| File name: | creaminstaller.exe |
| Full analysis: | https://app.any.run/tasks/90d976cf-296a-4c4a-b68d-92eab70eb24f |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | September 14, 2024, 19:41:01 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 7F4855E2B5F19C1DF3D5EB38AE53385F |
| SHA1: | 5E27DAB03F27620628BF63B316720F8C5CFE186B |
| SHA256: | 40277A53341A8A6967C8D2EFCEDA6F0D8B2468EA29F7E272DC699876A28E8098 |
| SSDEEP: | 24576:eyF19/4ZiD/ausDpuik7QfsPBCDxzWkSRFuPJRF:eS19/4ZiD/ausDpuik7QfsPBC9zWkSR8 |
MALICIOUS
Actions looks like stealing of personal data
- RegAsm.exe (PID: 4444)
LUMMA has been detected (YARA)
- RegAsm.exe (PID: 4444)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2256)
- RegAsm.exe (PID: 4444)
Connects to the CnC server
- svchost.exe (PID: 2256)
Stealers network behavior
- RegAsm.exe (PID: 4444)
SUSPICIOUS
Executes application which crashes
- creaminstaller.exe (PID: 780)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2256)
INFO
Reads the software policy settings
- RegAsm.exe (PID: 4444)
- WerFault.exe (PID: 5128)
Checks supported languages
- creaminstaller.exe (PID: 780)
- RegAsm.exe (PID: 4444)
Reads the computer name
- RegAsm.exe (PID: 4444)
Reads the machine GUID from the registry
- RegAsm.exe (PID: 4444)
Checks proxy server information
- WerFault.exe (PID: 5128)
Creates files or folders in the user directory
- WerFault.exe (PID: 5128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Lumma
(PID) Process(4444) RegAsm.exe
C2 (8)grandcommonyktsju.xyz
crisisrottenyjs.xyz
sweetcalcutangkdow.xyz
exuberanttjdkwo.xyz
wordingnatturedowo.xyz
qualificationjdwko.xyz
cooperatvassquaidmew.xyz
deadtrainingactioniw.xyz
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:06:27 15:00:22+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.39 |
| CodeSize: | 158208 |
| InitializedDataSize: | 384512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9267 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
129
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 780 | "C:\Users\admin\Desktop\creaminstaller.exe" | C:\Users\admin\Desktop\creaminstaller.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4444 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | creaminstaller.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
Lumma(PID) Process(4444) RegAsm.exe C2 (8)grandcommonyktsju.xyz crisisrottenyjs.xyz sweetcalcutangkdow.xyz exuberanttjdkwo.xyz wordingnatturedowo.xyz qualificationjdwko.xyz cooperatvassquaidmew.xyz deadtrainingactioniw.xyz | |||||||||||||||
| 5128 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 780 -s 712 | C:\Windows\SysWOW64\WerFault.exe | creaminstaller.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6156 | "C:\Users\admin\Desktop\creaminstaller.exe" | C:\Users\admin\Desktop\creaminstaller.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
Total events
9 461
Read events
9 453
Write events
5
Delete events
3
Modification events
| (PID) Process: | (5128) WerFault.exe | Key: | \REGISTRY\A\{6369b12d-b1a9-4349-c8a4-f8986d125833}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (5128) WerFault.exe | Key: | \REGISTRY\A\{6369b12d-b1a9-4349-c8a4-f8986d125833}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5128) WerFault.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | ClockTimeSeconds |
Value: D7E6E56600000000 | |||
| (PID) Process: | (5128) WerFault.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | TickCount |
Value: 30AD120000000000 | |||
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_creaminstaller.e_8c6abd779d7ec1b4d8871f8a4f81a35b6825f16_8525390a_1f16bdb8-3326-4c1c-9a05-c77b9c2f6271\Report.wer | — | |
MD5:— | SHA256:— | |||
| 5128 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\creaminstaller.exe.780.dmp | binary | |
MD5:659E1A731538A606E7C26646F70186E4 | SHA256:4EC4123A92AC2E68962585EB7263BA062FBBDB92A462BF03ADCD75D562FB3854 | |||
| 5128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAA0.tmp.dmp | binary | |
MD5:B72E81DC9BB3B1EC45A8204EB0080C7A | SHA256:528EF3362FE897093DBD019E4BDD40DFD1786E24749DE4642CB7C8BD12E8AD66 | |||
| 5128 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | hiv | |
MD5:99C8CB9677C2DFACB9798302E0358FCE | SHA256:2000A2FCF94F8BCEDF675F7C4DBAD33190FA70CF9891E57A98B5049D383ABAB1 | |||
| 5128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERABAB.tmp.xml | xml | |
MD5:27B5A09D3426DD6801C553859474DEA7 | SHA256:5998B67B9D218E419919CA97BF517D96C772ECEFE471ED55E4CB7E8F6E2EE7A4 | |||
| 5128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB6C.tmp.WERInternalMetadata.xml | xml | |
MD5:4F9B405BE69F1B5F595F19EAF9DC5580 | SHA256:DFA8AB0BBC8E843B120807044D267BC21C02F842F8F674402CE6EFDB94396A53 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
26
DNS requests
15
Threats
20
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6612 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6248 | RUXIMICS.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 188.114.96.3:443 | https://harmfullyelobardek.shop/api | unknown | text | 14 b | — |
— | — | POST | 200 | 188.114.97.3:443 | https://harmfullyelobardek.shop/api | unknown | text | 16.6 Kb | — |
— | — | POST | 200 | 188.114.96.3:443 | https://harmfullyelobardek.shop/api | unknown | text | 14 b | — |
— | — | POST | 200 | 188.114.96.3:443 | https://harmfullyelobardek.shop/api | unknown | text | 14 b | — |
— | — | POST | 200 | 188.114.97.3:443 | https://harmfullyelobardek.shop/api | unknown | text | 14 b | — |
— | — | GET | 200 | 23.67.133.187:443 | https://steamcommunity.com/profiles/76561199722835364 | unknown | html | 33.9 Kb | — |
— | — | POST | 200 | 188.114.96.3:443 | https://harmfullyelobardek.shop/api | unknown | html | 4.29 Kb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6612 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6248 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4444 | RegAsm.exe | 23.67.133.187:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted |
5128 | WerFault.exe | 104.208.16.94:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6612 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4444 | RegAsm.exe | 188.114.96.3:443 | harmfullyelobardek.shop | CLOUDFLARENET | NL | unknown |
2120 | MoUsoCoreWorker.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6248 | RUXIMICS.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
exuberanttjdkwo.xyz |
| malicious |
cooperatvassquaidmew.xyz |
| malicious |
sweetcalcutangkdow.xyz |
| malicious |
crisisrottenyjs.xyz |
| malicious |
wordingnatturedowo.xyz |
| malicious |
grandcommonyktsju.xyz |
| malicious |
qualificationjdwko.xyz |
| malicious |
deadtrainingactioniw.xyz |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) |
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) |
4444 | RegAsm.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
2 ETPRO signatures available at the full report