analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup-lightshot.exe

Full analysis: https://app.any.run/tasks/4e88b4ad-30ba-4a27-8a8c-e0a95ba46814
Verdict: Malicious activity
Analysis date: July 18, 2019, 13:09:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

18A6E22D8F806F6757D5796FE08B37F0

SHA1:

6A99D9BAC7B24D1C7843E9E8AE6BFF1968AD0FBE

SHA256:

455B17124A474BFA512580BA9BCD275DC8E1119482AD604B83B3CB5611A6F73F

SSDEEP:

49152:cZs5nVhJbEh/kstfItGWY1XF4msYrDvxDIskHUlx88vKdbUM:is5nVnbYMQAtGWonb5okeQMP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • setup-lightshot.tmp (PID: 2788)

    • Application was dropped or rewritten from another process

      • Lightshot.exe (PID: 2752)
      • Lightshot.exe (PID: 896)
      • Updater.exe (PID: 2868)
      • Updater.exe (PID: 3040)
      • Updater.exe (PID: 3304)
      • Updater.exe (PID: 3972)
      • updater.exe (PID: 2988)
      • Updater.exe (PID: 2600)
      • updater.exe (PID: 2228)
      • updater.exe (PID: 3668)
      • updater.exe (PID: 2364)
      • Lightshot.exe (PID: 2468)
      • Lightshot.exe (PID: 2956)
      • Lightshot.exe (PID: 3676)
      • Lightshot.exe (PID: 3936)

    • Loads dropped or rewritten executable

      • Lightshot.exe (PID: 2752)

    • Loads the Task Scheduler DLL interface

      • Updater.exe (PID: 2868)
      • updater.exe (PID: 2988)

    • Starts NET.EXE for service management

      • setupupdater.tmp (PID: 1952)

    • Changes settings of System certificates

      • Updater.exe (PID: 2600)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup-lightshot.exe (PID: 2164)
      • setup-lightshot.exe (PID: 3748)
      • setup-lightshot.tmp (PID: 2788)
      • setupupdater.exe (PID: 1312)
      • setupupdater.tmp (PID: 1952)

    • Reads Windows owner or organization settings

      • setup-lightshot.tmp (PID: 2788)
      • setupupdater.tmp (PID: 1952)

    • Uses TASKKILL.EXE to kill process

      • setup-lightshot.tmp (PID: 2788)

    • Reads the Windows organization settings

      • setup-lightshot.tmp (PID: 2788)
      • setupupdater.tmp (PID: 1952)

    • Creates files in the Windows directory

      • Updater.exe (PID: 2868)
      • updater.exe (PID: 2988)

    • Creates files in the program directory

      • Updater.exe (PID: 3304)

    • Starts Internet Explorer

      • setup-lightshot.tmp (PID: 2608)

    • Creates files in the user directory

      • Updater.exe (PID: 2600)
      • Updater.exe (PID: 3304)

    • Adds / modifies Windows certificates

      • Updater.exe (PID: 2600)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2396)

  • INFO

    • Application was dropped or rewritten from another process

      • setup-lightshot.tmp (PID: 2788)
      • setup-lightshot.tmp (PID: 2608)
      • setupupdater.exe (PID: 1312)
      • setupupdater.tmp (PID: 1952)

    • Creates a software uninstall entry

      • setup-lightshot.tmp (PID: 2788)

    • Creates files in the program directory

      • setup-lightshot.tmp (PID: 2788)
      • setupupdater.tmp (PID: 1952)

    • Creates files in the user directory

      • iexplore.exe (PID: 2416)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2396)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 3072)

    • Application launched itself

      • iexplore.exe (PID: 3072)

    • Changes internet zones settings

      • iexplore.exe (PID: 3072)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2416)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3072)

    • Manual execution by user

      • Lightshot.exe (PID: 2956)
      • Lightshot.exe (PID: 3936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

ProductVersion: 5.4.0.35
ProductName: lightshot
LegalCopyright:
FileVersion: 5.4.0.35
FileDescription: lightshot Setup
CompanyName: Skillbrains
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.4.0.35
FileVersionNumber: 5.4.0.35
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: 6
OSVersion: 5
EntryPoint: 0x117dc
UninitializedDataSize: -
InitializedDataSize: 419328
CodeSize: 66560
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2016:04:06 16:39:04+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Apr-2016 14:39:04
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: Skillbrains
FileDescription: lightshot Setup
FileVersion: 5.4.0.35
LegalCopyright: -
ProductName: lightshot
ProductVersion: 5.4.0.35

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 06-Apr-2016 14:39:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000F244
0x0000F400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.37521
.itext
0x00011000
0x00000F64
0x00001000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.7322
.data
0x00012000
0x00000C88
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.29672
.bss
0x00013000
0x000056BC
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00019000
0x00000E04
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.59781
.tls
0x0001A000
0x00000008
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x0001B000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.204488
.rsrc
0x0001C000
0x00064408
0x00064600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.90551

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.13965
1580
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.19827
4264
Latin 1 / Western European
English - United States
RT_ICON
3
5.06785
9640
Latin 1 / Western European
English - United States
RT_ICON
4
4.91542
16936
Latin 1 / Western European
English - United States
RT_ICON
5
4.75811
67624
Latin 1 / Western European
English - United States
RT_ICON
6
4.65633
270376
Latin 1 / Western European
English - United States
RT_ICON
4091
2.56031
104
Latin 1 / Western European
UNKNOWN
RT_STRING
4092
3.25287
212
Latin 1 / Western European
UNKNOWN
RT_STRING
4093
3.26919
164
Latin 1 / Western European
UNKNOWN
RT_STRING
4094
3.33268
684
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
kernel32.dll
oleaut32.dll
user32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
28
Malicious processes
5
Suspicious processes
8

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start setup-lightshot.exe setup-lightshot.tmp no specs setup-lightshot.exe setup-lightshot.tmp taskkill.exe no specs taskkill.exe no specs lightshot.exe no specs lightshot.exe no specs setupupdater.exe setupupdater.tmp net.exe no specs net1.exe no specs updater.exe no specs updater.exe no specs updater.exe updater.exe no specs updater.exe updater.exe no specs updater.exe no specs updater.exe no specs updater.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs lightshot.exe no specs lightshot.exe no specs lightshot.exe no specs lightshot.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3748"C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe" C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe
explorer.exe
User:
admin
Company:
Skillbrains
Integrity Level:
MEDIUM
Description:
lightshot Setup
Exit code:
0
Version:
5.4.0.35
2608"C:\Users\admin\AppData\Local\Temp\is-T8LRP.tmp\setup-lightshot.tmp" /SL5="$60128,2096383,486912,C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe" C:\Users\admin\AppData\Local\Temp\is-T8LRP.tmp\setup-lightshot.tmpsetup-lightshot.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
2164"C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe" /SPAWNWND=$5018C /NOTIFYWND=$60128 C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe
setup-lightshot.tmp
User:
admin
Company:
Skillbrains
Integrity Level:
HIGH
Description:
lightshot Setup
Exit code:
0
Version:
5.4.0.35
2788"C:\Users\admin\AppData\Local\Temp\is-B88G4.tmp\setup-lightshot.tmp" /SL5="$70156,2096383,486912,C:\Users\admin\AppData\Local\Temp\setup-lightshot.exe" /SPAWNWND=$5018C /NOTIFYWND=$60128 C:\Users\admin\AppData\Local\Temp\is-B88G4.tmp\setup-lightshot.tmp
setup-lightshot.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3064"C:\Windows\System32\taskkill.exe" /f /im lightshot.exeC:\Windows\System32\taskkill.exesetup-lightshot.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2504"taskkill.exe" /F /IM lightshot.exeC:\Windows\system32\taskkill.exesetup-lightshot.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
896"C:\Program Files\Skillbrains\lightshot\Lightshot.exe"C:\Program Files\Skillbrains\lightshot\Lightshot.exesetup-lightshot.tmp
User:
admin
Integrity Level:
MEDIUM
Description:
Starter Module
Exit code:
0
Version:
1, 0, 0, 1
2752"C:\Program Files\Skillbrains\lightshot\5.4.0.35\Lightshot.exe" C:\Program Files\Skillbrains\lightshot\5.4.0.35\Lightshot.exeLightshot.exe
User:
admin
Company:
Skillbrains
Integrity Level:
MEDIUM
Description:
Lightshot
Version:
5.4.0.1
1312"C:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\setupupdater.exe" /verysilentC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\setupupdater.exe
setup-lightshot.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
updater Setup
Exit code:
0
Version:
1.8.0.0
1952"C:\Users\admin\AppData\Local\Temp\is-73PS6.tmp\setupupdater.tmp" /SL5="$30154,490430,120832,C:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\setupupdater.exe" /verysilentC:\Users\admin\AppData\Local\Temp\is-73PS6.tmp\setupupdater.tmp
setupupdater.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Total events
1 568
Read events
1 361
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
6
Text files
121
Unknown types
11

Dropped files

PID
Process
Filename
Type
2788setup-lightshot.tmpC:\Program Files\Skillbrains\lightshot\is-UMKB9.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-NIH2T.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-AU2B5.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-MI8FO.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-5UUEV.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-0L8KA.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-48GTA.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-KHDHI.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-BO4R2.tmp
MD5:
SHA256:
2788setup-lightshot.tmpC:\Users\admin\AppData\Local\Temp\is-3FI61.tmp\is-D99VN.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2788
setup-lightshot.tmp
GET
200
172.217.18.110:80
http://www.google-analytics.com/__utm.gif?&utmn=2834658&utmwv=4.4sh&utmp=Lightshot/Install%20version/5.4.0.35&utmac=UA-11927135-1&utmcc=__utma%3D1.32755658.1.1.1.1
US
image
35 b
whitelisted
3304
Updater.exe
GET
200
172.217.18.110:80
http://www.google-analytics.com/__utm.gif?utmwv=4.4sh&utmac=UA-38715315-1&utmp=%2FUpdater%2Fusr%2FAddProduct%2Fupdater&utmcc=__utma%3D1.53841563455386.1563455386..1563455386.1&utmn=53841563455386&utmsc=32-bit&utmsr=1280x720
US
image
35 b
whitelisted
2600
Updater.exe
GET
200
172.217.18.110:80
http://www.google-analytics.com/__utm.gif?utmwv=4.4sh&utmac=UA-38715315-1&utmp=%2FUpdater%2Fusr%2FPing&utmcc=__utma%3D1.53841563455386.1563455386..1563455387.2&utmn=53871563455387&utmsc=32-bit&utmsr=1280x720
US
image
35 b
whitelisted
2600
Updater.exe
GET
200
104.20.13.105:80
http://updater.prntscr.com/getver/updater?ping=true
US
xml
148 b
whitelisted
2788
setup-lightshot.tmp
GET
200
172.217.18.110:80
http://www.google-analytics.com/__utm.gif?&utmn=4791670&utmwv=4.4sh&utmp=Lightshot/Language/english&utmac=UA-11927135-1&utmcc=__utma%3D1.32755658.1.1.1.1
US
image
35 b
whitelisted
2788
setup-lightshot.tmp
GET
200
172.217.18.110:80
http://www.google-analytics.com/__utm.gif?&utmn=3867685&utmwv=4.4sh&utmp=Lightshot/General%20Installation/default&utmac=UA-11927135-1&utmcc=__utma%3D1.32755658.1.1.1.1
US
image
35 b
whitelisted
2416
iexplore.exe
GET
301
104.20.13.105:80
http://app.prntscr.com/thankyou_desktop.html
US
html
178 b
whitelisted
3072
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3304
Updater.exe
172.217.18.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
2600
Updater.exe
172.217.18.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
2364
updater.exe
172.217.18.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
2600
Updater.exe
77.88.21.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
3304
Updater.exe
77.88.21.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
2788
setup-lightshot.tmp
172.217.18.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
2600
Updater.exe
104.20.13.105:80
updater.prntscr.com
Cloudflare Inc
US
shared
2416
iexplore.exe
172.217.18.110:443
www.google-analytics.com
Google Inc.
US
whitelisted
2416
iexplore.exe
104.20.13.105:443
updater.prntscr.com
Cloudflare Inc
US
shared
3072
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 172.217.18.110
whitelisted
updater.prntscr.com
  • 104.20.13.105
  • 104.20.14.105
whitelisted
mc.yandex.ru
  • 77.88.21.119
  • 87.250.250.119
  • 87.250.251.119
  • 93.158.134.119
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
app.prntscr.com
  • 104.20.13.105
  • 104.20.14.105
whitelisted
st.prntscr.com
  • 104.20.14.105
  • 104.20.13.105
whitelisted

Threats

PID
Process
Class
Message
2600
Updater.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
setup-lightshot.exe