ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a

General

Target

ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe
Size

1.7MB
MD5

efc06741329d629aecddd3f81c93bb86
SHA1

6bac2efcc90544ea5a57c50f17a37df3a21c7b9c
SHA256

ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a
SHA512

9bee2185fce5cb017429df2bc239d51424d90f1864bb770b1acf5a007cdc1648480c38a34b272b42a7c8bc032eef786c1608daf9ebe0cf6687538c35d7d5324e
SSDEEP

24576:cf7jgH4Sds/8pqNoJZvKKYIdM56ZRfnUNt/yO0NbH3vMvSaG3x:cf7x/8pTTv5IKnUCTj3vNaS

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ltq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ltq.sys"	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1532-0-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1532-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1532	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1532	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe
1532	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe
1532	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe
1532	ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe

C:\Users\Admin\AppData\Local\Temp\ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe
"C:\Users\Admin\AppData\Local\Temp\ba0247ab3f3d50b0073104d48905d0e9470d20d4c1cf49c5faff29f8aac79b4a.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ltq.sys

Filesize
22KB

MD5
5ed2ba11b521b57fe9ab62aa68ae3587

SHA1
74ac8eba2c2b4d2ed82717f50d6c92d0a92722c1

SHA256
155ffc196a38f8a7d3abbc17f384cc6da4ce2eee4b9f7d8b1346ed0d3152ddec

SHA512
639b03503659145ba79658463ec18193fbd8fe9bda6be34e81f335e8d6048f8845c7575a3f515b0f4ee7f4a3c7d466a57fe27232f9b7169b47d01209f50ca210

Download Submit
memory/1532-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-0-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1532-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads