lobshot | 15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HVNC.exe
Size

96KB
MD5

9315eb6ecab91d17c13e8e12c850fd1a
SHA1

412eed3de0dd1714b4b27d77dec8d653e6d604cf
SHA256

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228
SHA512

c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216
SSDEEP

1536:QX1tIEY/6mS2I4bD7jrFgkfTeXslrYNJJpnPEqQFXB00Gdhp4VjlK+I/QX205eBj:QX1tIM2IOXjdfTeXsirnPgu4PK+Iocc

Score

10^/10

lobshot backdoor persistence

Malware Config

Signatures

Detects Lobshot family 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023197-9.dat	family_lobshot
behavioral2/files/0x0007000000023197-10.dat	family_lobshot

Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot

Executes dropped EXE 1 IoCs

pid	Process
3528	service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	HVNC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3760	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2724	HVNC.exe
2724	HVNC.exe
3528	service.exe
3528	service.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 1964	2724	HVNC.exe	80
PID 2724 wrote to memory of 1964	2724	HVNC.exe	80
PID 2724 wrote to memory of 1964	2724	HVNC.exe	80
PID 1964 wrote to memory of 3760	1964	cmd.exe	82
PID 1964 wrote to memory of 3760	1964	cmd.exe	82
PID 1964 wrote to memory of 3760	1964	cmd.exe	82
PID 1964 wrote to memory of 3528	1964	cmd.exe	86
PID 1964 wrote to memory of 3528	1964	cmd.exe	86
PID 1964 wrote to memory of 3528	1964	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\HVNC.exe
"C:\Users\Admin\AppData\Local\Temp\HVNC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\HVNC.exe") & (start "" "C:\ProgramData\service.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3760
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cln_log.txt

Filesize
350B

MD5
251b1178e9ffab73487240cc946cee62

SHA1
a21235a7289288936b2795dcadfaccf3c1027d29

SHA256
93af7ba1ff21e6accd6fdc3de6286b43dc542f15cf9b533fa85293f97ee4b263

SHA512
8b537bcb60e6a8f1c18d7952cbc016eb9a0d4d74aaafdfb90ba5be2fa00b6cc88f4983a9b73f4fabe147afa57375db49d1527a729f93d6aa95029b5aec5464e8

Download Submit
C:\ProgramData\cln_log.txt

Filesize
4KB

MD5
c7f06c4ebaf905bd56a0e5697b904e8e

SHA1
b5201c9300f04f5c3625b2b9ce41e0eaf4fd99b3

SHA256
44468c87aee11ff86ff82b755baed0edd9b71692d6ce942bf9cf073e73a6cc11

SHA512
59b6b1e5e167e64637be0ed3a7743b73df56254682466dc339113c580e16b29751d5205c823f0ada74da92fc6ae77e1d4e7f4bd8d184b5c8d46692582ad1432f

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit