File name: lem.exe

Full analysis: https://app.any.run/tasks/e7a65bb6-bbe7-4f42-ba0e-96c6b2abbe05
Verdict: Malicious activity
Analysis date: July 09, 2024, 15:32:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: telegram, ddr
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 325A606EA2DBEC3A47BEFB19F0AD3DA6
SHA1: 99F955CBD4D8287898FFA9F682EB1C78FCEF5374
SHA256: 3D739FABBA56B79F84E7CDDD183DFA59429F3C9FB9DA92EB0D6B75815EDACD53
SSDEEP: 49152:eJ1jRhp/I1M5FNEW2iRTQXAHXQOi8Hy2OkrzkVZ9h10JghgvNdd2Gbdbn40:ePjRhpw1M5ZqAHXLi8ROkkthVudrbdbL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • lem.exe (PID: 5732)
      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 1436)
      • findstr.exe (PID: 2916)
      • findstr.exe (PID: 1304)
      • findstr.exe (PID: 4832)
    • Steals credentials from Web Browsers

      • Bathrooms.pif (PID: 3108)
    • Starts CMD.EXE for self-deleting

      • Bathrooms.pif (PID: 3108)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
    • Reads the date of Windows installation

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
      • Bathrooms.pif (PID: 3108)
    • Executing commands from ".cmd" file

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Starts CMD.EXE for commands execution

      • lem.exe (PID: 5732)
      • cmd.exe (PID: 1660)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
      • cmd.exe (PID: 5132)
    • Application launched itself

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Gets information about the list of running processes

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Suspicious file concatenation

      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 1992)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • The executable file from the user directory is run by the CMD process

      • Bathrooms.pif (PID: 3108)
      • Bathrooms.pif (PID: 5624)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 5132)
    • Checks Windows Trust Settings

      • Bathrooms.pif (PID: 3108)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Bathrooms.pif (PID: 3108)
    • Searches for installed software

      • Bathrooms.pif (PID: 3108)
  • INFO

    • Checks supported languages

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
      • Bathrooms.pif (PID: 5624)
    • Reads the computer name

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
    • Process checks computer location settings

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
      • Bathrooms.pif (PID: 3108)
    • Creates files in a temporary directory

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
    • Reads mouse settings

      • Bathrooms.pif (PID: 3108)
      • Bathrooms.pif (PID: 5624)
    • Reads product name

      • Bathrooms.pif (PID: 3108)
    • Reads environment values

      • Bathrooms.pif (PID: 3108)
    • Creates files in the program directory

      • Bathrooms.pif (PID: 3108)
    • Checks proxy server information

      • Bathrooms.pif (PID: 3108)
    • Reads the machine GUID from the registry

      • Bathrooms.pif (PID: 3108)
    • Reads the software policy settings

      • Bathrooms.pif (PID: 3108)
    • Creates files or folders in the user directory

      • Bathrooms.pif (PID: 3108)
    • Reads CPU info

      • Bathrooms.pif (PID: 3108)
    • Manual execution by a user

      • lem.exe (PID: 3152)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 149
Monitored processes: 27
Malicious processes: 5
Suspicious processes: 0


Process information
PID: 240
CMD: cmd /c md 95034
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1048
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1304
CMD: findstr /I "wrsa.exe opssvc.exe"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1332
CMD: cmd /c md 95034
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1436
CMD: findstr /I "wrsa.exe opssvc.exe"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1496
CMD: timeout /t 10
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1660
CMD: "C:\Windows\System32\cmd.exe" /k copy Comments Comments.cmd & Comments.cmd & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: lem.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 9009
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1784
CMD: findstr /V "EnsuresMerchantsGeographicHearing" Sms
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1920
CMD: findstr /V "EnsuresMerchantsGeographicHearing" Sms
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1992
CMD: cmd /c copy /b Chest + Old + Debate 95034\H
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 8 594
Read events: 8 567
Write events: 27
Delete events: 0

Modification events

PID 5732 (lem.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 5732 (lem.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 5732 (lem.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 5732 (lem.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 3108 (Bathrooms.pif) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Executable files: 2
Suspicious files: 29
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Meter | pcx
MD5:B2FCF23B4548770FFD70A7E9F42B803A
SHA256:8A33C8558AD444279805D4694171D8B6D08DB59C38B16356073849B1F8AC4F0A
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Responses | binary
MD5:D5C24CC78A66CE58DEDE73B65996E822
SHA256:98CB41146E9FC1CFF790B39B2A8A4B6F095F2B3F8041B9B450874DBA8D6E7C92
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Thomas | binary
MD5:96648E2982F59739C075FDECE1B98824
SHA256:4D04F9C5D88C45A465B4E851F12BABAFBB020F9F180E6D7B70EC14EB9197C5D0
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Boxing | binary
MD5:661F690A4174D297B9AA68E96A75BD38
SHA256:2A27F4BA17BDC7055C0FD277EFDE4872A2F4E6D6BA4D019D7355FA12DD5A5DF6
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Filed | binary
MD5:665B16A8CD79A44421B37D5E301495DB
SHA256:C1DE07D32EE0BCE18B50448F07026E9F4BA5F9FF98A5A2A3DFCC013ADDEBAF00
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Receives | binary
MD5:29846F0F67B9C8BD7AAA48CD9C72AC86
SHA256:E9619BCE4C718251E4B4CAFFBB956FD6272F48CBB2E22EDF8F10A1AF1AD002BE
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Reproduced | binary
MD5:FA8318506C6020D76D99BA2585DAF761
SHA256:7058460B66FFD8B00A7A5999840E75F893C77565B835C1AE4393C6FFCF7E6D2B
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Ending | binary
MD5:7125BEB49323F08CBE1FB3AC08A6034A
SHA256:D3701EE2D0CC20ADC7CF88F5FA198378C5B70E71DE8DBFBCA0C5F0421676D7D0
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Initiated | binary
MD5:51EB81F0BF9501BE8505866AF584017F
SHA256:6A9EF859A4C8844D05369020B6A7C19F9943C42C99304953691EBCA8287DC500
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Liechtenstein | binary
MD5:4A1700A382EEBBFA707BD35B1A16C7B6
SHA256:F3C1C5310F5E73465E8ABF9EFC45FD58999905CE94E84D75F3026E7FF8E12748
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 24
DNS requests: 9
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1792 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1792 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
3108 | Bathrooms.pif | POST | | 185.107.56.203:80 | http://tea.arpdabl.org/ | unknown | unknown
| | POST | 200 | 20.42.73.28:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown
| | GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199735694209 | unknown | html | 33.9 Kb
| | GET | 200 | 149.154.167.99:443 | https://t.me/puffclou | unknown | html | 12.0 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2064 | svchost.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1792 | RUXIMICS.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1972 | MoUsoCoreWorker.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1792 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2064 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1972 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1972 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1792 | RUXIMICS.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
mNLLDjOMLqNop.mNLLDjOMLqNop | | unknown
www.microsoft.com | 23.52.120.96 | whitelisted
steamcommunity.com | 104.102.42.29 | whitelisted
t.me | 149.154.167.99 | whitelisted
self.events.data.microsoft.com | 20.50.73.4 | whitelisted
tea.arpdabl.org | 185.107.56.203 | malicious

Threats

PID | Process | Class | Message
3108 | Bathrooms.pif | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
3108 | Bathrooms.pif | Malware Command and Control Activity Detected | SUSPICIOUS [ANY.RUN] Used Steam website as a dead drop resolver (DDR)
3108 | Bathrooms.pif | Malware Command and Control Activity Detected | SUSPICIOUS [ANY.RUN] Dead Drop Resolver (DDR) inside Telegram Contact