lobshot | 15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04346899.exe
Size

96KB
MD5

9315eb6ecab91d17c13e8e12c850fd1a
SHA1

412eed3de0dd1714b4b27d77dec8d653e6d604cf
SHA256

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228
SHA512

c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216
SSDEEP

1536:QX1tIEY/6mS2I4bD7jrFgkfTeXslrYNJJpnPEqQFXB00Gdhp4VjlK+I/QX205eBj:QX1tIM2IOXjdfTeXsirnPgu4PK+Iocc

Score

10^/10

lobshot backdoor persistence

Malware Config

Signatures

Detects Lobshot family 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023104-142.dat	family_lobshot
behavioral2/files/0x000a000000023104-143.dat	family_lobshot

Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot

Executes dropped EXE 1 IoCs

pid	Process
640	service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	04346899.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4924	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1512	04346899.exe
1512	04346899.exe
640	service.exe
640	service.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4900	1512	04346899.exe	80
PID 1512 wrote to memory of 4900	1512	04346899.exe	80
PID 1512 wrote to memory of 4900	1512	04346899.exe	80
PID 4900 wrote to memory of 4924	4900	cmd.exe	82
PID 4900 wrote to memory of 4924	4900	cmd.exe	82
PID 4900 wrote to memory of 4924	4900	cmd.exe	82
PID 4900 wrote to memory of 640	4900	cmd.exe	83
PID 4900 wrote to memory of 640	4900	cmd.exe	83
PID 4900 wrote to memory of 640	4900	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\04346899.exe
"C:\Users\Admin\AppData\Local\Temp\04346899.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\04346899.exe") & (start "" "C:\ProgramData\service.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4924
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cln_log.txt

Filesize
350B

MD5
ee07a067e020e3b46bad59e5b3f6fd3c

SHA1
cf392f7ab455f14cbea4b5ad0bd21b3da793beb3

SHA256
daa0beb273f3542ddc203be8d5d3cc54d40193d24c1816546ac254ef53464adc

SHA512
5439f13d2b9008a4455c82aa2dde1a0d41115dd769cac9bad08c3434717f0c21d8d711a0c97cd4303f549bf169a562a075494e78db4f84fb0fd3722813211b48

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit