337839269a3be5d60e52de93be53f93cab86a88cb6b331ab0d1322b32e17d83b

Analysis

max time kernel
91s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/09/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lobotomz.exe
Size

438KB
MD5

f713bc9b842e94a0712a0dc0f3a58cce
SHA1

d5c2dc86593248eac098a27e9c3ba6350f46a6fb
SHA256

337839269a3be5d60e52de93be53f93cab86a88cb6b331ab0d1322b32e17d83b
SHA512

c4cef32f25527a984ac613b174bcba2996795526c328e00003977e090551f0accb2aef37838e75a474d92f760b97223324bab8bb0bf177d856d4d3b449d3099b
SSDEEP

1536:N1PbVOwHQGMoivnfOv7SzMFEIePmtu/Et7v1tEYMHGWpUrrWoOTJfuVmyLUQ7wVY:N1PbVvxeeMstW4rqDu7qY

Score

7^/10

bootkit discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies system executable filetype association 2 TTPs 47 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Lobotomz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1040	3736	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lobotomz.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.group	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000560-0000-0010-8000-00AA006D2EA4}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30590098-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4954E0D0-FBC7-11D1-8410-006008C3FBFC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7A5CA45-3E53-46B8-9D9D-BA9CACE47A62}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\OfficeTheme	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F60170D6-43CA-47A4-88BF-F782728E1C87}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp1\shell\PlayWithVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\msrating.dll	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19640.1000_neutral_neutral_cw5n1h2txyewy\ActivatableClassId	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5717D6C-8DBF-4852-B7D8-C003EE09541F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.ogv	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe!App	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{981DC77E-CE21-3753-92DA-3C4A0CC7AA44}\4.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E2846B45-3A42-3A7F-88A2-5010B87050B4}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rat	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dolby.dd-raw	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.eps\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC29A660-30E3-11D0-9E69-00C04FD7C15B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30217F3C-E8FA-416B-ABA6-BF0BD3B79321}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B58397F5-56C3-3492-9B54-1FD260CD5FA6}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.16.0.22000_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\FESearchUI.AppX9tq9yhf12m1rvayzj19ytcq5dbf8	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CE7E6FDB-9CAA-3431-A81C-A687DED63821}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmltemplate\shell\Open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\GLOXFile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0388-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.opus	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Office.Interop.OneNote.Application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShow.8\shell\Print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B92EB61-CBC1-11D3-8C2D-00A0CC37B591}\1.2\HelpDir	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\explorer.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD101-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{196BAB51-2C67-485A-A74F-557182263013}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CA277DB-FE42-53B1-AE3B-098E51FA6A9B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.System.Update.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.6\Protocol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB01-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\Protocol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF.1\DocObject	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\Conversion\Readable\Main	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0DE86A55-2BAA-11CF-A229-00AA003D7352}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C101D-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3110756066-2507771734-389907848-353554127-1230786711-3973453966-120447785\Children	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.ProvTool.Provisioning.1\Shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ContentDirectory.item.videoItem\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.m3u\AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{381BE070-999B-3575-ADC6-68FC392AF3D3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5270F448-EF1E-3313-A4DA-03AE4E5340E3}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\play\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\PlayWithVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71F96464-78F3-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\docxfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CapturePicker_10.0.19580.1000_neutral__cw5n1h2txyewy\ActivatableClassId	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0380-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104BD-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 1060	3736	Lobotomz.exe	79
PID 3736 wrote to memory of 1060	3736	Lobotomz.exe	79
PID 3736 wrote to memory of 1060	3736	Lobotomz.exe	79
PID 1060 wrote to memory of 3520	1060	cmd.exe	81
PID 1060 wrote to memory of 3520	1060	cmd.exe	81
PID 1060 wrote to memory of 3520	1060	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\Lobotomz.exe
"C:\Users\Admin\AppData\Local\Temp\Lobotomz.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCR /f
    3⤵
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1664
  2⤵
  - Program crash
  PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3736 -ip 3736
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3736-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/3736-1-0x0000000000E00000-0x0000000000E74000-memory.dmp

Filesize
464KB

Download
memory/3736-2-0x0000000005E50000-0x00000000063F6000-memory.dmp

Filesize
5.6MB

Download
memory/3736-3-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/3736-4-0x00000000749C0000-0x0000000075171000-memory.dmp

Filesize
7.7MB

Download
memory/3736-5-0x00000000749C0000-0x0000000075171000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads