| File name: | Update_131.1233.24.msi |
| Full analysis: | https://app.any.run/tasks/b716a2b6-5e3c-412a-9aa1-b6ecc05cb22a |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | December 11, 2024, 09:24:10 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Incognito, Author: Malate Linchpin, Keywords: Installer, Comments: This installer database contains the logic and data required to install Incognito., Template: Intel;1033, Revision Number: {050CB52B-4B8C-4B43-9B6E-CED1A18596EE}, Create Time/Date: Mon Dec 9 02:29:28 2024, Last Saved Time/Date: Mon Dec 9 02:29:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
| MD5: | 396C6C0ECAD4BBE1C61393C0ED041F57 |
| SHA1: | 3B6C7FB5A47C8B53E6CBB2A76FF95FE54791B574 |
| SHA256: | 69FA440F6F1CC7F95EFB40C5BBB2C5D197AA2CB7BC9DFA7F1E9744C86AEF7BB2 |
| SSDEEP: | 98304:dZvStqESW1TPabNpJ/lgmqZEBmYBuJDUpE6iJE6uXIxERad9Vd3iiqz+ELcDjBWU:iwEatEnt |
MALICIOUS
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2192)
Connects to the CnC server
- svchost.exe (PID: 2192)
SUSPICIOUS
Reads the Windows owner or organization settings
- msiexec.exe (PID: 5004)
Starts CMD.EXE for commands execution
- iScrPaint.exe (PID: 5460)
Executes as Windows Service
- VSSVC.exe (PID: 2092)
Starts itself from another location
- iScrPaint.exe (PID: 5540)
Executable content was dropped or overwritten
- iScrPaint.exe (PID: 5540)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2192)
INFO
Reads the computer name
- msiexec.exe (PID: 5004)
- iScrPaint.exe (PID: 5540)
- iScrPaint.exe (PID: 5460)
The sample compiled with english language support
- msiexec.exe (PID: 6012)
- msiexec.exe (PID: 5004)
- iScrPaint.exe (PID: 5540)
Manages system restore points
- SrTasks.exe (PID: 648)
Reads the software policy settings
- explorer.exe (PID: 3152)
Checks supported languages
- msiexec.exe (PID: 5004)
- iScrPaint.exe (PID: 5540)
- iScrPaint.exe (PID: 5460)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5004)
Creates files or folders in the user directory
- iScrPaint.exe (PID: 5540)
Creates a software uninstall entry
- msiexec.exe (PID: 5004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Installer (100) |
|---|
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Incognito |
| Author: | Malate Linchpin |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Incognito. |
| Template: | Intel;1033 |
| RevisionNumber: | {050CB52B-4B8C-4B43-9B6E-CED1A18596EE} |
| CreateDate: | 2024:12:09 02:29:28 |
| ModifyDate: | 2024:12:09 02:29:28 |
| Pages: | 500 |
| Words: | 10 |
| Software: | WiX Toolset (4.0.0.0) |
| Security: | Read-only recommended |
Total processes
121
Monitored processes
11
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 648 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 716 | C:\WINDOWS\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | — | iScrPaint.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2092 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3152 | C:\WINDOWS\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4500 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5004 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5460 | C:\Users\admin\AppData\Roaming\BeaconwriterYDGv3\iScrPaint.exe | C:\Users\admin\AppData\Roaming\BeaconwriterYDGv3\iScrPaint.exe | — | iScrPaint.exe | |||||||||||
User: admin Company: iTop Inc. Integrity Level: MEDIUM Description: iTop Screen Recorder Exit code: 1 Version: 3.0.0.945 Modules
| |||||||||||||||
| 5540 | "C:\Users\admin\AppData\Local\Haji\iScrPaint.exe" | C:\Users\admin\AppData\Local\Haji\iScrPaint.exe | msiexec.exe | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: MEDIUM Description: iTop Screen Recorder Exit code: 0 Version: 3.0.0.945 Modules
| |||||||||||||||
| 5880 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 051
Read events
5 788
Write events
245
Delete events
18
Modification events
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 480000000000000027086188AE4BDB018C130000A8170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 480000000000000027086188AE4BDB018C130000A8170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 48000000000000000C86B488AE4BDB018C130000A8170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 48000000000000000C86B488AE4BDB018C130000A8170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000072D6B688AE4BDB018C130000A8170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 480000000000000071A0BB88AE4BDB018C130000A8170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000CE723089AE4BDB018C130000A8170000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5004) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000007DD73289AE4BDB018C130000C8040000E80300000100000000000000000000002E46A14DCC73FB4EB21D4071A5CB9DF700000000000000000000000000000000 | |||
| (PID) Process: | (2092) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 480000000000000063663C89AE4BDB012C080000C4140000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
4
Suspicious files
13
Text files
0
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5004 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{4da1462e-73cc-4efb-b21d-4071a5cb9df7}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\Windows\Installer\13f82e.msi | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\Windows\Temp\~DF846F1F1A28973FD6.TMP | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\Windows\Installer\13f830.msi | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\Windows\Temp\~DF48872CFDFF8B438D.TMP | — | |
MD5:— | SHA256:— | |||
| 5004 | msiexec.exe | C:\Windows\Installer\MSIFAED.tmp | binary | |
MD5:5131C55B684F96EDA0A0D225009C3948 | SHA256:5CAC1A967954E934D32DA185BBA3748CF9F6BF423AA9041A3B512BB97D0E0440 | |||
| 5004 | msiexec.exe | C:\Users\admin\AppData\Local\Haji\wlo | binary | |
MD5:8029EBE35063D6BBC5905A0F35423041 | SHA256:2C3F579E9D1B48D6D46D6BF4332A23EFC81735A46A463537A235551033D31B47 | |||
| 5004 | msiexec.exe | C:\Config.Msi\13f82f.rbs | binary | |
MD5:EA69A3540770223FCC3D9F5EECC07EAF | SHA256:E545755C29B987394075BEA145ABDB8D525CE0F5F4793FA4B8A7FBF5925085D0 | |||
| 5004 | msiexec.exe | C:\Windows\Temp\~DFFAEF88CECB80CA83.TMP | binary | |
MD5:C9C8DB5E98D5317D1A40882C09E47DE3 | SHA256:6A52AE46B792238150C0A3BB4BCA11C890E17ADB3BE47FCCB2114F410763BD43 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
15
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 34.3 Kb | whitelisted |
1356 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 188.114.97.3:443 | https://gradefuture.click/api | unknown | text | 17 b | unknown |
— | — | POST | 200 | 188.114.97.3:443 | https://covery-mover.biz/api | unknown | text | 17 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 104.126.37.131:443 | — | Akamai International B.V. | DE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1356 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3152 | explorer.exe | 188.114.96.3:443 | gradefuture.click | CLOUDFLARENET | NL | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
gradefuture.click |
| unknown |
se-blurry.biz |
| malicious |
zinc-sneark.biz |
| malicious |
dwell-exclaim.biz |
| malicious |
formy-spill.biz |
| malicious |
covery-mover.biz |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Suspected Malicious Domain by Cloudflare (zinc-sneark .biz) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) |
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) |
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) |
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) |