Overview
Score: 10

Task                   Platform            Score
Static                 static              7
Lowkey Cra...li.zip    windows7-x64        1
Lowkey Cra...li.zip    windows10-2004-x64  1
Lowkey Cra...ed.exe    windows7-x64        7
Lowkey Cra...ed.exe    windows10-2004-x64  7
Lowkey Cra...RU.exe    windows7-x64        10
Lowkey Cra...RU.exe    windows10-2004-x64  10
Lowkey Cra...rt.exe    windows7-x64        10
Lowkey Cra...rt.exe    windows10-2004-x64  10
Lowkey Cra...in.bat    windows7-x64        1
Lowkey Cra...in.bat    windows10-2004-x64  1
Lowkey Cra...in.txt    windows7-x64        1
Lowkey Cra...in.txt    windows10-2004-x64  1
Lowkey Cra...rl.dll    windows7-x64        1
Lowkey Cra...rl.dll    windows10-2004-x64  1
Lowkey Cra...d.1337    windows7-x64        3
Lowkey Cra...d.1337    windows10-2004-x64  3
Lowkey Cra...b1.dll    windows7-x64        1
Lowkey Cra...b1.dll    windows10-2004-x64  1

Analysis
Max time kernel: 150s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-07-2024 02:54
Behavioral tasks

Task          Sample                                                                    Resource
behavioral1   Lowkey Cracked_ BYKali.zip                                                win7-20240611-en
behavioral2   Lowkey Cracked_ BYKali.zip                                                win10v2004-20240508-en
behavioral3   Lowkey Cracked_ BYKali/Loader_protected.exe                               win7-20240611-en
behavioral4   Lowkey Cracked_ BYKali/Loader_protected.exe                               win10v2004-20240611-en
behavioral5   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                              win7-20240508-en
behavioral6   Lowkey Cracked_ BYKali/Monitor Spoof/CRU.exe                              win10v2004-20240508-en
behavioral7   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                          win7-20240508-en
behavioral8   Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe                          win10v2004-20240611-en
behavioral9   Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat   win7-20240508-en
behavioral10  Lowkey Cracked_ BYKali/Wifi & Bluetooth disabler/Disabler_Run_Admin.bat   win10v2004-20240611-en
behavioral11  Lowkey Cracked_ BYKali/last_login.txt                                     win7-20240221-en
behavioral12  Lowkey Cracked_ BYKali/last_login.txt                                     win10v2004-20240611-en
behavioral13  Lowkey Cracked_ BYKali/libcurl.dll                                        win7-20240419-en
behavioral14  Lowkey Cracked_ BYKali/libcurl.dll                                        win10v2004-20240611-en
behavioral15  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                          win7-20240611-en
behavioral16  Lowkey Cracked_ BYKali/lowkey-spoofer-fixed.1337                          win10v2004-20240508-en
behavioral17  Lowkey Cracked_ BYKali/zlib1.dll                                          win7-20240220-en
behavioral18  Lowkey Cracked_ BYKali/zlib1.dll                                          win10v2004-20240226-en
General

Target: Lowkey Cracked_ BYKali/Monitor Spoof/restart.exe
Size: 198KB
MD5: d41f2de16e192aa7f1d3edda64b00100
SHA1: a7660dc9467035723e383b4e81eb1011a67a905a
SHA256: 611e3f76cd702a3d9f3877304732786001799c5769e70d7e2fc4646aa5e8b124
SHA512: 763e877ec5d621f76f8b4e517939b6f77acf44389665895c53ba297dacab281725fa48c8e68f836d5e07631bbc42a6bb8ba7c0520ffc313fa3746a6254b57a3b
SSDEEP: 3072:UVqoCl/YgjxEufVU0TbTyDDalQ/HstlC2R7JbQwUxc:UsLqdufVUNDadE2R7Jsjq
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (6 IoCs)
Processes: restart.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid  | process
  3576 | restart.exe
  748  | icsys.icn.exe
  1616 | explorer.exe
  552  | spoolsv.exe
  2384 | svchost.exe
  3944 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (5 IoCs)
Processes: restart.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | restart.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: restart.exe, icsys.icn.exe
  pid  | process
  5100 | restart.exe (repeated entries)
  748  | icsys.icn.exe (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid  | process
  1616 | explorer.exe
  2384 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: restart.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid  | process
  5100 | restart.exe (x2)
  748  | icsys.icn.exe (x2)
  1616 | explorer.exe (x2)
  552  | spoolsv.exe (x2)
  2384 | svchost.exe (x2)
  3944 | spoolsv.exe (x2)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: restart.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process
  PID 5100 wrote to memory of 3576 | 5100 | restart.exe | restart.exe (x3)
  PID 5100 wrote to memory of 748 | 5100 | restart.exe | icsys.icn.exe (x3)
  PID 748 wrote to memory of 1616 | 748 | icsys.icn.exe | explorer.exe (x3)
  PID 1616 wrote to memory of 552 | 1616 | explorer.exe | spoolsv.exe (x3)
  PID 552 wrote to memory of 2384 | 552 | spoolsv.exe | svchost.exe (x3)
  PID 2384 wrote to memory of 3944 | 2384 | svchost.exe | spoolsv.exe (x3)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe
    Command line: "c:\users\admin\appdata\local\temp\lowkey cracked_ bykali\monitor spoof\restart.exe "
    - Executes dropped EXE

    C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\themes\explorer.exe
        Command line: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                \??\c:\windows\resources\svchost.exe
                Command line: c:\windows\resources\svchost.exe
                - Modifies visibility of hidden/system files in Explorer
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in System32 directory
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                    \??\c:\windows\resources\spoolsv.exe
                    Command line: c:\windows\resources\spoolsv.exe PR
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Lowkey Cracked_ BYKali\Monitor Spoof\restart.exe
  Filesize: 63KB
  MD5: 8242ce426ad462eff02edae1487a6949
  SHA1: 9a4f382d427e0de729053535aaa3310cac5f087b
  SHA256: b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
  SHA512: aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1

C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 8836cff3d465653f6a7de1cbb74c4676
  SHA1: 97d333b2ecdee27491584dc8739466b1d48b6f26
  SHA256: 8d63844a0b5b1390384c9b8f26c43279acf79e4b0ba16eda8bacf6bf352c3e36
  SHA512: 6e9d6f881f99bc91460eb33f0c471a89b7d9206241d3e20025a2eb4194189710916c59917b9d10e607dfa5b6f3976077dc9b1df83d3a27ed77328e13b39f6f17

C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 449a96cec3aa2c7b038ee10cad14c615
  SHA1: 14c0d690251d6fca4645dddab2bdd8cd43ac7dd2
  SHA256: 7e92e7757b7093afcba38849b57671215dab5e384b1123d58d0aea5308d54cff
  SHA512: 8ec5e326b33760043f2fdd37491bf8b339b6049bbb2a332075822c59241af35ba1b49cac6200bb4cb03f3ca996689df7e9887197030d91db8eaa2c03614753a3

C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: de8dce2bac0d1e6fd319faf8e9595985
  SHA1: 7522358cf69b4b460edcce191546795b0ab20979
  SHA256: b4b72fe7cd88e34d1d70f4bf4f1adb3211987c9b49bbaa35e44a1a52bcfa0a82
  SHA512: 4fd3bdd770b23df98a87e02231e2986f35625eeaf55529fb91e3d575cc7da9bfab224466777ddb9f71289d862f863222903e5ee5041d9a4deef298f1ef3b32cf

\??\c:\windows\resources\spoolsv.exe
  Filesize: 135KB
  MD5: 71ca89300cf4b4971d4b35f60622b7e9
  SHA1: fe146e9db231ca6481dbf364e55ae28b67a8fdaa
  SHA256: acd415b1272d948182684121f9037167e05d16073518f40eecebff97034749a1
  SHA512: f72b590871e47a67f1e43c0f0ee3f4c7983c577a682ad3c6b2f181d2e22456dd73d2c383084cdeaba9c69d80e7f55b122bbd68df770e26db378b3df468eb977c

Memory dumps
  memory/552-45-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
  memory/748-46-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
  memory/1616-20-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
  memory/3944-44-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
  memory/5100-0-0x0000000000400000-0x000000000041F000-memory.dmp   Filesize: 124KB
  memory/5100-47-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB