File name: lem.exe

Full analysis: https://app.any.run/tasks/e7a65bb6-bbe7-4f42-ba0e-96c6b2abbe05
Verdict: Malicious activity
Analysis date: July 09, 2024, 15:32:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: telegram, ddr
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 325A606EA2DBEC3A47BEFB19F0AD3DA6
SHA1: 99F955CBD4D8287898FFA9F682EB1C78FCEF5374
SHA256: 3D739FABBA56B79F84E7CDDD183DFA59429F3C9FB9DA92EB0D6B75815EDACD53
SSDEEP: 49152:eJ1jRhp/I1M5FNEW2iRTQXAHXQOi8Hy2OkrzkVZ9h10JghgvNdd2Gbdbn40:ePjRhpw1M5ZqAHXLi8ROkkthVudrbdbL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • lem.exe (PID: 5732)
      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 2916)
      • findstr.exe (PID: 1436)
      • findstr.exe (PID: 4832)
      • findstr.exe (PID: 1304)
    • Steals credentials from Web Browsers

      • Bathrooms.pif (PID: 3108)
    • Starts CMD.EXE for self-deleting

      • Bathrooms.pif (PID: 3108)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
    • Executing commands from ".cmd" file

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Reads the date of Windows installation

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
    • Starts CMD.EXE for commands execution

      • lem.exe (PID: 5732)
      • cmd.exe (PID: 1660)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
      • cmd.exe (PID: 5132)
    • Get information on the list of running processes

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Suspicious file concatenation

      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 1992)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
      • cmd.exe (PID: 2848)
    • Application launched itself

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 5132)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Bathrooms.pif (PID: 3108)
    • Checks Windows Trust Settings

      • Bathrooms.pif (PID: 3108)
    • Searches for installed software

      • Bathrooms.pif (PID: 3108)
    • The executable file from the user directory is run by the CMD process

      • Bathrooms.pif (PID: 3108)
      • Bathrooms.pif (PID: 5624)
  • INFO

    • Create files in a temporary directory

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
    • Reads the computer name

      • lem.exe (PID: 5732)
      • lem.exe (PID: 3152)
      • Bathrooms.pif (PID: 3108)
    • Process checks computer location settings

      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 3152)
    • Checks supported languages

      • Bathrooms.pif (PID: 3108)
      • lem.exe (PID: 5732)
      • Bathrooms.pif (PID: 5624)
      • lem.exe (PID: 3152)
    • Creates files in the program directory

      • Bathrooms.pif (PID: 3108)
    • Reads mouse settings

      • Bathrooms.pif (PID: 3108)
      • Bathrooms.pif (PID: 5624)
    • Reads the machine GUID from the registry

      • Bathrooms.pif (PID: 3108)
    • Creates files or folders in the user directory

      • Bathrooms.pif (PID: 3108)
    • Checks proxy server information

      • Bathrooms.pif (PID: 3108)
    • Reads the software policy settings

      • Bathrooms.pif (PID: 3108)
    • Reads Environment values

      • Bathrooms.pif (PID: 3108)
    • Manual execution by a user

      • lem.exe (PID: 3152)
    • Reads product name

      • Bathrooms.pif (PID: 3108)
    • Reads CPU info

      • Bathrooms.pif (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 149
Monitored processes: 27
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process launch order as recorded by the sandbox (the sample was started twice, which is why lem.exe appears with PIDs 5732 and 3152 in the signatures above and the chain below repeats):

start → lem.exe → cmd.exe → conhost.exe → tasklist.exe → findstr.exe → tasklist.exe → findstr.exe → cmd.exe → findstr.exe → cmd.exe → bathrooms.pif → timeout.exe → cmd.exe → conhost.exe → timeout.exe → lem.exe → cmd.exe → conhost.exe → tasklist.exe → findstr.exe → tasklist.exe → findstr.exe → cmd.exe → findstr.exe → cmd.exe → bathrooms.pif → timeout.exe

Process information

PID 240 | cmd /c md 95034
  Path: C:\Windows\SysWOW64\cmd.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Windows Command Processor | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1048 | tasklist
  Path: C:\Windows\SysWOW64\tasklist.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Lists the current running tasks | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\tasklist.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID 1304 | findstr /I "wrsa.exe opssvc.exe"
  Path: C:\Windows\SysWOW64\findstr.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Exit code: 1
  Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1332 | cmd /c md 95034
  Path: C:\Windows\SysWOW64\cmd.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Exit code: 1
  Description: Windows Command Processor | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1436 | findstr /I "wrsa.exe opssvc.exe"
  Path: C:\Windows\SysWOW64\findstr.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 1
  Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1496 | timeout /t 10
  Path: C:\Windows\SysWOW64\timeout.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: timeout - pauses command processing | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\timeout.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID 1660 | "C:\Windows\System32\cmd.exe" /k copy Comments Comments.cmd & Comments.cmd & exit
  Path: C:\Windows\SysWOW64\cmd.exe | Parent: lem.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 9009
  Description: Windows Command Processor | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1784 | findstr /V "EnsuresMerchantsGeographicHearing" Sms
  Path: C:\Windows\SysWOW64\findstr.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Exit code: 0
  Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1920 | findstr /V "EnsuresMerchantsGeographicHearing" Sms
  Path: C:\Windows\SysWOW64\findstr.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1992 | cmd /c copy /b Chest + Old + Debate 95034\H
  Path: C:\Windows\SysWOW64\cmd.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Exit code: 0
  Description: Windows Command Processor | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Loaded modules: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

Reading the exit codes: findstr returns 1 when no line matched and 0 otherwise, so exit code 1 on both findstr /I "wrsa.exe opssvc.exe" instances means neither process name (Webroot's wrsa.exe, Quick Heal's opssvc.exe) appeared in the tasklist output and the staging continued. Exit code 9009 on PID 1660 is cmd.exe's "command not recognized" status, carried out by the trailing "exit" from the last command in Comments.cmd. The same chain appears twice (once at MEDIUM and once at HIGH integrity) because the sample was started twice.
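The process table above records the staging chain as six separate signatures (AV check via tasklist | findstr, findstr /V to strip a marker string out of a staged file, copy /b to reassemble split parts, an extensionless blob copied to .cmd and run, a .pif launched from the user profile, and timeout). Below is an added example, not code from the ANY.RUN report, that scores constructed process-creation events as one chain keyed on the outermost cmd.exe. The command lines are copied from the table; the event layout, the parent PID and path of lem.exe, and the on-disk path of Bathrooms.pif are assumptions for the example.

```python
"""Added example (not code from the ANY.RUN report): correlate the cmd.exe /
findstr / copy staging chain from the process table into a single finding.

Event layout (pid, ppid, image, command line) is assumed. Command lines are
copied from the report; the parent PID and path of lem.exe and the path of
Bathrooms.pif are placeholders, not values from the report."""
import re
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image path, command line).
EVENTS = [
    (5732, 1, r"C:\Users\admin\Desktop\lem.exe", "lem.exe"),            # ppid/path assumed
    (1660, 5732, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k copy Comments Comments.cmd & Comments.cmd & exit'),
    (1048, 1660, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (1436, 1660, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (1920, 1660, r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /V "EnsuresMerchantsGeographicHearing" Sms'),
    (240, 1660, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 95034"),
    (1992, 1660, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Chest + Old + Debate 95034\H"),
    (3108, 1660, r"C:\Users\admin\AppData\Local\Temp\95034\Bathrooms.pif",  # path assumed
     "Bathrooms.pif"),
    (1496, 1660, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 10"),
    # Benign control: an administrator grepping tasklist output by hand.
    (7001, 7000, r"C:\Windows\System32\findstr.exe", 'findstr /I "notepad.exe"'),
]

# Process names the sample greps for: Webroot (wrsa.exe) and Quick Heal (opssvc.exe).
AV_NAMES = ("wrsa.exe", "opssvc.exe")


def match_rules(image, cmdline):
    """Return the names of the staging heuristics that fire on a single event."""
    img, cmd = image.lower(), cmdline.lower()
    hits = []
    if img.endswith("findstr.exe") and "/i" in cmd and any(n in cmd for n in AV_NAMES):
        hits.append("av_discovery_via_findstr")    # tasklist | findstr /I "<av names>"
    if img.endswith("findstr.exe") and re.search(r'/v\s+"[^"]+"\s+\S+', cmd):
        hits.append("marker_strip_findstr_v")      # drop decoy lines from a staged file
    if re.search(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", cmd):
        hits.append("binary_concat_copy_b")        # reassemble a payload split into parts
    if re.search(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", cmd):
        hits.append("rename_to_cmd_and_run")       # extensionless blob -> .cmd, then run
    if img.endswith(".pif") and "\\users\\" in img:
        hits.append("pif_from_user_dir")
    if re.match(r"\s*timeout\s+/t\s+\d+", cmd):
        hits.append("timeout_delay")
    return hits


def chain_root(pid, parents, images):
    """Walk up through cmd.exe ancestors and return the outermost cmd.exe PID
    (or the PID itself when it has no cmd.exe parent)."""
    root, cur = pid, parents.get(pid)
    while cur in images and images[cur].lower().endswith("cmd.exe"):
        root, cur = cur, parents.get(cur)
    return root


def score_chains(events, threshold=3):
    """Map each chain root to the sorted set of heuristics that fired anywhere
    under it; keep only chains with at least `threshold` distinct hits."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: img for pid, _, img, _ in events}
    hits = defaultdict(set)
    for pid, _, image, cmdline in events:
        for rule in match_rules(image, cmdline):
            hits[chain_root(pid, parents, images)].add(rule)
    return {root: sorted(r) for root, r in hits.items() if len(r) >= threshold}


if __name__ == "__main__":
    for root, rules in score_chains(EVENTS).items():
        print(f"staging chain rooted at cmd.exe PID {root}: {', '.join(rules)}")
```

Keying on the outermost cmd.exe matters here because every stage runs as a sibling under PID 1660 rather than as a linear parent/child descent; a detection that looks for a single parent/child pair (for example cmd.exe spawning findstr.exe) sees the benign control just as readily as the sample, while the combined chain above fires only on the sample.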
Total events: 8 594
Read events: 8 567
Write events: 27
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
5732 | lem.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
5732 | lem.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
5732 | lem.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
5732 | lem.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
3108 | Bathrooms.pif | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1

The ZoneMap and Cache\CachePrefix writes are the standard side effect of WinINet/urlmon initialising in a process that uses them; they show that both lem.exe and Bathrooms.pif set up Internet Explorer-style networking, not that the sample tampered with zone settings.
Executable files: 2
Suspicious files: 29
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | Hashes
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Reproduced | binary | MD5: FA8318506C6020D76D99BA2585DAF761, SHA256: 7058460B66FFD8B00A7A5999840E75F893C77565B835C1AE4393C6FFCF7E6D2B
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Ll | binary | MD5: 754E8C090842779B387848B6C7D05056, SHA256: B88053861C4DC89836B806277ADA36BECE6EBE24C91F0A969A205BDF555973D3
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Liechtenstein | binary | MD5: 4A1700A382EEBBFA707BD35B1A16C7B6, SHA256: F3C1C5310F5E73465E8ABF9EFC45FD58999905CE94E84D75F3026E7FF8E12748
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Prototype | binary | MD5: 9D929650F45059B6008B262DCA4C38AD, SHA256: EE0B94E9674580C951CEC93BB24BE984C40FCD0FCDDB440EDDAF473FC0C38B53
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Magnitude | binary | MD5: F8854AB901789B4CA195EE7DA3A56996, SHA256: B801E1770079542C301ACBFA94CD4BA71998750ADD0A391D4C42113283D5CCA6
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Shuttle | mp3 | MD5: 2DBD9A70801F9884623298015AFC3081, SHA256: 5B18712950B044D893977CCDBD956EF29DB4668FC9A6AA84536EB869B5B1843B
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Of | binary | MD5: 3454C5CF55502AF90CC76A45F112232C, SHA256: 912E53B30A0AE30B2C3AB6F00CB1D5216E9ACEC555EC7973C9E65E7E61DDF29D
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Mode | binary | MD5: BE93BC804BB05D03FE6E96BA8D625D84, SHA256: FD7512930282A3A69422EC2344FCD612E9DB736B798F68D311245725CF2CB4A6
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Thomas | binary | MD5: 96648E2982F59739C075FDECE1B98824, SHA256: 4D04F9C5D88C45A465B4E851F12BABAFBB020F9F180E6D7B70EC14EB9197C5D0
5732 | lem.exe | C:\Users\admin\AppData\Local\Temp\Inappropriate | binary | MD5: EF22F8B52666ADD4C1DEFD4728AB6FBE, SHA256: EFC6EFFE9A009893DB32B200B874F1BBED9E2AA650600F3EE16CB8650DF00954
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 24
DNS requests: 9
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
3108 | Bathrooms.pif | POST | - | 185.107.56.203:80 | http://tea.arpdabl.org/ | unknown | - | - | unknown
1792 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
1792 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
- | - | GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199735694209 | unknown | html | 33.9 Kb | unknown
- | - | POST | 200 | 20.42.73.28:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | - | - | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
- | - | GET | 200 | 149.154.167.99:443 | https://t.me/puffclou | unknown | html | 12.0 Kb | unknown

("-" marks a field the report leaves empty; the steamcommunity.com, t.me and OneCollector rows carry no PID or process name in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2064 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1792 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1972 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1792 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2064 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1972 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1972 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1792 | RUXIMICS.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
mNLLDjOMLqNop.mNLLDjOMLqNop | - | unknown
www.microsoft.com | 23.52.120.96 | whitelisted
steamcommunity.com | 104.102.42.29 | whitelisted
t.me | 149.154.167.99 | whitelisted
self.events.data.microsoft.com | 20.50.73.4 | whitelisted
tea.arpdabl.org | 185.107.56.203 | malicious

Threats

PID | Process | Class | Message
3108 | Bathrooms.pif | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
- | - | Malware Command and Control Activity Detected | SUSPICIOUS [ANY.RUN] Used Steam website as a dead drop resolver (DDR)
- | - | Malware Command and Control Activity Detected | SUSPICIOUS [ANY.RUN] Dead Drop Resolver (DDR) inside Telegram Contact
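The network section shows the dead-drop-resolver pattern the two ANY.RUN alerts refer to: a fetch of a public Steam profile and a public Telegram contact page (both whitelisted, both served over TLS from reputable infrastructure), followed by a POST to tea.arpdabl.org, the only domain in the DNS table rated malicious. Below is an added example, not code from the ANY.RUN report, that flags this sequence in constructed request records. The request list is built from the HTTP table above; the timestamps are assumptions (the report shows none), and attributing the steamcommunity.com and t.me fetches to Bathrooms.pif is an assumption based on the "Process communicates with Telegram" signature for PID 3108, since the HTTP table itself shows no PID for those rows.

```python
"""Added example (not code from the ANY.RUN report): detect the dead-drop-resolver
pattern, i.e. a process that reads a public profile page (Steam, Telegram) and
shortly afterwards POSTs to a host that is not one of the well-known hosts it
just read from.

Timestamps and the attribution of the two profile fetches to Bathrooms.pif are
assumptions; hosts and paths are copied from the report's HTTP table."""
import re
from collections import defaultdict

# Constructed records: (seconds since sandbox start [assumed], process, method, host, path)
REQUESTS = [
    (12.0, "MoUsoCoreWorker.exe", "GET", "crl.microsoft.com",
     "/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (40.0, "Bathrooms.pif", "GET", "steamcommunity.com", "/profiles/76561199735694209"),
    (41.5, "Bathrooms.pif", "GET", "t.me", "/puffclou"),
    (43.0, "Bathrooms.pif", "POST", "tea.arpdabl.org", "/"),
    (60.0, "svchost.exe", "POST", "self.events.data.microsoft.com", "/OneCollector/1.0/"),
]

# Public pages commonly used as dead drops; the path shapes are the ones seen in the report.
DDR_HOSTS = {
    "steamcommunity.com": re.compile(r"^/profiles/\d+/?$"),
    "t.me": re.compile(r"^/[A-Za-z0-9_]+/?$"),
}

# POSTs to these hosts are not treated as beacons (tune this list for your estate).
TRUSTED_SUFFIXES = ("microsoft.com", "steamcommunity.com", "t.me")


def is_ddr_fetch(host, path):
    """True when the request reads a profile/contact page on a known dead-drop host."""
    pattern = DDR_HOSTS.get(host.lower())
    return bool(pattern and pattern.match(path))


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """Suffix match on a dot boundary, so 'evil-t.me' does not pass as 't.me'."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_ddr_beacons(requests, window=300.0):
    """Per process: a POST to an untrusted host within `window` seconds after
    one or more dead-drop fetches by the same process."""
    by_proc = defaultdict(list)
    for rec in requests:
        by_proc[rec[1]].append(rec)
    findings = []
    for proc, recs in by_proc.items():
        recs.sort()
        fetches = [r for r in recs if r[2] == "GET" and is_ddr_fetch(r[3], r[4])]
        for ts, _, method, host, path in recs:
            if method != "POST" or is_trusted(host):
                continue
            prior = [f for f in fetches if 0 <= ts - f[0] <= window]
            if prior:
                findings.append({
                    "process": proc,
                    "beacon": host + path,
                    "resolvers": [f[3] + f[4] for f in prior],
                    "seconds_after_last_fetch": round(ts - prior[-1][0], 1),
                })
    return findings


if __name__ == "__main__":
    for f in find_ddr_beacons(REQUESTS):
        print(f"{f['process']}: POST to {f['beacon']} "
              f"{f['seconds_after_last_fetch']}s after reading {', '.join(f['resolvers'])}")
```

The point of correlating by process rather than alerting on the profile fetch alone is that steamcommunity.com and t.me are legitimately visited on most endpoints; what is unusual is a non-browser process reading a fixed profile URL and then beaconing to a domain no other process on the host resolves. In a real deployment the window and the trusted-suffix list need tuning, and the DNS table above gives a second signal for the same event: tea.arpdabl.org is the only name in it that is not whitelisted.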
No debug info