def77dec17108dc1cf940823eee4a83762a8e50dce9a2978abfaf5f1a6438ab4

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lqtxupdater.exe
Size

757KB
MD5

3c91c9b98e30cd339329114c26a7ed5f
SHA1

e952a3d915deddec7bfddba1c3500065663cc229
SHA256

def77dec17108dc1cf940823eee4a83762a8e50dce9a2978abfaf5f1a6438ab4
SHA512

cabc5be97ba196e89cf766013c036d4e96177fd7962f414eee12e103f5bcbc03be42f1c927384e067784c89ad640c532680c57228f07288ebdceda0cc1f449d1
SSDEEP

12288:PFUNDaE/9LlbRRaHIKhbBkSHgcUBEthBw4f+1uPCVe2z7grsunc:PFOa+PR+VhNkI1/thBrf+wIlgrtnc

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2924	lqtxupdater.exe
2980	icsys.icn.exe
2492	explorer.exe
2672	spoolsv.exe
2876	svchost.exe
2704	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
2204	lqtxupdater.exe
2204	lqtxupdater.exe
536	Process not Found
2980	icsys.icn.exe
2492	explorer.exe
2672	spoolsv.exe
2876	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	lqtxupdater.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqtxupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1620	schtasks.exe
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2492	explorer.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2492	explorer.exe
2876	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2204	lqtxupdater.exe
2204	lqtxupdater.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2492	explorer.exe
2492	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2876	svchost.exe
2876	svchost.exe
2704	spoolsv.exe
2704	spoolsv.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2924	2204	lqtxupdater.exe	30
PID 2204 wrote to memory of 2924	2204	lqtxupdater.exe	30
PID 2204 wrote to memory of 2924	2204	lqtxupdater.exe	30
PID 2204 wrote to memory of 2924	2204	lqtxupdater.exe	30
PID 2204 wrote to memory of 2980	2204	lqtxupdater.exe	31
PID 2204 wrote to memory of 2980	2204	lqtxupdater.exe	31
PID 2204 wrote to memory of 2980	2204	lqtxupdater.exe	31
PID 2204 wrote to memory of 2980	2204	lqtxupdater.exe	31
PID 2980 wrote to memory of 2492	2980	icsys.icn.exe	33
PID 2980 wrote to memory of 2492	2980	icsys.icn.exe	33
PID 2980 wrote to memory of 2492	2980	icsys.icn.exe	33
PID 2980 wrote to memory of 2492	2980	icsys.icn.exe	33
PID 2924 wrote to memory of 2812	2924	lqtxupdater.exe	34
PID 2924 wrote to memory of 2812	2924	lqtxupdater.exe	34
PID 2924 wrote to memory of 2812	2924	lqtxupdater.exe	34
PID 2812 wrote to memory of 2044	2812	cmd.exe	35
PID 2812 wrote to memory of 2044	2812	cmd.exe	35
PID 2812 wrote to memory of 2044	2812	cmd.exe	35
PID 2812 wrote to memory of 2652	2812	cmd.exe	36
PID 2812 wrote to memory of 2652	2812	cmd.exe	36
PID 2812 wrote to memory of 2652	2812	cmd.exe	36
PID 2812 wrote to memory of 2684	2812	cmd.exe	37
PID 2812 wrote to memory of 2684	2812	cmd.exe	37
PID 2812 wrote to memory of 2684	2812	cmd.exe	37
PID 2492 wrote to memory of 2672	2492	explorer.exe	38
PID 2492 wrote to memory of 2672	2492	explorer.exe	38
PID 2492 wrote to memory of 2672	2492	explorer.exe	38
PID 2492 wrote to memory of 2672	2492	explorer.exe	38
PID 2672 wrote to memory of 2876	2672	spoolsv.exe	39
PID 2672 wrote to memory of 2876	2672	spoolsv.exe	39
PID 2672 wrote to memory of 2876	2672	spoolsv.exe	39
PID 2672 wrote to memory of 2876	2672	spoolsv.exe	39
PID 2876 wrote to memory of 2704	2876	svchost.exe	40
PID 2876 wrote to memory of 2704	2876	svchost.exe	40
PID 2876 wrote to memory of 2704	2876	svchost.exe	40
PID 2876 wrote to memory of 2704	2876	svchost.exe	40
PID 2492 wrote to memory of 2960	2492	explorer.exe	41
PID 2492 wrote to memory of 2960	2492	explorer.exe	41
PID 2492 wrote to memory of 2960	2492	explorer.exe	41
PID 2492 wrote to memory of 2960	2492	explorer.exe	41
PID 2876 wrote to memory of 2728	2876	svchost.exe	42
PID 2876 wrote to memory of 2728	2876	svchost.exe	42
PID 2876 wrote to memory of 2728	2876	svchost.exe	42
PID 2876 wrote to memory of 2728	2876	svchost.exe	42
PID 2876 wrote to memory of 1620	2876	svchost.exe	46
PID 2876 wrote to memory of 1620	2876	svchost.exe	46
PID 2876 wrote to memory of 1620	2876	svchost.exe	46
PID 2876 wrote to memory of 1620	2876	svchost.exe	46
PID 2876 wrote to memory of 2320	2876	svchost.exe	48
PID 2876 wrote to memory of 2320	2876	svchost.exe	48
PID 2876 wrote to memory of 2320	2876	svchost.exe	48
PID 2876 wrote to memory of 2320	2876	svchost.exe	48

C:\Users\Admin\AppData\Local\Temp\lqtxupdater.exe
"C:\Users\Admin\AppData\Local\Temp\lqtxupdater.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- \??\c:\users\admin\appdata\local\temp\lqtxupdater.exe
  c:\users\admin\appdata\local\temp\lqtxupdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\lqtxupdater.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "c:\users\admin\appdata\local\temp\lqtxupdater.exe " MD5
      4⤵
      PID:2044
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2652
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2684
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:53 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:54 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:55 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
7082f17296b2217da88f08e1013f9a9d

SHA1
98d51a3fc233e139e389e8d7ed60a129ec558b45

SHA256
a2fa73703aa6763125f0fe4ba46d13c56f998d18598fab0459445407b65f16bb

SHA512
d7652bdd876256627a1691b848f7b99a247c21d2bc73a0d78cdf0ab2c77b9442a02599388c2e4133f540631a12c4911729839c6f4175bb520c5cc414659a9d17

Download Submit
\Users\Admin\AppData\Local\Temp\lqtxupdater.exe

Filesize
622KB

MD5
d16a88f2bd7691a3e148145a63fe1e69

SHA1
f2efbbcde0a85d206760bcfe2ec5266bf28d5a00

SHA256
287155f9fceef4c03354c75fba5a5f243e94627937a60f7075abb6133b350cac

SHA512
f70c59a79fa4ab5af24bdc24c2fd81b2405617b320d958cc767995e2b5af34c0169b9b1791ef943b299ee76de96683163aa64d1f7a497b0720c5c8113c6e84f9

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d58e79299422270192a1bb3151916f33

SHA1
f1a9f83b136bb09abc769aadb0d99eacba67b063

SHA256
a33ea21015120f5480973d55b38af8a39c4baca978b962433fcff7982f6de6c7

SHA512
618f72ad564c083d2663624e55ae486a23a907ff0e35c9e7ce7e2c6eb88dfc5e62b9002bb2dad85f9926ff64e89dc745ff536a4f4e327004429bd38e36ad19ab

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1f9a62a1e99644c23a4c97f3ecec145e

SHA1
554a50f66884495ce1fa6ecfb5f79b47ec789c60

SHA256
315b80fdde5d38a6aa21191b378475aa5fd77cd287938d7f4a0ceb0074f4346f

SHA512
e95ab34a794bb4a27290f42243cc3007bb9b303bd6269abc3cc2e1582d6f9196dd6bd186d271806bc7480c31f9d05b4dc0aea1046eca1cbb4506fe6f1ddc5326

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
3f4697d49297dc835b4f27126a7ebd41

SHA1
c3f39b9cff64ad7b0790b1437a4e8c34867cb2bc

SHA256
2a4953e8df9c92044e043dc474bb69863b12a61d6feeca2435b6856be5330549

SHA512
e4d7cc555c7f519217260e144db2098d1a9bfe153a451aa0ac2451a9bd0172314d3544788d33bbcbf15a6c50dfaf06f42a64bfeaf5b7b937b8f16632b8026ad1

Download Submit
memory/2204-11-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2204-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2704-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-52-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2876-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download