Windows Analysis Report
LG3adrtYi2.exe

Overview

General Information

Sample name: LG3adrtYi2.exe
renamed because the original name is a hash value
Original sample name: de36bc2bfc3c67820ebd75c912fadc3d.exe
Analysis ID: 1448262
MD5: de36bc2bfc3c67820ebd75c912fadc3d
SHA1: 38bd51e1052ae5bede5293827e87d6f494b204c8
SHA256: 2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16
Tags: 32 exe trojan

Detection

Phorpiex
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for dropped file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LG3adrtYi2.exe Avira: detected
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe ReversingLabs: Detection: 79%
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Virustotal: Detection: 71%
Source: LG3adrtYi2.exe ReversingLabs: Detection: 68%
Source: LG3adrtYi2.exe Virustotal: Detection: 72%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.7% probability
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Joe Sandbox ML: detected

Phishing

Source: Yara match File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: LG3adrtYi2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LG3adrtYi2.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll Jump to behavior
Source: LG3adrtYi2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Code function: 0_2_00F028F0 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathCombineW,Sleep,Sleep,FindNextFileW,FindCloseChangeNotification, 0_2_00F028F0
Note: the call sequence in 0_2_00F028F0 is a directory walk. The two lstrcmpW calls right after FindFirstFileW are consistent with the usual "." and ".." skip, CharLowerW precedes a case-insensitive name or extension comparison, and the Sleep calls sit inside the loop between entries, which throttles the scan and is the same behaviour that trips the long-sleep evasion signatures. This is the function to examine when working out which files the sample touches.
Source: integrator.exe.0.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: VC_redist.x64.exe.0.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: integrator.exe.0.dr String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: integrator.exe.0.dr Binary or memory string: RegisterRawInputDevices memstr_0978e8bc-c

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View Dropped File: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe 334EB73AFEC7E581BC3D755494F1BF1C4164D4DB7671F2581EA0A1E48E94CCBA
Source: Joe Sandbox View Dropped File: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe F6B6E8A5ECEABC8B6D2F96B1999E16034E32AB6A2FDE2254110A61A27817F956
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Mutant created: \Sessions\1\BaseNamedObjects\ 959979
Source: LG3adrtYi2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: integrator.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: Compile Script to .exe (x64).lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: Compile Script to .exe (x86).lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: LG3adrtYi2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LG3adrtYi2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LG3adrtYi2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LG3adrtYi2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LG3adrtYi2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: initial sample Static PE information: section where entry point is pointing to: .zero
Source: VC_redist.x64.exe.0.dr Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.0.dr Static PE information: section name: .zero
Source: integrator.exe.0.dr Static PE information: section name: .zero
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Code function: 0_2_00F03221 push ecx; ret 0_2_00F03234
Source: C:\Users\user\Desktop\LG3adrtYi2.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
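The static findings above (entry point in a section named .zero, the same .zero section present in both dropped files, Avira's W32/Infector.Gen label on the dropped files, and Microsoft build-server PDB paths inside them) are, taken together, consistent with legitimate Microsoft binaries that carry an appended infector section rather than purpose-built droppers; that is an inference from the report's own evidence, not something the report states. The script below is an added example, not part of the Joe Sandbox report or of any tooling it describes: it reproduces the header-only checks behind "Entry point lies outside standard sections" and "PE file contains sections with non-standard names" with nothing but the standard library, and runs on a constructed PE32 header (not the analysed file) whose section layout mirrors the report's. The list of "standard" section names and the writable+executable check are assumptions made for the example.

```python
import struct
import sys

# Section names Microsoft's toolchain normally emits; this allow-list is an assumption
# for the example, not an exhaustive catalogue.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
                     ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".didat"}

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser: machine, entry-point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        raw_name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)        # one IMAGE_SECTION_HEADER
        sections.append({"name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rsize, "chars": chars})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def entry_point_section(data: bytes):
    """Name of the section containing AddressOfEntryPoint, or None if it maps to no section."""
    pe = parse_pe(data)
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def nonstandard_sections(data: bytes) -> list:
    return [s["name"] for s in parse_pe(data)["sections"] if s["name"] not in STANDARD_SECTIONS]


def triage(data: bytes) -> list:
    """Header-only checks behind the report's entry-point and section-name findings."""
    findings = []
    ep = entry_point_section(data)
    if ep is None:
        findings.append("entry point maps to no section")
    elif ep not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {ep}")
    odd = nonstandard_sections(data)
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    for s in parse_pe(data)["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section {s['name']}")
    return findings


def build_sample_pe(entry_rva: int = 0x7010) -> bytes:
    """Constructed PE32 header (not the analysed file): four linker sections plus an
    appended, writable+executable '.zero' section; by default the entry point lands in it."""
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    sections = [  # name, va, vsize, raw_size, raw_ptr, characteristics
        (b".text",  0x1000, 0x3000, 0x3000, 0x400,  rx),
        (b".rdata", 0x4000, 0x1000, 0x1000, 0x3400, IMAGE_SCN_MEM_READ),
        (b".rsrc",  0x5000, 0x1000, 0x1000, 0x4400, IMAGE_SCN_MEM_READ),
        (b".reloc", 0x6000, 0x1000, 0x1000, 0x5400, IMAGE_SCN_MEM_READ),
        (b".zero",  0x7000, 0x2000, 0x2000, 0x6400, rx | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)                                        # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table           # headers only; section bodies are not needed


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("entry point section:", entry_point_section(blob))
    for line in triage(blob):
        print("  -", line)
```

Run it with a file path to check a real 32-bit sample, or with no arguments to see the three findings on the constructed header. An entry point in an appended section is the classic signature of a file infector: the original sections are left intact and execution is redirected into the new tail, which is also why all three files in this report share the same odd section name.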

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LG3adrtYi2.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Thread delayed: delay time: 3600000 ms (one hour per call) Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Window / User API: threadDelayed 1175 Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Window / User API: threadDelayed 7389 Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816 Thread sleep count: 1175 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816 Thread sleep time: -4230000000 ms >= -30000 ms (1175 calls x 3600000 ms, about 1175 hours of requested delay; the negative value denotes a relative delay, and the unit is milliseconds, not seconds) Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816 Thread sleep count: 7389 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LG3adrtYi2.exe TID: 1816 Thread sleep time: -26600400000 ms >= -30000 ms (7389 calls x 3600000 ms, about 7389 hours) Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LG3adrtYi2.exe API call chain: ExitProcess graph end node
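The evasion evidence above reduces to two patterns: a mutex created right before a branch that either sleeps or exits (single-instance gating that also makes a second run look idle), and a thread that issues Sleep(3600000) over and over, 1175 and then 7389 times, so the summed delay (1175 x 3,600,000 ms = 4,230,000,000 ms) is what the sleep-time lines report. The script below is an added example, not part of the report or of Joe Sandbox: it runs both checks over a constructed API trace whose numbers mirror the report, so the arithmetic can be confirmed offline. The trace format, the 30-call and 30,000 ms thresholds (copied from the report's own comparison lines) and the three-call window for the mutex chain are all assumptions made for the example.

```python
from collections import defaultdict

# Thresholds mirroring the report's evidence lines ("sleep count ... > 30",
# "sleep time ... >= 30000"); taken as assumptions here, not documented Joe Sandbox constants.
COUNT_THRESHOLD = 30
TOTAL_MS_THRESHOLD = 30_000
MS_PER_HOUR = 3_600_000


def build_sample_trace() -> list:
    """Constructed API trace (not captured from the sample). Thread 1816 creates the
    mutex, then loops Sleep(3600000) 1175 times; thread 2000 walks a directory with
    one short sleep, the kind of activity a sleep rule should not flag."""
    trace = [
        {"tid": 1816, "api": "CreateMutexW", "args": {"name": "959979"}},
        {"tid": 1816, "api": "GetLastError", "args": {}},
    ]
    trace += [{"tid": 1816, "api": "Sleep", "args": {"ms": MS_PER_HOUR}} for _ in range(1175)]
    trace += [
        {"tid": 2000, "api": "FindFirstFileW", "args": {"path": "C:\\ProgramData\\*"}},
        {"tid": 2000, "api": "Sleep", "args": {"ms": 50}},
        {"tid": 2000, "api": "FindNextFileW", "args": {}},
    ]
    return trace


def sleep_stats(trace: list) -> dict:
    """Per-thread (call count, total requested delay in ms) over Sleep/SleepEx calls."""
    stats = defaultdict(lambda: [0, 0])
    for ev in trace:
        if ev["api"] in ("Sleep", "SleepEx"):
            stats[ev["tid"]][0] += 1
            stats[ev["tid"]][1] += ev["args"]["ms"]
    return {tid: (count, total) for tid, (count, total) in stats.items()}


def flag_sleep_evasion(trace: list, count_threshold: int = COUNT_THRESHOLD,
                       total_ms_threshold: int = TOTAL_MS_THRESHOLD) -> list:
    """Threads whose sleep count or summed delay crosses the thresholds, with the delay in hours."""
    findings = []
    for tid, (count, total_ms) in sorted(sleep_stats(trace).items()):
        if count > count_threshold or total_ms >= total_ms_threshold:
            findings.append({"tid": tid, "count": count, "total_ms": total_ms,
                             "total_hours": total_ms / MS_PER_HOUR})
    return findings


def mutex_gate_chains(trace: list, window: int = 3) -> list:
    """CreateMutex* followed, within `window` calls on the same thread, by Sleep or
    ExitProcess: the shape the report labels 'CreateMutex,DecisionNodes,Sleep/ExitProcess'.
    The decision in between is normally a GetLastError == ERROR_ALREADY_EXISTS check."""
    per_thread = defaultdict(list)
    for ev in trace:
        per_thread[ev["tid"]].append(ev["api"])
    chains = []
    for tid, apis in per_thread.items():
        for i, api in enumerate(apis):
            if not api.startswith("CreateMutex"):
                continue
            for follow in apis[i + 1:i + 1 + window]:
                if follow in ("Sleep", "SleepEx", "ExitProcess"):
                    chains.append((tid, api, follow))
                    break
    return chains


if __name__ == "__main__":
    t = build_sample_trace()
    for f in flag_sleep_evasion(t):
        print(f"TID {f['tid']}: {f['count']} sleeps, {f['total_ms']} ms total (~{f['total_hours']:.0f} h)")
    print("mutex gates:", mutex_gate_chains(t))
```

When re-running a sample like this one, the practical consequence is that a default sandbox timeout never reaches the post-sleep code; either hook Sleep/NtDelayExecution to shorten the delay or expect the run to end with the dropped files never executed, which is exactly what the report shows.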

Anti Debugging

Source: C:\Users\user\Desktop\LG3adrtYi2.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Code function: 0_2_00F03358 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00F03358
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Code function: 0_2_00F01D30 mov eax, dword ptr fs:[00000030h] 0_2_00F01D30
Source: C:\Users\user\Desktop\LG3adrtYi2.exe Code function: 0_2_00F03288 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00F03288
Note: the two API chains above are stock MSVC CRT code that every /GS-compiled binary carries. The IsDebuggerPresent ... GetCurrentProcess, TerminateProcess sequence in 0_2_00F03358 is the CRT's stack-cookie failure handler (__report_gsfailure), and the GetSystemTimeAsFileTime ... QueryPerformanceCounter sequence in 0_2_00F03288 is __security_init_cookie seeding that cookie, so neither is bespoke anti-debugging. The fs:[30h] load in 0_2_00F01D30 reads the PEB and is the one item here worth inspecting by hand; compiler-generated and CRT code also reach the PEB this way for ordinary reasons, so confirm which PEB field is consumed before treating it as a BeingDebugged check.

Remote Access Functionality

Source: Yara match File source: LG3adrtYi2.exe, type: SAMPLE
Source: Yara match File source: 0.0.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LG3adrtYi2.exe.f00000.0.unpack, type: UNPACKEDPE
No contacted IP information.