Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 20:51
Static task: static1
Behavioral task: behavioral1 (Sample: light1.83/light_setup.exe, Resource: win7-20241023-en)
Behavioral task: behavioral2 (Sample: light1.83/light_setup.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: light1.83/lpk.dll, Resource: win7-20240903-en)
Behavioral task: behavioral4 (Sample: light1.83/lpk.dll, Resource: win10v2004-20241007-en)
General
Target: light1.83/lpk.dll
Size: 45KB
MD5: fcdc863503f8b1be2104614f948179fc
SHA1: 71485de3e22c42df5f0c9e39f47420e48195fef5
SHA256: d80b59ded380078af93526a8fb78bf19ab05a924958b15a9fdcee8b0e31c3f3a
SHA512: ca0bf43bf2615e32a496a8cd65f2db8bee08c19da36310bc58a7f7dde8849d9aea610a054e3088a9c6bf0284400370806fd38e4e89ba54a35f0f13e8a9f6c2b9
SSDEEP: 768:zojY9Pg68uUCS77GhGLhLpms1RZo9yHHojY9P:GmY6BS7LL18+o9yHSm
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
4508  hrl1160.tmp
1272  zebhau.exe

Drops file in System32 directory (2 IoCs)
description                   ioc                             Process
File created                  C:\Windows\SysWOW64\zebhau.exe  hrl1160.tmp
File opened for modification  C:\Windows\SysWOW64\zebhau.exe  hrl1160.tmp

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process     procid_target
PID 1272 set thread context of 2748  1272  zebhau.exe  85

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1060  2748        WerFault.exe  85

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hrl1160.tmp
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zebhau.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid   Process       procid_target
PID 4852 wrote to memory of 5056  4852  rundll32.exe  82
PID 4852 wrote to memory of 5056  4852  rundll32.exe  82
PID 4852 wrote to memory of 5056  4852  rundll32.exe  82
PID 5056 wrote to memory of 4508  5056  rundll32.exe  83
PID 5056 wrote to memory of 4508  5056  rundll32.exe  83
PID 5056 wrote to memory of 4508  5056  rundll32.exe  83
PID 1272 wrote to memory of 2748  1272  zebhau.exe    85
PID 1272 wrote to memory of 2748  1272  zebhau.exe    85
PID 1272 wrote to memory of 2748  1272  zebhau.exe    85
PID 1272 wrote to memory of 2748  1272  zebhau.exe    85
PID 1272 wrote to memory of 2748  1272  zebhau.exe    85
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1
  PID: 4852
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1
    PID: 5056
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp
      PID: 4508
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\zebhau.exe
  Command line: C:\Windows\SysWOW64\zebhau.exe
  PID: 1272
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2748
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 12
      PID: 1060
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748
  PID: 4592
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: 4b5b96093cdd0eb372be9a459b2bc27e
SHA1: 6c36841cabbf00bb365bddede0897fcc6338e68f
SHA256: b3c425ac158293c36809f69d6c53cc4b77c6f14eb63c548320e280414ae7a4fa
SHA512: cba45a987e23452f630790ae620876916710ecda846e5300be0f399ed57bc994cfd594b0a638d217af7a611a5c7c3430f6369f47f3b72403f3eb2fdff0e033fe