (PID 4712, depth 4, child of 2088)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe  (PID 4044, depth 5, child of 4712)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe  (PID 4472, depth 6, child of 4044)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
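The chain above reduces to a handful of host-telemetry rules: a copy of a well-known Windows binary name (explorer.exe, svchost.exe, spoolsv.exe) running from C:\Windows\Resources instead of its system directory, any executable at all under C:\Windows\Resources (icsys.icn.exe), a RunOnce value whose command points back at those drops, and ShowSuperHidden forced to 0 by one of them. The script below is an added example, not part of the Triage report and not any sandbox vendor's code. It encodes those rules in Python and runs them over an event list constructed from this report: the paths, PIDs 3184 to 4472, registry values and SHA256 hashes are copied from the report, while the Sysmon-like field names (Event, Image, ParentProcessId, TargetObject, Details, SHA256), the rule labels and the parent PIDs 900/1000 placed above CRU.exe are assumptions made for the example. One figure from the report itself motivates the hash rule covering the drops rather than only the sample: the parent CRU.exe maps a 124KB image at 0x400000-0x41F000 while the dropped lower-case cru.exe is 1.2MB and maps 1.3MB, consistent with the 1.4MB sample carrying a small stub in front of the original program.

```python
# Hunt rules derived from the sandbox report above. Added example, not part of the Triage
# report or of any sandbox vendor's code. EVENTS is constructed from the report's process
# tree, registry writes and hashes; the Sysmon-like field names are assumed for the example.
from collections import defaultdict
import ntpath

# Directories holding the genuine copies of the binaries the dropped files impersonate.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
MASQUERADED_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# SHA256 values copied from the report's General and Downloads sections.
DROPPED = {
    "CRU.exe (submitted sample)": "446c40c07c4474244236bc50b498b2d61c5783bd2206d366ea10b332d0146622",
    "Monitor Spoof\\cru.exe": "0351a943ca93558ff36f74c3f0c768dceb724e833e282abcf1be5b2e71d5c67b",
    "Resources\\Themes\\explorer.exe": "9ed8b61221da2b0dd43c41b8edac8390087e5e3433f90f2c3940196eab8b46a1",
    "Resources\\Themes\\icsys.icn.exe": "59cb0de967354149892cdde3bb65880f4c324f9c37813a69fd4690dbfed87e1a",
    "Resources\\svchost.exe": "c98019a70c5ec365e8475396df535974b4c4a2fc2d2d4ae729da78726a7da46e",
    "Resources\\spoolsv.exe": "e7221e9a161e1dc23f0eaf2328db530d93cd45becfe1874ccde6d6f351ce22bc",
}
KNOWN_SHA256 = {sha: label for label, sha in DROPPED.items()}

def norm(path):
    """Lower-case a path and strip the NT object-manager prefix (\\??\\) seen in the report."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p

def is_masquerade(image):
    """A well-known Windows binary name running outside its system directory (T1036.005)."""
    image = norm(image)
    return ntpath.basename(image) in MASQUERADED_NAMES and ntpath.dirname(image) not in SYSTEM_DIRS

def is_resources_exec(path):
    """C:\\Windows\\Resources holds theme data on a stock install; an executable there is a drop."""
    return norm(path).startswith("c:\\windows\\resources\\")

def command_image(cmd):
    """Executable part of an autorun value: the quoted path, else the first token (the report's values carry a trailing RO)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def suspicious_autorun(target, details):
    """Run/RunOnce value whose command points at a dropped or masquerading binary."""
    if not any(k in norm(target) for k in RUN_KEYS):
        return False
    exe = command_image(details)
    return is_resources_exec(exe) or is_masquerade(exe)

def triage(events):
    """Apply the rules; returns (findings as (pid, rule, detail), parent-pid -> child-pids map)."""
    findings, children = [], defaultdict(list)
    for e in events:
        pid = e["ProcessId"]
        if e["Event"] == "ProcessCreate":
            children[e["ParentProcessId"]].append(pid)
            if is_masquerade(e["Image"]):
                findings.append((pid, "masquerade", e["Image"]))
            elif is_resources_exec(e["Image"]):
                findings.append((pid, "exec-from-resources", e["Image"]))
            if e.get("SHA256") in KNOWN_SHA256:
                findings.append((pid, "known-hash", KNOWN_SHA256[e["SHA256"]]))
        elif e["Event"] == "RegistryValueSet":
            if suspicious_autorun(e["TargetObject"], e["Details"]):
                findings.append((pid, "autorun", e["Details"]))
            if norm(e["TargetObject"]).endswith("\\showsuperhidden") and e["Details"] == "0":
                findings.append((pid, "hide-system-files", e["Image"]))
    return findings, children

def pc(pid, ppid, image, sha256=None):
    return {"Event": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid, "Image": image, "SHA256": sha256}

def rv(pid, image, target, details):
    return {"Event": "RegistryValueSet", "ProcessId": pid, "Image": image, "TargetObject": target, "Details": details}

RES = r"\??\c:\windows\resources"
TMP = r"C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
EVENTS = [  # constructed from the report; PIDs 900 and 1000 above the sample are invented
    pc(1000, 900, r"C:\Windows\explorer.exe"),  # genuine Explorer: benign control, must not fire
    pc(3184, 1000, TMP + r"\CRU.exe", DROPPED["CRU.exe (submitted sample)"]),
    pc(4328, 3184, "\\??\\" + TMP.lower() + r"\cru.exe", DROPPED["Monitor Spoof\\cru.exe"]),
    pc(4864, 3184, RES + r"\themes\icsys.icn.exe", DROPPED["Resources\\Themes\\icsys.icn.exe"]),
    pc(2088, 4864, RES + r"\themes\explorer.exe", DROPPED["Resources\\Themes\\explorer.exe"]),
    pc(4712, 2088, RES + r"\spoolsv.exe", DROPPED["Resources\\spoolsv.exe"]),
    pc(4044, 4712, RES + r"\svchost.exe", DROPPED["Resources\\svchost.exe"]),
    pc(4472, 4044, RES + r"\spoolsv.exe", DROPPED["Resources\\spoolsv.exe"]),
    rv(4044, RES + r"\svchost.exe", RUNONCE + r"\Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    rv(4044, RES + r"\svchost.exe", RUNONCE + r"\Svchost", r"c:\windows\resources\svchost.exe RO"),
    rv(2088, RES + r"\themes\explorer.exe", r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000"
       r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS)[0]:
        print(f"{pid:>5}  {rule:<20}  {detail}")
```

In a real deployment the same functions would be fed from Sysmon event ID 1 (process create) and event ID 13 (registry value set) or an EDR equivalent, and a hit on the masquerade or autorun rule is the pivot point; the hash rule is the weakest of the four, since the four 135KB drops in this report already carry four different hashes, and the benign Explorer event is there to show that the path rules key on location, not on name alone.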
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\cru.exe
  Filesize: 1.2MB
  MD5: 0f69af48c32613f73c6acb87a7d18661
  SHA1: 0756ae84f3b58aec29f4b9a2888624ca879f7856
  SHA256: 0351a943ca93558ff36f74c3f0c768dceb724e833e282abcf1be5b2e71d5c67b
  SHA512: 2b30c079831a30683aabc0effa6bb60c84a960c2bcda1ce5da204bebc2050a359ec2cf36df426a0d227165afb9c4b9401fd0316b2504394c7876ed177fff2377

C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: e53c22a8b56e7013c31fcd55916d791a
  SHA1: aa9c7badab7389af6de3fb0ecb087dc1bda36e6b
  SHA256: 9ed8b61221da2b0dd43c41b8edac8390087e5e3433f90f2c3940196eab8b46a1
  SHA512: 6ac2069cfccb35334021f336ce954ed0e16b9e00ec4f3cfb0561d45f47d692e42388fadef0255c54ba7464d49d070e287c515139cc7649321089d0aa04366d63

C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 675f0f11cf05839416bb2f5aa63abf57
  SHA1: 7ad8c389dbce01fe67856b2d66505a431950003a
  SHA256: 59cb0de967354149892cdde3bb65880f4c324f9c37813a69fd4690dbfed87e1a
  SHA512: 2c540f90dea8279b9394cdafb37f0b64f44b410372645d7e379d9f8863fa42ee19072edd28c87d2189f64f8dc51508ac725cfc5b7e594ac98795dedc2a131669

C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 88f45fd9f0a63d7cc207ebca14105f00
  SHA1: f616d12a28abf3eb974d9e3068a897a3448923ab
  SHA256: c98019a70c5ec365e8475396df535974b4c4a2fc2d2d4ae729da78726a7da46e
  SHA512: e4cdabab3c95906d361bfd80affa4860f8fbef58c0a03cd072f1c4805da8f9fb2536fec029960cb3ebddbb8385bf4cfaa60bc14bf745637539e59767f2089136

\??\c:\windows\resources\spoolsv.exe
  Filesize: 135KB
  MD5: 477bb0bdeeca95da89c147838cfb96aa
  SHA1: 46190b07411af014c5ff31b191b2966197349744
  SHA256: e7221e9a161e1dc23f0eaf2328db530d93cd45becfe1874ccde6d6f351ce22bc
  SHA512: 0f4fc5346b8daa6fb159e5d1bf5ff8103355298d8c0d50718e2654947f067db5eac78ba5f9677a2486a88683c623dce9c7c312e04a80310e15b97b51a4d59a01

Memory dumps (PID-index-range):
  memory/3184-0-0x0000000000400000-0x000000000041F000-memory.dmp   124KB
  memory/3184-48-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4328-9-0x0000000000880000-0x0000000000881000-memory.dmp   4KB
  memory/4328-49-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
  memory/4472-45-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4712-46-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4864-13-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4864-47-0x0000000000400000-0x000000000041F000-memory.dmp  124KB