Report tabs (sandbox score per tab; the per-file tabs are listed with the platform they ran on)

Tab                      Platform             Score
Overview                                      10
Static                                        7
Lowkey Cra...li.zip      windows7-x64         1
Lowkey Cra...li.zip      windows10-2004-x64   1
Lowkey Cra...ed.exe      windows7-x64         7
Lowkey Cra...ed.exe      windows10-2004-x64   7
Lowkey Cra...RU.exe      windows7-x64         10
Lowkey Cra...RU.exe      windows10-2004-x64   10
Lowkey Cra...rt.exe      windows7-x64         10
Lowkey Cra...rt.exe      windows10-2004-x64   10
Lowkey Cra...in.bat      windows7-x64         1
Lowkey Cra...in.bat      windows10-2004-x64   1
Lowkey Cra...in.txt      windows7-x64         1
Lowkey Cra...in.txt      windows10-2004-x64   1
Lowkey Cra...rl.dll      windows7-x64         1
Lowkey Cra...rl.dll      windows10-2004-x64   1
Lowkey Cra...d.1337      windows7-x64         3
Lowkey Cra...d.1337      windows10-2004-x64   3
Lowkey Cra...b1.dll      windows7-x64         1
Lowkey Cra...b1.dll      windows10-2004-x64   1

Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 02:54
Behavioral tasks

Task          Sample                                                                    Resource
behavioral1   Lowkey Cracked_ BYKali.zip                                                win7-20240611-en
behavioral2   Lowkey Cracked_ BYKali.zip                                                win10v2004-20240508-en
behavioral3   Lowkey Cracked_ BYKali/Loader_protected.exe                               win7-20240611-en
behavioral4   Lowkey Cracked_ BYKali/Loader_protected.exe                               win10v2004-20240611-en
behavioral5   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                              win7-20240508-en
behavioral6   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                              win10v2004-20240508-en
behavioral7   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                          win7-20240508-en
behavioral8   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                          win10v2004-20240611-en
behavioral9   Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat   win7-20240508-en
behavioral10  Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat   win10v2004-20240611-en
behavioral11  Lowkey Cracked_ BYKali/last_login.txt                                     win7-20240221-en
behavioral12  Lowkey Cracked_ BYKali/last_login.txt                                     win10v2004-20240611-en
behavioral13  Lowkey Cracked_ BYKali/libcurl.dll                                        win7-20240419-en
behavioral14  Lowkey Cracked_ BYKali/libcurl.dll                                        win10v2004-20240611-en
behavioral15  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                          win7-20240611-en
behavioral16  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                          win10v2004-20240508-en
behavioral17  Lowkey Cracked_ BYKali/zlib1.dll                                          win7-20240220-en
behavioral18  Lowkey Cracked_ BYKali/zlib1.dll                                          win10v2004-20240226-en
General
Target: Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe
Size: 198KB
MD5: d41f2de16e192aa7f1d3edda64b00100
SHA1: a7660dc9467035723e383b4e81eb1011a67a905a
SHA256: 611e3f76cd702a3d9f3877304732786001799c5769e70d7e2fc4646aa5e8b124
SHA512: 763e877ec5d621f76f8b4e517939b6f77acf44389665895c53ba297dacab281725fa48c8e68f836d5e07631bbc42a6bb8ba7c0520ffc313fa3746a6254b57a3b
SSDEEP: 3072:UVqoCl/YgjxEufVU0TbTyDDalQ/HstlC2R7JbQwUxc:UsLqdufVUNDadE2R7Jsjq
Malware Config
Signatures
Note: explorer.exe, svchost.exe and spoolsv.exe in this section are the dropped copies under C:\Windows\Resources (PIDs 2648, 2776 and 2656/2696 in the process tree below), not the Windows binaries of the same name.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [svchost.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]

Executes dropped EXE (6 IoCs)
  2128 restart.exe
  2788 icsys.icn.exe
  2648 explorer.exe
  2656 spoolsv.exe
  2776 svchost.exe
  2696 spoolsv.exe

Loads dropped DLL (6 IoCs)
  3008 restart.exe (x2)
  2788 icsys.icn.exe
  2648 explorer.exe
  2656 spoolsv.exe
  2776 svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  [explorer.exe]

Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\explorer.exe  [svchost.exe]
  File opened for modification C:\Windows\SysWOW64\explorer.exe  [explorer.exe]

Drops file in Windows directory (5 IoCs)
  File opened for modification C:\Windows\Resources\tjud.exe  [explorer.exe]
  File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe  [restart.exe]
  File opened for modification \??\c:\windows\resources\themes\explorer.exe  [icsys.icn.exe]
  File opened for modification \??\c:\windows\resources\spoolsv.exe  [explorer.exe]
  File opened for modification \??\c:\windows\resources\svchost.exe  [spoolsv.exe]

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  2508 schtasks.exe
  1388 schtasks.exe
  1028 schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3008 restart.exe (x16)
  2788 icsys.icn.exe (x17)
  2648 explorer.exe (x16)
  2776 svchost.exe (x15)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  2648 explorer.exe
  2776 svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  3008 restart.exe (x2)
  2788 icsys.icn.exe (x2)
  2648 explorer.exe (x2)
  2656 spoolsv.exe (x2)
  2776 svchost.exe (x2)
  2696 spoolsv.exe (x2)

Suspicious use of WriteProcessMemory (40 IoCs; the report lists every parent/child pair four times)
  3008 restart.exe      -> 2128 restart.exe
  3008 restart.exe      -> 2788 icsys.icn.exe
  2788 icsys.icn.exe    -> 2648 explorer.exe
  2648 explorer.exe     -> 2656 spoolsv.exe
  2656 spoolsv.exe      -> 2776 svchost.exe
  2776 svchost.exe      -> 2696 spoolsv.exe
  2648 explorer.exe     -> 2176 Explorer.exe
  2776 svchost.exe      -> 2508 schtasks.exe
  2776 svchost.exe      -> 1388 schtasks.exe
  2776 svchost.exe      -> 1028 schtasks.exe
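The two persistence mechanisms recorded above (RunOnce values and a scheduled task, both pointing at system-binary names under C:\Windows\Resources) can be triaged mechanically. The following script is an added example for this page, not part of the sandbox report or of the sample: it parses the report's "Set value" lines and schtasks command lines, and flags an autorun or task that launches a file named like a Windows system binary from a directory where that binary never lives, plus a task name that imitates a system process. The LEGIT_DIRS table and the two benign control entries (a OneDrive Run value and an "Acme" backup task) are constructed for the example.

```python
"""Added example: triage RunOnce / schtasks persistence IoCs from a sandbox report.
Not part of the report; the benign last entry in each list is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the report's Signatures and Processes sections, plus one
# benign control entry per list (constructed) that must not be flagged.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"',
]
SCHTASKS_CMDLINES = [
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:56 /f',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:57 /f',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:58 /f',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Acme\backup.exe" /sc weekly /d SUN /st 01:00',
]

# Directories where each binary legitimately lives (assumption for this example;
# lower-case, no trailing backslash). Extend for your own environment.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


@dataclass(frozen=True)
class Finding:
    source: str   # "registry" or "schtasks"
    reason: str
    image: str


def masquerade_reason(image: str) -> Optional[str]:
    """Why `image` looks like a masquerading system binary, or None if it does not."""
    path = image.strip().strip('"').lower()
    directory, _, name = path.rpartition("\\")
    allowed = LEGIT_DIRS.get(name)
    if allowed is None or directory in allowed:
        return None
    return f"{name} run from {directory or '<relative>'} instead of {sorted(allowed)}"


_REG_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
_EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)


def parse_registry_event(line: str) -> tuple[str, str, str]:
    """Split a sandbox 'Set value' line into (key, value_name, data)."""
    m = _REG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry event: {line!r}")
    key, _, value_name = m.group(2).rpartition("\\")
    data = m.group(3).replace("\\\\", "\\")   # the report doubles backslashes in data
    return key, value_name, data


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Tokenise a schtasks command line into {option: value}; bare flags map to True."""
    tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts: dict[str, str | bool] = {}
    i = 1   # tokens[0] is the schtasks executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[tok[1:].lower()] = nxt
                i += 2
                continue
            opts[tok[1:].lower()] = True
        i += 1
    return opts


def triage(registry_events, schtasks_cmdlines) -> list[Finding]:
    """Flag autoruns and tasks that launch a masquerading system-binary name."""
    findings: list[Finding] = []
    for line in registry_events:
        key, _, data = parse_registry_event(line)
        if not re.search(r"\\(Run|RunOnce)$", key, re.IGNORECASE):
            continue   # only Run / RunOnce autostart keys are of interest here
        exe = _EXE_RE.match(data)
        image = exe.group(1) if exe else data
        why = masquerade_reason(image)
        if why:
            findings.append(Finding("registry", why, image))
    for cmd in schtasks_cmdlines:
        opts = parse_schtasks(cmd)
        if opts.get("create") is not True:
            continue
        task, target = str(opts.get("tn", "")).lower(), str(opts.get("tr", ""))
        if task in LEGIT_DIRS or task + ".exe" in LEGIT_DIRS:
            findings.append(Finding("schtasks", f"task name {task!r} imitates a system process", target))
        why = masquerade_reason(target)
        if why:
            findings.append(Finding("schtasks", why, target))
    return findings


if __name__ == "__main__":
    for f in triage(REGISTRY_EVENTS, SCHTASKS_CMDLINES):
        print(f"[{f.source}] {f.reason}  <- {f.image}")
```

Run against the report's entries this yields eight findings (two RunOnce values, and two findings for each of the three identical schtasks invocations) and nothing for the two benign controls. The directory check is the part worth keeping: the names alone (explorer.exe, svchost.exe, spoolsv.exe) are exactly what the sample relies on to blend into a process list.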
Processes (PIDs taken from the Signatures section; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe  [PID 3008]
  command line: "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe  [PID 2128]
    command line: "c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe "
    - Executes dropped EXE

  C:\Windows\Resources\Themes\icsys.icn.exe  [PID 2788]
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe  [PID 2648]
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe  [PID 2656]
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe  [PID 2776]
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe  [PID 2696]
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe  [one of PIDs 2508, 1388, 1028]
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:56 /f
            - Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe  [one of PIDs 2508, 1388, 1028]
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:57 /f
            - Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe  [one of PIDs 2508, 1388, 1028]
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:58 /f
            - Scheduled Task/Job: Scheduled Task

      C:\Windows\Explorer.exe  [PID 2176]
        command line: C:\Windows\Explorer.exe
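The tree above is what the sandbox renders from its "wrote to memory of" telemetry; when only the flat Signatures text is available (for example when the report is pasted into a ticket), the same tree can be rebuilt from those lines. The following is an added example, not code from the report or the sample: it parses the WriteProcessMemory lines (the report lists each parent/child pair four times, so the parser deduplicates first), rebuilds the tree, walks every root-to-leaf chain to recover the sequence of dropped copies launching one another, and lists the pairs where a process launches a file with its own image name. The input block is a constructed excerpt of the report's lines.

```python
"""Added example: rebuild the process tree from 'Suspicious use of WriteProcessMemory'
IoC lines in a sandbox report. Not part of the report; the input is an excerpt of it."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the report's WriteProcessMemory IoCs; the first line is
# duplicated on purpose, as the report repeats each pair, to show the dedup.
WPM_LINES = """
PID 3008 wrote to memory of 2128 3008 restart.exe restart.exe
PID 3008 wrote to memory of 2128 3008 restart.exe restart.exe
PID 3008 wrote to memory of 2788 3008 restart.exe icsys.icn.exe
PID 2788 wrote to memory of 2648 2788 icsys.icn.exe explorer.exe
PID 2648 wrote to memory of 2656 2648 explorer.exe spoolsv.exe
PID 2656 wrote to memory of 2776 2656 spoolsv.exe svchost.exe
PID 2776 wrote to memory of 2696 2776 svchost.exe spoolsv.exe
PID 2648 wrote to memory of 2176 2648 explorer.exe Explorer.exe
PID 2776 wrote to memory of 2508 2776 svchost.exe schtasks.exe
PID 2776 wrote to memory of 1388 2776 svchost.exe schtasks.exe
PID 2776 wrote to memory of 1028 2776 svchost.exe schtasks.exe
""".strip().splitlines()

# "PID <parent> wrote to memory of <child> <parent> <parent name> <child name>"
_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(lines) -> dict[tuple[int, int], tuple[str, str]]:
    """Return {(parent_pid, child_pid): (parent_name, child_name)}, deduplicated."""
    edges: dict[tuple[int, int], tuple[str, str]] = {}
    for line in lines:
        m = _LINE.search(line)
        if m:
            ppid, cpid, pname, cname = m.groups()
            edges[(int(ppid), int(cpid))] = (pname, cname)   # repeat lines collapse
    return edges


def build_tree(edges):
    """Return (names by pid, children by pid, root pids) for the parsed edges."""
    names: dict[int, str] = {}
    children: dict[int, list[int]] = defaultdict(list)
    for (ppid, cpid), (pname, cname) in edges.items():
        names.setdefault(ppid, pname)
        names[cpid] = cname
        children[ppid].append(cpid)
    spawned = {c for _, c in edges}
    roots = [p for p in names if p not in spawned]
    return names, children, roots


def chains(children, names, root: int) -> list[list[str]]:
    """Every root-to-leaf path, each node rendered as 'name(pid)'."""
    out: list[list[str]] = []

    def walk(pid: int, path: list[str]) -> None:
        path = path + [f"{names[pid]}({pid})"]
        kids = children.get(pid, [])
        if not kids:
            out.append(path)
        for c in kids:
            walk(c, path)

    walk(root, [])
    return out


def self_spawns(edges) -> list[tuple[int, int]]:
    """Parent/child pairs whose image names match (case-insensitive)."""
    return [pc for pc, (p, c) in edges.items() if p.lower() == c.lower()]


def render(children, names, pid: int, depth: int = 0) -> list[str]:
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{names[pid]} [{pid}]"]
    for c in children.get(pid, []):
        lines.extend(render(children, names, c, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_LINES)
    names, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
        for path in chains(children, names, root):
            print(" -> ".join(path))
    print("self-spawns:", self_spawns(edges))
```

For this report the longest chain is restart.exe(3008) -> icsys.icn.exe(2788) -> explorer.exe(2648) -> spoolsv.exe(2656) -> svchost.exe(2776) -> spoolsv.exe(2696), each hop being a freshly dropped copy, and the two self-spawns are the original restart.exe re-launching its own path (the 63KB file listed under Downloads) and the dropped explorer.exe starting the real C:\Windows\Explorer.exe.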
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job: Scheduled Task (1)
Downloads
Note: the four 135KB drops have the same size but four different hashes, so file-hash IoCs from this run will not match the copies written by another run; the 63KB restart.exe written back to the sample's own path is not the 198KB file that was submitted (see General).

C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 461148e8fdb03d6045a43d72f691ffde
  SHA1: 060a3847057e2c2d81af4d9961c027b45aa55074
  SHA256: 5fd3951aa6dbf030e7a02a3cc0b12b0be8fbd5e2d95000a479dab5ebba4018a1
  SHA512: 474fb6bb8fedf5c1d47baa8aa6499353df6211a914f79e97eb87cdbc651a9dcb3c3470a3d379e9470cfb1a91dfbc6939385d85a381933d6f2cea80788829b2b3

\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
  Filesize: 63KB
  MD5: 8242ce426ad462eff02edae1487a6949
  SHA1: 9a4f382d427e0de729053535aaa3310cac5f087b
  SHA256: b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
  SHA512: aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 449a96cec3aa2c7b038ee10cad14c615
  SHA1: 14c0d690251d6fca4645dddab2bdd8cd43ac7dd2
  SHA256: 7e92e7757b7093afcba38849b57671215dab5e384b1123d58d0aea5308d54cff
  SHA512: 8ec5e326b33760043f2fdd37491bf8b339b6049bbb2a332075822c59241af35ba1b49cac6200bb4cb03f3ca996689df7e9887197030d91db8eaa2c03614753a3

\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: d9b9061a357b17bfeaa2ea5da013012b
  SHA1: a347a897d5d25960a744c6c4ff9d10a2dc7c19ed
  SHA256: 059c72a3ad28eb170d04683b93cf73bb95491c4837b90795e1f8bb6af91fe582
  SHA512: 11ff821fb5d672afe96dd1c6dca834967ba8287ff134da49b140304da0ea87cca81d57440a817b2aaa6c84f025d5dceae6cd613d5e0c8dc995a3e34499fd6ece

\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 069ae31f91b1d698c1d1ace641c214b5
  SHA1: 46b89c65f8c94e406c18ecdc8b59ef292b5d610c
  SHA256: 6ce7622287505a8d80f584d4e877dfca40a60b0d1213c0c385e3328308a1b2bf
  SHA512: e6796f7b493261391ae1936f3b6279d87cde0d6fbb279b7abc051ea31be3e3ada828c338ed1511598a9eec195e8d6d001c328a3877cb563563005cf25001fd99

Memory dumps
  memory/2648-33-0x0000000000310000-0x000000000032F000-memory.dmp  Filesize: 124KB
  memory/2656-57-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
  memory/2696-56-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
  memory/2776-52-0x00000000007B0000-0x00000000007CF000-memory.dmp  Filesize: 124KB
  memory/2788-24-0x00000000003A0000-0x00000000003BF000-memory.dmp  Filesize: 124KB
  memory/2788-59-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
  memory/3008-0-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
  memory/3008-58-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB