Analysis

  • max time kernel
    142s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 20:51

General

  • Target

    light1.83/light_setup.exe

  • Size

    204.5MB

  • MD5

    8ca9c75dbe92b22456344462960b695d

  • SHA1

    5d861549732193dcf8c6e4298c810f84f385c6a2

  • SHA256

    59efb62de4784de77b8be1440bf51d7ac6a22570bfca0d5eee4ab2f48002951b

  • SHA512

    293a2ac1bad7d2e06d9f663aaf1fec903b45216e9836b23510528d952540b2eab30d4dc3d5cf2d26d14641ee0879f279c76ea8e444823cbc975afcc1f43411e8

  • SSDEEP

    98304:PXNHvURvNHU4+faCzkC2z5+IYA15ZRa+xdxB1xc:v9Ult+iCzkJzPtjJxc

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\Net.exe
      Net Stop PcaSvc
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop PcaSvc
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2328
    • C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
      C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2808
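The process tree above is the detectable part of this sample: a setup binary running out of a user's Temp directory spawns `Net.exe` / `net1.exe` to stop PcaSvc (the Program Compatibility Assistant service), while the "Sets service image path in registry" signature indicates a service ImagePath being written. The following is an added example, not part of the Tria.ge report and not code from the sample, showing how a detection engineer would turn those two behaviours into checks over Sysmon-style process-creation events and a dump of service ImagePath values. The PIDs, image paths and command lines are taken from the tree above; the event field names, the user name `Admin` as a generic account, and the service table (in particular a hypothetical service named `Ypel` pointing at the dropped `Aimu.exe`, which the report does not confirm) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape (field names are this example's own)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the process tree in the report: PIDs and command lines are
# the report's, the parent/child links follow the tree's nesting.
EVENTS: List[ProcEvent] = [
    ProcEvent(2260, None,
              r"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"'),
    ProcEvent(2616, 2260, r"C:\Windows\SysWOW64\Net.exe", "Net Stop PcaSvc"),
    ProcEvent(2328, 2616, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\Windows\system32\net1 Stop PcaSvc"),
    ProcEvent(2808, 2260,
              r"C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe",
              r"C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe"),
]

# Directories an unprivileged user can write to. Both the dropped files in the
# report (C:\Users\Public\Ypel\...) and the installer itself (...\AppData\Local\Temp\...)
# live under these, which is what makes the chain below worth alerting on.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\(?:public\\|[^\\]+\\appdata\\local\\temp\\)", re.I)

# "net stop pcasvc" as typed, plus the net1.exe continuation net.exe spawns.
PCASVC_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+pcasvc\b", re.I)


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.strip().strip('"')))


def ancestors(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Ancestor chain of pid, nearest parent first, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None:
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def detect_pcasvc_tamper(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Flag every process that stops PcaSvc when some ancestor was launched
    from a user-writable directory. Returns (pid, ancestor image) pairs.
    A plain 'net stop PcaSvc' from an admin console has no such ancestor
    and is not reported, which keeps the rule quiet on normal hosts."""
    hits: List[Tuple[int, str]] = []
    for e in events:
        if not PCASVC_STOP.search(e.cmdline):
            continue
        root = next((a for a in ancestors(events, e.pid)
                     if in_user_writable(a.image)), None)
        if root is not None:
            hits.append((e.pid, root.image))
    return hits


def _image_exe(image_path: str) -> str:
    """Extract the executable from a raw ImagePath value: strip the \\??\\
    NT prefix, honour a quoted path, otherwise cut at the first space."""
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split()[0] if p else ""


def suspicious_image_paths(services: Dict[str, str]) -> List[str]:
    """Given {service name: ImagePath} as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>, return the services
    whose binary sits in a user-writable directory."""
    return [name for name, ip in services.items()
            if in_user_writable(_image_exe(ip))]


# Constructed service table: PcaSvc is the stock svchost entry; "Ypel" and its
# registration of the dropped Aimu.exe as a service are hypothetical.
SERVICES: Dict[str, str] = {
    "PcaSvc": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
    "Ypel": r'"C:\Users\Public\Ypel\Aimu.exe" -svc',
}

if __name__ == "__main__":
    print(detect_pcasvc_tamper(EVENTS))
    print(suspicious_image_paths(SERVICES))
```

Both `Net.exe` (2616) and `net1.exe` (2328) are reported because each carries the stop command and each descends from the Temp-resident `light_setup.exe`; deduplicating on the root PID is a one-line change if one alert per chain is preferred. The ImagePath check is independent of the process data, so it can run against a registry export from a host that was not being monitored at the time of infection.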

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe

          Filesize

          2.6MB

          MD5

          be55a91a726e2ad26293dde6eb1970a2

          SHA1

          64696a3fa96dcb9bea3aacc533a4b5c7eb7627aa

          SHA256

          191ffd48ea2a53472f662bff4d83e4b3a5bf544722de57c8e00b25b4225c32aa

          SHA512

          cbc55c1bbc15f0ced2ab19445d89d7d7953132d50a290d35c4aca5df5aba2c4c2fe85b6cef00db5978970ca3a52f4e98851ae16b9cfd90becf4c40ec6167dd43

        • C:\Users\Admin\AppData\Local\Temp\g8BF49\setup.ini

          Filesize

          364B

          MD5

          5e717774540f75a0b64e51f3746a1d76

          SHA1

          1c1255f0869892bb8837d7763b8eef24df593633

          SHA256

          3207b9643a165b6268db6303186d152efa592677837797ea5fd1f71553dd5598

          SHA512

          5bf4098275938796d11a7aff176103bff3448b0fd32a3b398b9f36f8c43aa94b15964b8496d7af795ea6fe23579eedfd0e23f67133a6409844beba113a72c7a0

        • C:\Users\Public\Ypel\Aimu.exe

          Filesize

          20.7MB

          MD5

          027a6b8e19620e00ac4f3719e022b5ba

          SHA1

          8a7081fc6afa679a0237ad718fb763d685dbe327

          SHA256

          ae6ee3a125289bb3562b89b7014166db8c69ba81da10b69da61bcf30e1086480

          SHA512

          e9182116d8a9267c348ceae64a83f10724918e4657070c873a7d629a39f6f79bfca98fd676141071c9e4a24d627a80f83a46915dcbd4207791cd5c23c67487da

        • C:\Users\Public\Ypel\Jwwu\Aohcn.dll

          Filesize

          20.9MB

          MD5

          5224be6315e1747700bcff2ec7191c1e

          SHA1

          ee03a125c3f47948f2f2f3f13e51b50fb2870e01

          SHA256

          db6e89720418d699853a004eca4ef643b80e8f3349e68add4a1edfd482a5c489

          SHA512

          6c4445d885be8f425f074c41dacefe1abb79d75ca1e2d30970d7ba07680f5027d34e40a2d289164dbd83046961ddf87245c48427fd9383584a3c7ea6a5696424

        • C:\Users\Public\Ypel\Pixua.exe

          Filesize

          20.7MB

          MD5

          78d176cd101bec19c8e5a9ca23628509

          SHA1

          3cda6abc6d63062dade1162b1ddc72afdb107c79

          SHA256

          d02ba7536a0496150b457212e568cd5ad59c5d3d8c938a93201d28852259c317

          SHA512

          c58aa11951ddb8495092862c7d01beebd4337a47f2dccfcf8a81471983fd0b3c95c11cc1fde84056534ac92b11867f89a9267aeae7ca8feb883598cb6a47ef19

        • memory/2260-54-0x0000000000400000-0x00000000004AA000-memory.dmp

          Filesize

          680KB

        • memory/2808-55-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB