Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2025, 20:51
Static task
- static1
Behavioral tasks
- behavioral1: sample light1.83/light_setup.exe, resource win7-20241023-en
- behavioral2: sample light1.83/light_setup.exe, resource win10v2004-20241007-en
- behavioral3: sample light1.83/lpk.dll, resource win7-20240903-en
- behavioral4: sample light1.83/lpk.dll, resource win10v2004-20241007-en
The results on this page are from behavioral2 (light_setup.exe on win10v2004-20241007-en, matching the platform and resource listed under Analysis).
General
- Target: light1.83/light_setup.exe
- Size: 204.5MB
- MD5: 8ca9c75dbe92b22456344462960b695d
- SHA1: 5d861549732193dcf8c6e4298c810f84f385c6a2
- SHA256: 59efb62de4784de77b8be1440bf51d7ac6a22570bfca0d5eee4ab2f48002951b
- SHA512: 293a2ac1bad7d2e06d9f663aaf1fec903b45216e9836b23510528d952540b2eab30d4dc3d5cf2d26d14641ee0879f279c76ea8e444823cbc975afcc1f43411e8
- SSDEEP: 98304:PXNHvURvNHU4+faCzkC2z5+IYA15ZRa+xdxB1xc:v9Ult+iCzkJzPtjJxc
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BPFU\ImagePath = "C:\\Program Files\\Kcxa\\Oyat.exe" (process: light_setup.exe)
- Executes dropped EXE (1 IoC)
  - PID 728: light_setup.exe
- Drops file in Program Files directory (10 IoCs, all by light_setup.exe)
  - File created: C:\Program Files\Kcxa\duzose.exe
  - File created: C:\Program Files\Kcxa\kusoce.exe
  - File created: C:\Program Files\Kcxa\nesvus\pat.xml
  - File opened for modification: C:\Program Files\Kcxa\nesvus\pat.xml
  - File created: C:\Program Files\Kcxa\nesvus\tucesv.dll
  - File opened for modification: C:\Program Files\Kcxa\nesvus\tucesv.dll
  - File opened for modification: C:\Program Files\Kcxa\duzose.exe
  - File opened for modification: C:\Program Files\Kcxa\kusoce.exe
  - File created: C:\Program Files\Common Files\System\Ole DB\MSPat.xml
  - File opened for modification: C:\Program Files\Common Files\System\Ole DB\MSPat.xml
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: light_setup.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: light_setup.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 728: light_setup.exe
  - PID 728: light_setup.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4492 (light_setup.exe) wrote to memory of PID 728 (procid_target 83)
  - PID 4492 (light_setup.exe) wrote to memory of PID 728 (procid_target 83)
  - PID 4492 (light_setup.exe) wrote to memory of PID 728 (procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe (PID 4492)
  command line: "C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"
  - Sets service image path in registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe (PID 728)
    command line: C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
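The service ImagePath write and the Program Files drops recorded above are enough to triage a live host. The PowerShell below is an added example written for this page; it is not sandbox output and not code belonging to the sample. It first checks the exact indicators the report records (service name BPFU, the C:\Program Files\Kcxa directory, the Ole DB\MSPat.xml drop), then applies the general form of the check: any service whose ImagePath points under Program Files to a binary that is missing or not validly Authenticode-signed. Two caveats a practitioner should keep in mind: the sandbox reports the key under ControlSet001, while a live check should go through CurrentControlSet; and the ImagePath names C:\Program Files\Kcxa\Oyat.exe, which does not appear among the files the report saw created, so on a live host the service may exist with a dangling binary, or the binary may be written later than the 151s run observed. The ImagePath argument-stripping heuristic and the signature check are this script's own assumptions, not something the report states.

```powershell
# Added example for this page; not part of the sandbox report or the sample.
# Service name and file paths are copied from the report's Signatures section.
# The generic unsigned-service check and the ImagePath parsing are assumptions
# of this script, not facts the report states.

$ReportServiceNames = @('BPFU')
$ReportDropPaths = @(
    'C:\Program Files\Kcxa\Oyat.exe',            # named in ImagePath, absent from the drop list
    'C:\Program Files\Kcxa\duzose.exe',
    'C:\Program Files\Kcxa\kusoce.exe',
    'C:\Program Files\Kcxa\nesvus\pat.xml',
    'C:\Program Files\Kcxa\nesvus\tucesv.dll',
    'C:\Program Files\Common Files\System\Ole DB\MSPat.xml'
)

function Get-ServiceImagePath {
    # One object per service: name, raw ImagePath, and a best-effort executable
    # path with quoting, environment variables and trailing arguments removed.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $raw) { return }
        $p = [Environment]::ExpandEnvironmentVariables($raw)
        $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
        $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # driver-style paths
        $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
        if ($p -match '^"([^"]+)"') {
            $exe = $Matches[1]                                    # quoted path, arguments follow
        } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
            $exe = $Matches[1]                                    # unquoted path up to its extension
        } else {
            $exe = $p.Trim()
        }
        [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $raw; Exe = $exe }
    }
}

$services = Get-ServiceImagePath

'== Indicators taken directly from the report =='
$services |
    Where-Object { $ReportServiceNames -contains $_.Name -or $_.Exe -like 'C:\Program Files\Kcxa\*' } |
    Format-Table Name, ImagePath -AutoSize
$ReportDropPaths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "present on disk: $_" }

'== Generic: services under Program Files whose binary is missing or not validly signed =='
$pf   = $env:ProgramFiles
$pf86 = ${env:ProgramFiles(x86)}
foreach ($svc in $services) {
    $underPf = ($svc.Exe -like "$pf\*") -or ($pf86 -and $svc.Exe -like "$pf86\*")
    if (-not $underPf) { continue }
    if (-not (Test-Path -LiteralPath $svc.Exe -PathType Leaf)) {
        "[missing binary] $($svc.Name): $($svc.ImagePath)"       # dangling ImagePath, as BPFU would be
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $svc.Exe
    if ($sig.Status -ne 'Valid') {
        "[$($sig.Status)] $($svc.Name): $($svc.Exe)"
    }
}
```

Run it from an elevated prompt, since reading every service key and the binaries under Program Files needs administrator rights. A service that reports `[missing binary]` deserves a second look even when its name is not in the report: the service control manager will happily start whatever gets written to that path later.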
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 20.9MB
  MD5: 5a69f8d867d35369f077e4dba2bc7985
  SHA1: 4bf504712b89829cd5719658fa4d56afedeff18d
  SHA256: b0faabe0014b6d916dad58752d8402d7d87b52c1b678634a1d1d3bec88fa1a32
  SHA512: 3921761e70f5b45f426f76b48156c868fd56277ce9eb75016539477b5c92410a075944cb5c2c20110ce32721eecbb1c15e7172928efc104850d3016200fe4300
- Filesize: 32KB
  MD5: 73c433f44adc08aff21560458cd24351
  SHA1: 03410ba18d909999c0883814c44a60757eb59bd9
  SHA256: f70d57995c3ed5bad83d723e921f31618d5d6072ad5f785aa14ab16e710804f4
  SHA512: 03bb5a7e10498841ed8f8bedee5bf088e18b1e7e4e91df731bc5034b6a88716707fa71812a8d5410e6fef46daeda44e3166d24157a1f010a07e2fa8f736576bb
- Filesize: 20.7MB
  MD5: 7eec1e3c3e1ff6bfb43c2cbf65b91393
  SHA1: b1e72cac40af7d4a7f4e3672b380c587b73aa1e0
  SHA256: 081b533f004ee405453ff1c209df899e307d5a847a969a1b34386f1ac157d4b4
  SHA512: 38328782fed00aca2d3eb67cd32fc1c91a8cc5d4d721cc1d36523212ee3aef6c086882ebf45cf794776fe83aebaec8dcf7ac390aacf35ae3f8617fe02e1295a1
- Filesize: 20.7MB
  MD5: 750651b3564c00a3d983a1ad124cb250
  SHA1: 2935192a6c82ce294beb85800c656712af5262f9
  SHA256: 2fd7950fb206bb482629871d66be07d69ff46457adc363b9f2ea00f599f92efe
  SHA512: a0267a0380388db235d8e0300e055120f48f308f539a4bfc57b97aaa4b48b62086ca842ab862cd541d89a8094ebf7c5b96ab3585fe6f6d648445cf2e991abda4
- Filesize: 2.6MB
  MD5: be55a91a726e2ad26293dde6eb1970a2
  SHA1: 64696a3fa96dcb9bea3aacc533a4b5c7eb7627aa
  SHA256: 191ffd48ea2a53472f662bff4d83e4b3a5bf544722de57c8e00b25b4225c32aa
  SHA512: cbc55c1bbc15f0ced2ab19445d89d7d7953132d50a290d35c4aca5df5aba2c4c2fe85b6cef00db5978970ca3a52f4e98851ae16b9cfd90becf4c40ec6167dd43
- Filesize: 364B
  MD5: 5e717774540f75a0b64e51f3746a1d76
  SHA1: 1c1255f0869892bb8837d7763b8eef24df593633
  SHA256: 3207b9643a165b6268db6303186d152efa592677837797ea5fd1f71553dd5598
  SHA512: 5bf4098275938796d11a7aff176103bff3448b0fd32a3b398b9f36f8c43aa94b15964b8496d7af795ea6fe23579eedfd0e23f67133a6409844beba113a72c7a0
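The Downloads table identifies six artefacts by size and hash only, without saying which dropped file each one is. The PowerShell below is an added example for this page, not sandbox output; it hashes the files in the locations the report names (the C:\Program Files\Kcxa drop directory, the Ole DB directory that received MSPat.xml, and %TEMP%, where the process tree shows a second copy of light_setup.exe running from a g8DCC3 subdirectory) and labels each file as a Downloads-table artefact, as the analysed sample itself (by the SHA256 under General), or as an unknown file sitting in the drop directory. The g8DCC3 directory name looks generated, so the script scans %TEMP% two levels deep rather than hard-coding it; that choice, the scan depths, and the "unknown" labelling are this script's assumptions. It needs PowerShell 5 or later for -Depth.

```powershell
# Added example for this page; not output of the sandbox. SHA256 values and
# sizes are copied from the report's Downloads table and General section. The
# directories scanned come from the report's file-drop IoCs and process tree;
# the scan depths and the %TEMP% handling are this script's assumptions.

$ReportedSha256 = @{
    'b0faabe0014b6d916dad58752d8402d7d87b52c1b678634a1d1d3bec88fa1a32' = '20.9MB'
    'f70d57995c3ed5bad83d723e921f31618d5d6072ad5f785aa14ab16e710804f4' = '32KB'
    '081b533f004ee405453ff1c209df899e307d5a847a969a1b34386f1ac157d4b4' = '20.7MB'
    '2fd7950fb206bb482629871d66be07d69ff46457adc363b9f2ea00f599f92efe' = '20.7MB'
    '191ffd48ea2a53472f662bff4d83e4b3a5bf544722de57c8e00b25b4225c32aa' = '2.6MB'
    '3207b9643a165b6268db6303186d152efa592677837797ea5fd1f71553dd5598' = '364B'
}
# The analysed installer, from the General section, so a copy found on disk is
# labelled rather than reported as unknown.
$SampleSha256 = '59efb62de4784de77b8be1440bf51d7ac6a22570bfca0d5eee4ab2f48002951b'

$Locations = @(
    @{ Path = 'C:\Program Files\Kcxa';                        Depth = 5 },
    @{ Path = 'C:\Program Files\Common Files\System\Ole DB';  Depth = 0 },
    @{ Path = $env:TEMP;                                      Depth = 2 }   # report ran a copy from %TEMP%\g8DCC3\
)

function Get-DropMatches {
    # Emits one object per file that is a report artefact, the sample itself,
    # or an unexplained file inside the drop directory. Other files are skipped.
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        Get-ChildItem -LiteralPath $loc.Path -File -Recurse -Depth $loc.Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            $label = if ($ReportedSha256.ContainsKey($h)) { "report artefact ($($ReportedSha256[$h]))" }
                     elseif ($h -eq $SampleSha256)        { 'analysed sample (light_setup.exe)' }
                     elseif ($loc.Path -like 'C:\Program Files\Kcxa*') { 'UNKNOWN file in drop directory' }
                     else { $null }
            if ($label) {
                [pscustomobject]@{ Match = $label; Bytes = $_.Length; Path = $_.FullName; SHA256 = $h }
            }
        }
    }
}

Get-DropMatches | Sort-Object Match, Path | Format-Table -AutoSize
```

Files that hash to a Downloads-table entry tell you which artefact is which; a file in C:\Program Files\Kcxa that matches nothing in the table is either something the sandbox did not capture within its run or a later-stage payload, and should be collected and hashed against the report's SHA512 values before being dismissed.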