b45ef6fefedcc3ce7e4622f8544bbf5b500fbf9197ec713217fdfe5bb530656b

Analysis

max time kernel
144s
max time network
165s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 18:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LostLife_1.51/LostLife_1.51/lib/doc/xxx.xml
Size

187KB
MD5

6b06a04e6772f1fe64bdd969bb1e8593
SHA1

2f8f3f8a6242cd2d8615d28ea000accb52b6e426
SHA256

9c61ff785527bd42e65db0fcfcd58ee8c840566b72977004a30cfc43d70d4839
SHA512

33eeac3a4dd39621046cd1b179f1f3c57418c8b47fac699ca672e09cc74b5e4aab654dbeb9f46677af569945dcab14378eaf097c8d0598b7cbe992d3e60ef081
SSDEEP

3072:H3R3DK7gURqrEji2dANC2AVb6jcmLTQCebs1y9Xz:99gpVujcmHQCebsk9Xz

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394913879"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d782d97eabd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f9684199b2f7a4a86f864ecc4ec016b00000000020000000000106600000001000020000000bb06ac9069f22fe784acf436a762fd81221c03d4e40ef59df3f625e2983e217b000000000e8000000002000020000000593308caebad09cb6d047760eaf4469ccb119acebfa0e696a9898d74a93344e7200000006f4bee3b42f92534c77c97fc440de76bf45f1306f6f00b86dff1f429c45c37cf400000003e006e5902cb0e961b0c24e06b08015a76eddd92aad16ca5d08fba154f4f64f21be81dd86666d4e5ffb727ecd819c9d05ffc00c0448cfd8323d098926ef8011c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f9684199b2f7a4a86f864ecc4ec016b00000000020000000000106600000001000020000000f8918689d8290b94934db8ab95fd4a14b3bcf2f54426af80ea212019ede14739000000000e8000000002000020000000da0264103ad11c68bf927bc53eacada0acd45ae69170d2b74a2f7ead70508296900000007f9b202e3e979551bb4f9556efbed9f70bba1a7eae52504d0bd30e231526e84f1addd99faa7360882fa5065d27f9341d07e81f9533a416452f7d462c18463805b4baaa0af49eb04ad77a3d261aed41d68a67d366a2536103a1cdb74002c614f1ddba80bcc953fbc9200b26d277999a2d37651568f308c1880f077ee9aa19b3ea24963b993f11d58699a404cd5acbf89e40000000e344c51b10ca3d36ca3a4fd59f86dfd876bd7d1fa9f6c917d9628362c44a6a099144d178b38116810ab581f0a8bb9f36e8e6c68226b256c6290b656d9cc9baee	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8F74CE1-1771-11EE-80E4-F6780A61CDA7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1488	1304	MSOXMLED.EXE	27
PID 1304 wrote to memory of 1488	1304	MSOXMLED.EXE	27
PID 1304 wrote to memory of 1488	1304	MSOXMLED.EXE	27
PID 1304 wrote to memory of 1488	1304	MSOXMLED.EXE	27
PID 1488 wrote to memory of 1316	1488	iexplore.exe	28
PID 1488 wrote to memory of 1316	1488	iexplore.exe	28
PID 1488 wrote to memory of 1316	1488	iexplore.exe	28
PID 1488 wrote to memory of 1316	1488	iexplore.exe	28
PID 1316 wrote to memory of 900	1316	IEXPLORE.EXE	29
PID 1316 wrote to memory of 900	1316	IEXPLORE.EXE	29
PID 1316 wrote to memory of 900	1316	IEXPLORE.EXE	29
PID 1316 wrote to memory of 900	1316	IEXPLORE.EXE	29

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\LostLife_1.51\LostLife_1.51\lib\doc\xxx.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cfa16d1707f893d165dfcd22086022a

SHA1
372a74e1d171de3444dd3cf846ce0dec042bf8f8

SHA256
1754c37364687e6bdbd2ee9f2b6517bae1a452abfa537ef1ac285359f1842bb3

SHA512
879a9d5583825a2de119fd3c54d4a7a6c50687df286b9633320b2683954d837ed7fe8133b4a19551cd10c0e749e85c8dd3a442d965779b36fafa4b5ff2bc6f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
baf86257cbaef12b5e8669812e8189b4

SHA1
1fa23722cd215330f936fd89af2677adcb23fbf7

SHA256
70db76b7ee12a623347f6b7bdc2d741f7729bc2fa38be4e18eca70bb0feaec8b

SHA512
72c0f6a8d0d522a11b0a7bc73982ca5abafc6dcca71bcdf282b4044d86ebf55b0cc89ed4f4d78b1c878b1b34ae1ff0e62bc8c34cb3fa9547ad84b4a9ea938dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83aa254f08164a2972a9857c026220ae

SHA1
9934f3f2aafa7dd14e86ed5dd51491ce8149cebc

SHA256
12411859da0a526e12a2ea2a7417324c93fcf2e096c76cb751ed1efd69a91b10

SHA512
16e76f9b27fca78f1d02123e0b88a4775affe24698fa6008c963f00dbb1c9f20c5faf2914f65978a9300d442a7e94e27faf300ab307067373e845fd7a80c83e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0013fc2f3452cb7d9d765c9d673677f

SHA1
16b30a3f17e83ba8003865db38fc00d1f48def69

SHA256
9aa4ecd1909021803bb7d3c4b3d17ba38d85e4753169c94ec112e8bbb8677c3a

SHA512
3501e9f5db6ebbffb385eed8ae11575e863aeb19b25a05409a88420ae7f92d2d4d406090eee0dbb49e2fad774930730fc79c98d59a204316971e6b16acd9e4c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0a5e674b3d184494a90e06b5f184390

SHA1
00a7bf5de4cbd8ffbf690f8b6f6d1b1a2323e38f

SHA256
2a30d2b9aa643ed09ae5f187311dc099f59af8bb635e22abff9fd077f80003e3

SHA512
ad0de0101c8f6c0a5022be38324cc8212e245e90b17c2550256a3e20f8a6518e94a8e9a6b5d3dc3b8e1cbe1001bc0f3a4db23d604428e760c454a3ed92c665cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dba6e8aa0b2e50066ee611b335bfa11a

SHA1
79709531a568d87785b4d2243386f94afbd6b987

SHA256
05cfa4004463c1f337dd65b766ec2cbaf80d1434539e7e87343defa2b5632a98

SHA512
496749385a5ca027eb6efb3901bee6a4475a608a5d78ca56dd91018518b4c2e95fc27133d8b8a9d58777665be015c2e6b3899bc2c1492bfe9e7bff2b051c16eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7e2ff46be4cc27ecb25b99b01999e87

SHA1
3a1494d1b059a436e330bcc278b33a23304ad916

SHA256
d56635554d87a4f8c85fb44cc1708de07c036b755755a1faadb648e2d3270f52

SHA512
fbe4d2b61a749a90803d07f54a58f3d0bfbdfb2e5b8a3447fad80748719bdd274634aaf1bd970d37f655af5c6b063f5423d28487ae69a5301171be674f1c671a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f79831973306e227009f9f03b2d889dd

SHA1
b3c64316a2318b8d1810daef534b3bf1d738167d

SHA256
fa404d99d14484f730c6bd410b3963eff51f3f5af67448345f60af0c3218a8eb

SHA512
63963ac2d6c3ea7297d87c8038862945e9b40e1f486552bffee903b1644ef785280f884d8cf7734b47bd2759491f9a61562eb24b56e8a8c1e11e149f2c014d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b9b889dd81cce563c542020f1fad296

SHA1
93641155c7332637f06e64e09dac128ecf452b69

SHA256
af9ffa0254f31a50aca56a2228460e70afd12671075b025b7385702d4a9481a5

SHA512
40d70a8f7d1674ca8bda28bbda8a5abd8012a0ef005fa3efe370c8f73dfe22a91b4abbf30599727d61e112e6b1a041e1efbe8fa9a01b76d5549fddf470e27967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66C1.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6955.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2BWIE81Q.txt

Filesize
608B

MD5
4071223c729208c5890311dfd3746739

SHA1
b3c307db12c2b92a4950f5b7ef923b6ff073e252

SHA256
0ec3c8b077a6ad212e242f33aba50ef028902b216a3881037dee0c67f0b85edb

SHA512
6925641a6a514b9389627feb679e451364b2ddc6d9c2bad667c6d2dab0d145a81eb69a883f5c9c470b377f7448ac61df9c1641257d2d00b23747246ace8d770b

Download Submit