Edit tour
Windows
Analysis Report
lgX7lgUL1w.exe
Overview
General Information
| Sample name: | lgX7lgUL1w.exerenamed because original name is a hash value |
| Original sample name: | 7ff8c26a36f5a4566990745dff1594f3.exe |
| Analysis ID: | 1447097 |
| MD5: | 7ff8c26a36f5a4566990745dff1594f3 |
| SHA1: | 5d73bbd168fb9b1e43051340a415d95f28c40f4d |
| SHA256: | fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813 |
| Tags: | 64exetrojan |
| Infos: |   |
 | |
Detection
Neoreklami, PureLog Stealer, SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Neoreklami
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies Windows Defender protection settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
lgX7lgUL1w.exe (PID: 968 cmdline: "C:\Users\ user\Deskt op\lgX7lgU L1w.exe" MD5: 7FF8C26A36F5A4566990745DFF1594F3) 
conhost.exe (PID: 6748 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 5760 cmdline: C:\Windows \system32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath $env:UserP rofile MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5340 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - AddInProcess32.exe (PID: 3960 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C) 
xJOdjN6fVDYC0Ta4cXD9JBiF.exe (PID: 7280 cmdline: "C:\Users\ user\Pictu res\xJOdjN 6fVDYC0Ta4 cXD9JBiF.e xe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13) 
PZ3hKWPffUrXuh6Gjn77Ivv1.exe (PID: 7308 cmdline: "C:\Users\ user\Pictu res\PZ3hKW PffUrXuh6G jn77Ivv1.e xe" MD5: C5A6381354CD5D1488E362C9103C1851) 
explorer.exe (PID: 4056 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 
iYU7jmLL0jPLxgjctxjq1ReZ.exe (PID: 7964 cmdline: "C:\Users\ user\Pictu res\iYU7jm LL0jPLxgjc txjq1ReZ.e xe" MD5: 53D14BD638C98C210E391151A8D3BCCC) - Install.exe (PID: 8020 cmdline:
.\Install. exe /odidu m "385118" /S MD5: 220A02A940078153B4063F42F206087B) - cmd.exe (PID: 8076 cmdline:
"C:\Window s\System32 \cmd.exe" /C forfile s /p c:\wi ndows\syst em32 /m wh ere.exe /c "cmd /C r eg add \"H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction\" /f /v 214 7735503 /t REG_SZ /d 6" & forf iles /p c: \windows\s ystem32 /m calc.exe /c "cmd /C reg add \ "HKLM\SOFT WARE\Polic ies\Micros oft\Window s Defender \Threats\T hreatIDDef aultAction \" /f /v 2 147814524 /t REG_SZ /d 6" & fo rfiles /p c:\windows \system32 /m where.e xe /c "cmd /C reg ad d \"HKLM\S OFTWARE\Po licies\Mic rosoft\Win dows Defen der\Threat s\ThreatID DefaultAct ion\" /f / v 21477801 99 /t REG_ SZ /d 6" & forfiles /p c:\wind ows\system 32 /m wait for.exe /c "cmd /C r eg add \"H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction\" /f /v 214 7812831 /t REG_SZ /d 6" & forf iles /p c: \windows\s ystem32 /m help.exe /c "cmd /C powershel l start-pr ocess -Win dowStyle H idden gpup date.exe / force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - forfiles.exe (PID: 8144 cmdline:
forfiles / p c:\windo ws\system3 2 /m where .exe /c "c md /C reg add \"HKLM \SOFTWARE\ Policies\M icrosoft\W indows Def ender\Thre ats\Threat IDDefaultA ction\" /f /v 214773 5503 /t RE G_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 8160 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 8176 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 2408 cmdline:
forfiles / p c:\windo ws\system3 2 /m calc. exe /c "cm d /C reg a dd \"HKLM\ SOFTWARE\P olicies\Mi crosoft\Wi ndows Defe nder\Threa ts\ThreatI DDefaultAc tion\" /f /v 2147814 524 /t REG _SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 7428 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147814524 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 1352 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 814524 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 8160 cmdline:
forfiles / p c:\windo ws\system3 2 /m where .exe /c "c md /C reg add \"HKLM \SOFTWARE\ Policies\M icrosoft\W indows Def ender\Thre ats\Threat IDDefaultA ction\" /f /v 214778 0199 /t RE G_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 2936 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147780199 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 6132 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 780199 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 6132 cmdline:
forfiles / p c:\windo ws\system3 2 /m waitf or.exe /c "cmd /C re g add \"HK LM\SOFTWAR E\Policies \Microsoft \Windows D efender\Th reats\Thre atIDDefaul tAction\" /f /v 2147 812831 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 8148 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147812831 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 5988 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 812831 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 1460 cmdline:
forfiles / p c:\windo ws\system3 2 /m help. exe /c "cm d /C power shell star t-process -WindowSty le Hidden gpupdate.e xe /force" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 7836 cmdline:
/C powersh ell start- process -W indowStyle Hidden gp update.exe /force MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - powershell.exe (PID: 5468 cmdline:
powershell start-pr ocess -Win dowStyle H idden gpup date.exe / force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - forfiles.exe (PID: 7248 cmdline:
"C:\Window s\System32 \forfiles. exe" /p c: \windows\s ystem32 /m where.exe /c "cmd / C powershe ll -Window Style Hidd en WMIC /N AMESPACE:\ \root\Micr osoft\Wind ows\Defend er PATH MS FT_MpPrefe rence call Add Exclu sionExtens ion=exe Fo rce=True" MD5: D95C443851F70F77427B3183B1619DD3) - conhost.exe (PID: 3180 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1456 cmdline:
/C powersh ell -Windo wStyle Hid den WMIC / NAMESPACE: \\root\Mic rosoft\Win dows\Defen der PATH M SFT_MpPref erence cal l Add Excl usionExten sion=exe F orce=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - powershell.exe (PID: 7696 cmdline:
powershell -WindowSt yle Hidden WMIC /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
WMIC.exe (PID: 6476 cmdline: "C:\Window s\System32 \Wbem\WMIC .exe" /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: E2DE6500DE1148C7F6027AD50AC8B891) - schtasks.exe (PID: 8276 cmdline:
schtasks / CREATE /TN "bbmnnUCI PYyTQrzMQJ " /SC once /ST 05:30 :00 /RU "S YSTEM" /TR "\"C:\Use rs\user~1\ AppData\Lo cal\Temp\7 zSA05C.tmp \Install.e xe\" it /f MDdidlBgf 385118 /S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 8284 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
c12YwoiQ34lE0LgBRkxJOClX.exe (PID: 7984 cmdline: "C:\Users\ user\Pictu res\c12Ywo iQ34lE0LgB RkxJOClX.e xe" MD5: F0587649682207064554A2372966435D) - E6ijlcXzCqRG7r61JO0b9evs.exe (PID: 8028 cmdline:
"C:\Users\ user\Pictu res\E6ijlc XzCqRG7r61 JO0b9evs.e xe" MD5: C5A6381354CD5D1488E362C9103C1851) 
WerFault.exe (PID: 648 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 8 028 -s 356 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 7336 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 7372 cmdline:
C:\Windows \system32\ SgrmBroker .exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- svchost.exe (PID: 7412 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7456 cmdline:
C:\Windows \system32\ svchost.ex e -k Unist ackSvcGrou p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7472 cmdline:
C:\Windows \System32\ svchost.ex e -k wsapp x -p -s Cl ipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7488 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s U soSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7668 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 2916 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 2356 cmdline:
C:\Windows \System32\ svchost.ex e -k NetSv cs -p -s N caSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6632 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -s WPD BusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6816 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 8152 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 8188 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 476 -p 80 28 -ip 802 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 5868 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
| |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
| |
| Click to see the 8 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||