4ea64e7296b423c6ba91f3f850bae048cae8c3a4c6bb04540ff7af13de4c5120

General

Target

LostLife_1.52_dev.exe
Size

10.5MB
MD5

2ec2df314b2b6b63aa06847720ad17a5
SHA1

398d34073e0e0a86d8ae2e00cda97c818b66b3ee
SHA256

4ea64e7296b423c6ba91f3f850bae048cae8c3a4c6bb04540ff7af13de4c5120
SHA512

f997a37df7638372f29df9bd6159d540887d9a15a5d2714a75cf958fb7cc0ae499d49d83d85dfb4b2d896b11b563509b14aa689c0d2ae573cb8708aa7cda09e2
SSDEEP

196608:OMO3UEy7hmFkSMYMv2/gkBX143lIUlOLuQMPGnuzSDBTT:Ot3UEy7wFY2/gkB8gBMP1zSB

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LostLife_1.52_dev.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LostLife_1.52_dev.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	LostLife_1.52_dev.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	LostLife_1.52_dev.exe

C:\Users\Admin\AppData\Local\Temp\LostLife_1.52_dev.exe
"C:\Users\Admin\AppData\Local\Temp\LostLife_1.52_dev.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sol

Filesize
550B

MD5
a1e9e8aa51948d6405457a4cb44d0ad8

SHA1
e38f29dfa1599d7e9c9af785c30beefc6ab6f220

SHA256
cb86a683817d1318ee3b75b27a346c4eaf93ab5989320e9e2507d22c7bdd83cd

SHA512
4b1aed4a6b72c39665c98b627d53795d0615a46af9b1a3c20880aabae41d9e0872d9469cc33d191f33257f23845079498cfbdb2ceb410146440d51f31e50191b

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sol

Filesize
52B

MD5
265e345a2167e0a980c14ac99ed48911

SHA1
fe7f86554a4a8a03db9f473c5812c15782ccda66

SHA256
2169640d8f6191364e70c41960449bf1ceddeff21493a60fb26fb6da56571fe1

SHA512
d051afe47790575135312f3dada35a209886dd44780de87267ec8242aa069828b0a831c18c2f3987adcbf4ac2c1dd8c928e9be9e06d3a2825aee407688588ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sol

Filesize
346B

MD5
f1a59c091956a5699b7cfbf7b55ad081

SHA1
653167197e5f3404ea4c7b745124e1ddb6950725

SHA256
474a4e6260ce5c27f76f4f5b10951eaadf4a53b455257dbdfc9bd438903703e4

SHA512
0ec8eb65dffa057efff156cce4004ebe6d66a75aa87f2fbc58c3ab43411838b9dbbefb3eaf45e6d5ce0df1eb3290280b98e5bace8aefffa7ec6f65f4ed46e2c4

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sxx

Filesize
139B

MD5
3c35e6aa4c4d41d96c61a7ce66d749c9

SHA1
ef68070adb91d14e8bf19336dcd24f6068a67414

SHA256
903f2a0c2322c4c1f12042ea6936b9599a03592df5af4de43c10fb1b0dbc44cd

SHA512
0cd1f65784b628738d0f1b96bc8c2ad7d27545c08d2b7435025e18a0abb90cfa6701f933803fe1019b52c8ded3b94def6b4cdf4fa43c1dab6723884b0b9069f0

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sxx

Filesize
91B

MD5
5b87e2cfc5aafb9711810b40889e4ce0

SHA1
129e9f0a85d9f2ba83415be709eb81a02d4d2c90

SHA256
8bbb1f4f7cd5f70fadb6a06921b23223e78da3dcb96666ef9482789d5b966c79

SHA512
edbc214506e3922d0e29e625c6a56171b21ee9b09cf6d135a90faead45ba8793283ea108efa01f022921107549abbb563a7f46e628c496cce50da3d36d09ae28

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\TQ8QARTH\localhost\HLB02_Core_dev_1.52.sxx

Filesize
182B

MD5
6944f621b97615638a6453c8b859cdaa

SHA1
57f7f473ce05ac19b669bbfc40ae9f886357d418

SHA256
d46161aa404bc75c585d3445ea2c9375e8c2bd404e1892fdfacfcdef5fa6901d

SHA512
2c9c00508fee2766063b651f8ac58a0aa2dd6bbf457d475275736556a088d18da62bf4832eb46bf2bb7b937800c44eca90ec201d99e9cbfc6faa258a6627a32b

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\openssl\cache\RevocationCacheFile.dat

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit
memory/2156-551-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-550-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-552-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-554-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-553-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2156-658-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2156-659-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-660-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2156-661-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing