lobshot | 15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/06/2023, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
Size

96KB
MD5

9315eb6ecab91d17c13e8e12c850fd1a
SHA1

412eed3de0dd1714b4b27d77dec8d653e6d604cf
SHA256

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228
SHA512

c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216
SSDEEP

1536:QX1tIEY/6mS2I4bD7jrFgkfTeXslrYNJJpnPEqQFXB00Gdhp4VjlK+I/QX205eBj:QX1tIM2IOXjdfTeXsirnPgu4PK+Iocc

Score

10^/10

lobshot backdoor persistence

Malware Config

Signatures

Detects Lobshot family 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023130-141.dat	family_lobshot
behavioral2/files/0x0009000000023130-143.dat	family_lobshot

Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot

Executes dropped EXE 1 IoCs

pid	Process
1928	service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4180	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3444	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
3444	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
1928	service.exe
1928	service.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4448	3444	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	85
PID 3444 wrote to memory of 4448	3444	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	85
PID 3444 wrote to memory of 4448	3444	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	85
PID 4448 wrote to memory of 4180	4448	cmd.exe	87
PID 4448 wrote to memory of 4180	4448	cmd.exe	87
PID 4448 wrote to memory of 4180	4448	cmd.exe	87
PID 4448 wrote to memory of 1928	4448	cmd.exe	88
PID 4448 wrote to memory of 1928	4448	cmd.exe	88
PID 4448 wrote to memory of 1928	4448	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
"C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe") & (start "" "C:\ProgramData\service.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4180
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cln_log.txt

Filesize
350B

MD5
e9b8e8b41eb4d053b4cecae83887fae7

SHA1
99da1f6aa20a7df8d32e887a3dad3e0e6e671fb8

SHA256
31822ccf1d74bd12ce5f729068860859124f5cc288f1a7712269290d7bca1a85

SHA512
3811c38a731fcb835cc4e4030be50c8dfb1fd9907308cf7bc617d5a15f0e9cda21bdede1a8dc6dc6e7f18f686d269c3e93ff87a36b29607539fff1b24d74c225

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit