178d950e74dce8c1728c3b64614b775710f2dbdd72777358c5ceee81af0586f0

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe
Size

198KB
MD5

d41f2de16e192aa7f1d3edda64b00100
SHA1

a7660dc9467035723e383b4e81eb1011a67a905a
SHA256

611e3f76cd702a3d9f3877304732786001799c5769e70d7e2fc4646aa5e8b124
SHA512

763e877ec5d621f76f8b4e517939b6f77acf44389665895c53ba297dacab281725fa48c8e68f836d5e07631bbc42a6bb8ba7c0520ffc313fa3746a6254b57a3b
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalQ/HstlC2R7JbQwUxc:UsLqdufVUNDadE2R7Jsjq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

restart.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3576 restart.exe
748 icsys.icn.exe
1616 explorer.exe
552 spoolsv.exe
2384 svchost.exe
3944 spoolsv.exe

pid	process
3576	restart.exe
748	icsys.icn.exe
1616	explorer.exe
552	spoolsv.exe
2384	svchost.exe
3944	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	restart.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

restart.exeicsys.icn.exe

pid	process
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
5100	restart.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe
748	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1616 explorer.exe
2384 svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

5100 restart.exe
5100 restart.exe
748 icsys.icn.exe
748 icsys.icn.exe
1616 explorer.exe
1616 explorer.exe
552 spoolsv.exe
552 spoolsv.exe
2384 svchost.exe
2384 svchost.exe
3944 spoolsv.exe
3944 spoolsv.exe

pid	process
1616	explorer.exe
2384	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

restart.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 5100 wrote to memory of 3576	5100	restart.exe	restart.exe
PID 5100 wrote to memory of 3576	5100	restart.exe	restart.exe
PID 5100 wrote to memory of 3576	5100	restart.exe	restart.exe
PID 5100 wrote to memory of 748	5100	restart.exe	icsys.icn.exe
PID 5100 wrote to memory of 748	5100	restart.exe	icsys.icn.exe
PID 5100 wrote to memory of 748	5100	restart.exe	icsys.icn.exe
PID 748 wrote to memory of 1616	748	icsys.icn.exe	explorer.exe
PID 748 wrote to memory of 1616	748	icsys.icn.exe	explorer.exe
PID 748 wrote to memory of 1616	748	icsys.icn.exe	explorer.exe
PID 1616 wrote to memory of 552	1616	explorer.exe	spoolsv.exe
PID 1616 wrote to memory of 552	1616	explorer.exe	spoolsv.exe
PID 1616 wrote to memory of 552	1616	explorer.exe	spoolsv.exe
PID 552 wrote to memory of 2384	552	spoolsv.exe	svchost.exe
PID 552 wrote to memory of 2384	552	spoolsv.exe	svchost.exe
PID 552 wrote to memory of 2384	552	spoolsv.exe	svchost.exe
PID 2384 wrote to memory of 3944	2384	svchost.exe	spoolsv.exe
PID 2384 wrote to memory of 3944	2384	svchost.exe	spoolsv.exe
PID 2384 wrote to memory of 3944	2384	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100

\??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe
"c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe "
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
Filesize
63KB

MD5
8242ce426ad462eff02edae1487a6949

SHA1
9a4f382d427e0de729053535aaa3310cac5f087b

SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a

SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
8836cff3d465653f6a7de1cbb74c4676

SHA1
97d333b2ecdee27491584dc8739466b1d48b6f26

SHA256
8d63844a0b5b1390384c9b8f26c43279acf79e4b0ba16eda8bacf6bf352c3e36

SHA512
6e9d6f881f99bc91460eb33f0c471a89b7d9206241d3e20025a2eb4194189710916c59917b9d10e607dfa5b6f3976077dc9b1df83d3a27ed77328e13b39f6f17

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
449a96cec3aa2c7b038ee10cad14c615

SHA1
14c0d690251d6fca4645dddab2bdd8cd43ac7dd2

SHA256
7e92e7757b7093afcba38849b57671215dab5e384b1123d58d0aea5308d54cff

SHA512
8ec5e326b33760043f2fdd37491bf8b339b6049bbb2a332075822c59241af35ba1b49cac6200bb4cb03f3ca996689df7e9887197030d91db8eaa2c03614753a3

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
de8dce2bac0d1e6fd319faf8e9595985

SHA1
7522358cf69b4b460edcce191546795b0ab20979

SHA256
b4b72fe7cd88e34d1d70f4bf4f1adb3211987c9b49bbaa35e44a1a52bcfa0a82

SHA512
4fd3bdd770b23df98a87e02231e2986f35625eeaf55529fb91e3d575cc7da9bfab224466777ddb9f71289d862f863222903e5ee5041d9a4deef298f1ef3b32cf

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
71ca89300cf4b4971d4b35f60622b7e9

SHA1
fe146e9db231ca6481dbf364e55ae28b67a8fdaa

SHA256
acd415b1272d948182684121f9037167e05d16073518f40eecebff97034749a1

SHA512
f72b590871e47a67f1e43c0f0ee3f4c7983c577a682ad3c6b2f181d2e22456dd73d2c383084cdeaba9c69d80e7f55b122bbd68df770e26db378b3df468eb977c

Download Submit
memory/552-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/748-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download