Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: light1.83/light_setup.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: light1.83/light_setup.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: light1.83/lpk.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: light1.83/lpk.dll
  Resource: win10v2004-20241007-en
General
Target: light1.83/lpk.dll
Size: 45KB
MD5: fcdc863503f8b1be2104614f948179fc
SHA1: 71485de3e22c42df5f0c9e39f47420e48195fef5
SHA256: d80b59ded380078af93526a8fb78bf19ab05a924958b15a9fdcee8b0e31c3f3a
SHA512: ca0bf43bf2615e32a496a8cd65f2db8bee08c19da36310bc58a7f7dde8849d9aea610a054e3088a9c6bf0284400370806fd38e4e89ba54a35f0f13e8a9f6c2b9
SSDEEP: 768:zojY9Pg68uUCS77GhGLhLpms1RZo9yHHojY9P:GmY6BS7LL18+o9yHSm
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2784  Process hrlFB30.tmp
  pid 2788  Process zmxrwm.exe
Loads dropped DLL (2 IoCs)
  pid 2120  Process rundll32.exe
  pid 2120  Process rundll32.exe
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\zmxrwm.exe  Process hrlFB30.tmp
  File opened for modification: C:\Windows\SysWOW64\zmxrwm.exe  Process hrlFB30.tmp
Suspicious use of SetThreadContext (1 IoC)
  PID 2788 set thread context of 2680  Process zmxrwm.exe  procid_target 33
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process zmxrwm.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process rundll32.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2124 wrote to memory of 2120  Process rundll32.exe  procid_target 30  (7 identical entries)
  PID 2120 wrote to memory of 2784  Process rundll32.exe  procid_target 31  (4 identical entries)
  PID 2788 wrote to memory of 2680  Process zmxrwm.exe  procid_target 33  (6 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1
   PID: 2124
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1
      PID: 2120
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
         Command line: C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
         PID: 2784
         - Executes dropped EXE
         - Drops file in System32 directory
1. C:\Windows\SysWOW64\zmxrwm.exe
   Command line: C:\Windows\SysWOW64\zmxrwm.exe
   PID: 2788
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: 4b5b96093cdd0eb372be9a459b2bc27e
SHA1: 6c36841cabbf00bb365bddede0897fcc6338e68f
SHA256: b3c425ac158293c36809f69d6c53cc4b77c6f14eb63c548320e280414ae7a4fa
SHA512: cba45a987e23452f630790ae620876916710ecda846e5300be0f399ed57bc994cfd594b0a638d217af7a611a5c7c3430f6369f47f3b72403f3eb2fdff0e033fe