178d950e74dce8c1728c3b64614b775710f2dbdd72777358c5ceee81af0586f0

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe
Size

198KB
MD5

d41f2de16e192aa7f1d3edda64b00100
SHA1

a7660dc9467035723e383b4e81eb1011a67a905a
SHA256

611e3f76cd702a3d9f3877304732786001799c5769e70d7e2fc4646aa5e8b124
SHA512

763e877ec5d621f76f8b4e517939b6f77acf44389665895c53ba297dacab281725fa48c8e68f836d5e07631bbc42a6bb8ba7c0520ffc313fa3746a6254b57a3b
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalQ/HstlC2R7JbQwUxc:UsLqdufVUNDadE2R7Jsjq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

Processes:

restart.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2128 restart.exe
2788 icsys.icn.exe
2648 explorer.exe
2656 spoolsv.exe
2776 svchost.exe
2696 spoolsv.exe
Loads dropped DLL 6 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

3008 restart.exe
3008 restart.exe
2788 icsys.icn.exe
2648 explorer.exe
2656 spoolsv.exe
2776 svchost.exe

pid	process
2128	restart.exe
2788	icsys.icn.exe
2648	explorer.exe
2656	spoolsv.exe
2776	svchost.exe
2696	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exerestart.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	restart.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2508 schtasks.exe
1388 schtasks.exe
1028 schtasks.exe

pid	process
2508	schtasks.exe
1388	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
3008	restart.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2788	icsys.icn.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2648 explorer.exe
2776 svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3008 restart.exe
3008 restart.exe
2788 icsys.icn.exe
2788 icsys.icn.exe
2648 explorer.exe
2648 explorer.exe
2656 spoolsv.exe
2656 spoolsv.exe
2776 svchost.exe
2776 svchost.exe
2696 spoolsv.exe
2696 spoolsv.exe

pid	process
2648	explorer.exe
2776	svchost.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3008 wrote to memory of 2128	3008	restart.exe	restart.exe
PID 3008 wrote to memory of 2128	3008	restart.exe	restart.exe
PID 3008 wrote to memory of 2128	3008	restart.exe	restart.exe
PID 3008 wrote to memory of 2128	3008	restart.exe	restart.exe
PID 3008 wrote to memory of 2788	3008	restart.exe	icsys.icn.exe
PID 3008 wrote to memory of 2788	3008	restart.exe	icsys.icn.exe
PID 3008 wrote to memory of 2788	3008	restart.exe	icsys.icn.exe
PID 3008 wrote to memory of 2788	3008	restart.exe	icsys.icn.exe
PID 2788 wrote to memory of 2648	2788	icsys.icn.exe	explorer.exe
PID 2788 wrote to memory of 2648	2788	icsys.icn.exe	explorer.exe
PID 2788 wrote to memory of 2648	2788	icsys.icn.exe	explorer.exe
PID 2788 wrote to memory of 2648	2788	icsys.icn.exe	explorer.exe
PID 2648 wrote to memory of 2656	2648	explorer.exe	spoolsv.exe
PID 2648 wrote to memory of 2656	2648	explorer.exe	spoolsv.exe
PID 2648 wrote to memory of 2656	2648	explorer.exe	spoolsv.exe
PID 2648 wrote to memory of 2656	2648	explorer.exe	spoolsv.exe
PID 2656 wrote to memory of 2776	2656	spoolsv.exe	svchost.exe
PID 2656 wrote to memory of 2776	2656	spoolsv.exe	svchost.exe
PID 2656 wrote to memory of 2776	2656	spoolsv.exe	svchost.exe
PID 2656 wrote to memory of 2776	2656	spoolsv.exe	svchost.exe
PID 2776 wrote to memory of 2696	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2696	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2696	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2696	2776	svchost.exe	spoolsv.exe
PID 2648 wrote to memory of 2176	2648	explorer.exe	Explorer.exe
PID 2648 wrote to memory of 2176	2648	explorer.exe	Explorer.exe
PID 2648 wrote to memory of 2176	2648	explorer.exe	Explorer.exe
PID 2648 wrote to memory of 2176	2648	explorer.exe	Explorer.exe
PID 2776 wrote to memory of 2508	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 2508	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 2508	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 2508	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1388	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1388	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1388	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1388	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1028	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1028	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1028	2776	svchost.exe	schtasks.exe
PID 2776 wrote to memory of 1028	2776	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

\??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe
"c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe "
2⤵
- Executes dropped EXE
PID:2128

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:56 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:57 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:58 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2176

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
461148e8fdb03d6045a43d72f691ffde

SHA1
060a3847057e2c2d81af4d9961c027b45aa55074

SHA256
5fd3951aa6dbf030e7a02a3cc0b12b0be8fbd5e2d95000a479dab5ebba4018a1

SHA512
474fb6bb8fedf5c1d47baa8aa6499353df6211a914f79e97eb87cdbc651a9dcb3c3470a3d379e9470cfb1a91dfbc6939385d85a381933d6f2cea80788829b2b3

Download Submit
\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
Filesize
63KB

MD5
8242ce426ad462eff02edae1487a6949

SHA1
9a4f382d427e0de729053535aaa3310cac5f087b

SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
449a96cec3aa2c7b038ee10cad14c615

SHA1
14c0d690251d6fca4645dddab2bdd8cd43ac7dd2

SHA256
7e92e7757b7093afcba38849b57671215dab5e384b1123d58d0aea5308d54cff

SHA512
8ec5e326b33760043f2fdd37491bf8b339b6049bbb2a332075822c59241af35ba1b49cac6200bb4cb03f3ca996689df7e9887197030d91db8eaa2c03614753a3

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
d9b9061a357b17bfeaa2ea5da013012b

SHA1
a347a897d5d25960a744c6c4ff9d10a2dc7c19ed

SHA256
059c72a3ad28eb170d04683b93cf73bb95491c4837b90795e1f8bb6af91fe582

SHA512
11ff821fb5d672afe96dd1c6dca834967ba8287ff134da49b140304da0ea87cca81d57440a817b2aaa6c84f025d5dceae6cd613d5e0c8dc995a3e34499fd6ece

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
069ae31f91b1d698c1d1ace641c214b5

SHA1
46b89c65f8c94e406c18ecdc8b59ef292b5d610c

SHA256
6ce7622287505a8d80f584d4e877dfca40a60b0d1213c0c385e3328308a1b2bf

SHA512
e6796f7b493261391ae1936f3b6279d87cde0d6fbb279b7abc051ea31be3e3ada828c338ed1511598a9eec195e8d6d001c328a3877cb563563005cf25001fd99

Download Submit
memory/2648-33-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2656-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-52-0x00000000007B0000-0x00000000007CF000-memory.dmp

Filesize
124KB

Download
memory/2788-24-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2788-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads