File name: SET_UP.exe
Full analysis: https://app.any.run/tasks/83aa7ada-0a3d-4ca3-82ee-e98e12773558
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: December 14, 2024, 12:16:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autoit, stealer, lumma, autoit-loader
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 3D7985D235DDDD50133C9CB4D05E93CF
SHA1: F4760735FAC36EE4453905208EE47589526A30C7
SHA256: 7FEB04DD3086C567C461E43A682DD1BFDF1CDE3C8F37338A87656FC81A23BA5D
SSDEEP: 98304:4W0JMnH6lSPaAny7ahqeITAUa/TsEnLz5hxBBDgS8BQX/N5qjtGm5IcDP:QMjX1mlP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • LUMMA mutex has been found
      • Stored.com (PID: 8)
    • Steals credentials from Web Browsers
      • Stored.com (PID: 8)
    • Actions look like stealing of personal data
      • Stored.com (PID: 8)
    • LUMMA has been detected (SURICATA)
      • svchost.exe (PID: 2192)
    • AutoIt loader has been detected (YARA)
      • Stored.com (PID: 8)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • SET_UP.exe (PID: 4132)
    • Executes commands from a ".cmd" file
      • SET_UP.exe (PID: 4132)
    • Starts CMD.EXE for command execution
      • SET_UP.exe (PID: 4132)
      • cmd.exe (PID: 2972)
    • Uses 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 2972)
    • Gets information on the list of running processes
      • cmd.exe (PID: 2972)
    • Application launched itself
      • cmd.exe (PID: 2972)
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 2972)
    • An executable file from the user directory is run by the CMD process
      • Stored.com (PID: 8)
    • Starts the AutoIt3 executable file
      • cmd.exe (PID: 2972)
    • Starts an application with an unusual extension
      • cmd.exe (PID: 2972)
    • Contacts a server suspected of hosting a CnC
      • svchost.exe (PID: 2192)
  • INFO
    • Checks supported languages
      • SET_UP.exe (PID: 4132)
      • Stored.com (PID: 8)
    • The process uses the downloaded file
      • SET_UP.exe (PID: 4132)
    • Process checks computer location settings
      • SET_UP.exe (PID: 4132)
    • Reads the computer name
      • SET_UP.exe (PID: 4132)
      • Stored.com (PID: 8)
    • Creates a new folder
      • cmd.exe (PID: 3612)
    • Creates files in a temporary directory
      • SET_UP.exe (PID: 4132)
    • Reads mouse settings
      • Stored.com (PID: 8)
    • Reads the machine GUID from the registry
      • Stored.com (PID: 8)
    • Reads the software policy settings
      • Stored.com (PID: 8)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:20:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 511488
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 121
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain shown in the graph (root "start"; "no specs" means the process triggered no signatures): set_up.exe (no specs), cmd.exe, conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), Stored.com (#LUMMA), choice.exe (no specs), svchost.exe (#LUMMA)

Process information (PID | CMD | Path | Parent process)
PID 8 | CMD: Stored.com U | Path: C:\Users\admin\AppData\Local\Temp\516983\Stored.com | Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script (Beta)
Exit code: 0
Version: 3, 3, 15, 5
Modules (Images):
c:\users\admin\appdata\local\temp\516983\stored.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID 188 | CMD: findstr /V "ProposedKellyChampionCouldMinistryPhotographersNotFruit" Permitted | Path: C:\Windows\SysWOW64\findstr.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 396 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1356 | CMD: cmd /c copy /b ..\Imposed + ..\Wellington + ..\Object + ..\Installations + ..\Loaded + ..\Hdtv U | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1744 | CMD: choice /d y /t 5 | Path: C:\Windows\SysWOW64\choice.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1804 | CMD: tasklist | Path: C:\Windows\SysWOW64\tasklist.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 2972 | CMD: "C:\Windows\System32\cmd.exe" /c copy Figured Figured.cmd && Figured.cmd | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: SET_UP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 3612 | CMD: cmd /c md 516983 | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 4132 | CMD: "C:\Users\admin\Desktop\SET_UP.exe" | Path: C:\Users\admin\Desktop\SET_UP.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\set_up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 972
Read events: 3 972
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 16
Text files: 2
Unknown types: 0

Dropped files (PID | Process | Filename | Type)
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Had | binary
MD5:8402510886C8CEB4FD093BBAFA8F452B
SHA256:68B1859430203661F8D31A767909364F645DA1944D6FD0C4CD4EA79C2F2C6212
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Installations | pgc
MD5:D028BA6B6939326C7BD30516E21E4FF4
SHA256:7C1AA8EC4C791E4DB7CE1D95DB8C9DF75BAAC3BFB0CB0F1EC56064C88D09BC0D
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Locator | abr
MD5:85E9FAB9AB9A2CE1935F980078995C7B
SHA256:0392E54997947D4E6AC2A5A919F18699DB82524DA641AA913B9E360BB2A1D7DF
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Permitted | binary
MD5:443F5628E48F754B7751D344B9C4C88A
SHA256:5339E4495D03B9301B7D15424DB91B68B7E84B3DCF769B5F44B7CAF7FAB66DE4
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Wellington | binary
MD5:AB319D86C37B8A1B5047A79E81E84D68
SHA256:C3727398B660769E90B49D96923F416FB392C866560A59CEFC7F1AA7C2ECE9BA
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Suicide | binary
MD5:1EE9DAEEF21C43336AE8626E9335BEB5
SHA256:DAB4963BCAFDA1A1E3FCEE0678F1B77B8440DA6E6F04A3CB858AD37101ABFE3D
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Loaded | binary
MD5:194D767A9BD549B3EFF27DB877EBD9CA
SHA256:346233781898FC1BD9B8187DBE79C86F50B51466340D398B8044F0F42B379A72
PID 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Transport | mp3
MD5:29310511E646A9DB8EC20112F750205A
SHA256:92572FF759F59420EB6EF712DC8DB8469C63425F0B2AB5798EBB19370FFB61E1
PID 2972 | cmd.exe | C:\Users\admin\AppData\Local\Temp\516983\Stored.com | executable
MD5:3DEC208B512C5ADCD445D7FD80F11B8A
SHA256:8CA3A132A9B953C94813C736CC7A911D5C7792E19126E37DEC064BAD1B1454A7
PID 2972 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Figured.cmd | text
MD5:21350FCCD60418B01CF83AC826AA31E9
SHA256:BE21F7CA2001511FBC3E0E43312F8649E83037EBF098682D5FA1D290E62BF470
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 28
DNS requests: 7
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (PID and Process are not recorded for these rows)
POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 2 b | unknown
POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown
POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown
POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 20.4 Kb | unknown
POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 140 b | unknown
POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown
POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown
POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown
POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (PID and Process are recorded only for the last row)
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
192.168.100.255:137 | whitelisted
2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
192.168.100.255:138 | whitelisted
PID 8 | Stored.com | 172.67.216.241:443 | futipoy.shop | CLOUDFLARENET | US | unknown

DNS requests

Columns: Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
www.bing.com | 2.23.209.130, 2.23.209.182, 2.23.209.185, 2.23.209.179, 2.23.209.149, 2.23.209.140, 2.23.209.187, 2.23.209.189, 2.23.209.133 | whitelisted
google.com | 142.250.185.78 | whitelisted
trxBhEXoOi.trxBhEXoOi | (no IP resolved) | unknown
futipoy.shop | 172.67.216.241, 104.21.78.51 | unknown
klipcatepiu0.shop | (no IP resolved) | unknown
self.events.data.microsoft.com | 51.104.15.252 | whitelisted

Threats

Columns: PID | Process | Class | Message
PID 2192 | svchost.exe | Domain Observed Used for C2 Detected | STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (klipcatepiu0 .shop)
No debug info