| File name: | random.exe |
| Full analysis: | https://app.any.run/tasks/367dad92-abdd-4305-80b2-4421b096fd1a |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | May 17, 2025, 02:29:40 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 66B68301B8E02391AEFC1257A83D98C2 |
| SHA1: | 5209FAC424FF3BFC148E0738076D693B2D366E0F |
| SHA256: | 87B22DC6E19D8AE5D0A41560D6DB0B3D7AE69A6E6A147FB5114B30DDF7710ACE |
| SSDEEP: | 49152:3lWn+dP1n/9OONHghOumYd9nTD0bM1ziv00LATO2bvQ3ffK1nPhH9zyAGt6Bn+zU:4UPlVOMMzTww1zMVATPzwHKdPhRat6BP |
MALICIOUS
Executing a file with an untrusted certificate
- random.exe (PID: 5512)
Create files in the Startup directory
- cmd.exe (PID: 3956)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2196)
- Invision.com (PID: 960)
AutoIt loader has been detected (YARA)
- Invision.com (PID: 960)
Connects to the CnC server
- svchost.exe (PID: 2196)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 2284)
LUMMA mutex has been found
- Invision.com (PID: 960)
SUSPICIOUS
Starts CMD.EXE for commands execution
- random.exe (PID: 5512)
- cmd.exe (PID: 1660)
Get information on the list of running processes
- cmd.exe (PID: 1660)
Reads security settings of Internet Explorer
- random.exe (PID: 5512)
Executing commands from a ".bat" file
- random.exe (PID: 5512)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 1660)
Application launched itself
- cmd.exe (PID: 1660)
Starts application with an unusual extension
- cmd.exe (PID: 1660)
The executable file from the user directory is run by the CMD process
- Invision.com (PID: 960)
Starts the AutoIt3 executable file
- cmd.exe (PID: 1660)
There is functionality for taking screenshot (YARA)
- Invision.com (PID: 960)
- random.exe (PID: 5512)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2196)
- Invision.com (PID: 960)
Executable content was dropped or overwritten
- Invision.com (PID: 960)
Searches for installed software
- Invision.com (PID: 960)
INFO
Checks supported languages
- Invision.com (PID: 960)
- random.exe (PID: 5512)
- extrac32.exe (PID: 5544)
Reads the computer name
- random.exe (PID: 5512)
- extrac32.exe (PID: 5544)
- Invision.com (PID: 960)
Process checks computer location settings
- random.exe (PID: 5512)
Create files in a temporary directory
- random.exe (PID: 5512)
- extrac32.exe (PID: 5544)
Creates a new folder
- cmd.exe (PID: 4024)
Reads mouse settings
- Invision.com (PID: 960)
Creates files or folders in the user directory
- Invision.com (PID: 960)
The sample compiled with english language support
- Invision.com (PID: 960)
Manual execution by a user
- wscript.exe (PID: 6488)
- cmd.exe (PID: 2284)
- cmd.exe (PID: 3956)
Auto-launch of the file from Startup directory
- cmd.exe (PID: 3956)
Auto-launch of the file from Task Scheduler
- cmd.exe (PID: 2284)
Reads the machine GUID from the registry
- Invision.com (PID: 960)
Checks proxy server information
- slui.exe (PID: 1328)
Reads the software policy settings
- slui.exe (PID: 1328)
- Invision.com (PID: 960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:04:10 12:19:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 25600 |
| InitializedDataSize: | 431104 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x33e9 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
Total processes
148
Monitored processes
22
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 728 | findstr /V "view" Maintained | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 960 | Invision.com h | C:\Users\admin\AppData\Local\Temp\690935\Invision.com | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script (Beta) Exit code: 0 Version: 3, 3, 15, 5 Modules
| |||||||||||||||
| 1276 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1328 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1660 | "C:\WINDOWS\System32\CMd.eXe" /c copy Perth.hopp Perth.hopp.bat & Perth.hopp.bat | C:\Windows\SysWOW64\cmd.exe | — | random.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2284 | cmd /c schtasks.exe /create /tn "Architect" /tr "wscript //B 'C:\Users\admin\AppData\Local\CryptoImageSyncPro Innovations Co\CryptoImageSyncProX.js'" /sc minute /mo 5 /F | C:\Windows\SysWOW64\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2504 | schtasks.exe /create /tn "Architect" /tr "wscript //B 'C:\Users\admin\AppData\Local\CryptoImageSyncPro Innovations Co\CryptoImageSyncProX.js'" /sc minute /mo 5 /F | C:\Windows\SysWOW64\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3300 | findstr /I "opssvc wrsa" | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3956 | cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoImageSyncProX.url" & echo URL="C:\Users\admin\AppData\Local\CryptoImageSyncPro Innovations Co\CryptoImageSyncProX.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoImageSyncProX.url" & exit | C:\Windows\SysWOW64\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 416
Read events
7 416
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
22
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1660 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Perth.hopp.bat | text | |
MD5:79A356B528DAD904B698A2BF362AA590 | SHA256:DDD791F5E7DDC62593D8C7B77AFCB2AF25D1AFEDE21FD70C96D35B5564152651 | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Reached.hopp | binary | |
MD5:3415802C93458081B1C9DF2499A3ADFC | SHA256:47D4EC181A2A6DEFD1EA24BF6BE135B8831616EF8E2D032913191A237E8006E3 | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Ron.hopp | binary | |
MD5:7EA446699BAECCBD94F730E911556EB4 | SHA256:A5DF8C75380005A4718DD7028975261E5E9816C923373F7301DCAABB99D33FC8 | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Rendering.hopp | binary | |
MD5:0A01134A1949C121F8ED8F519D746EBA | SHA256:A8C3033F598E30CD066975659C17582047B15765C3E444647D8047338BF8748F | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Wednesday.hopp | binary | |
MD5:695B8CFB142660AE5B70FAF73B74AC8A | SHA256:C7EA0B7EF57B6011B750B3A23F79390D723B5B4329693A217ACB23B7C61707D0 | |||
| 5544 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Panasonic | binary | |
MD5:B8ECAAF2D4C688701B9D31C792056BF0 | SHA256:AE19A6924532D7C73C104E5A112683745FBDEB5E11B9814A802B33366249BD26 | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Perth.hopp | text | |
MD5:79A356B528DAD904B698A2BF362AA590 | SHA256:DDD791F5E7DDC62593D8C7B77AFCB2AF25D1AFEDE21FD70C96D35B5564152651 | |||
| 5544 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Maintained | binary | |
MD5:EC4D8A4DDE3E3691FDAD11B0899BD03D | SHA256:7BE59A2BB7E25FF5574ED3F614E01FF124EF6470C805ABD2F3B5DFAA8FB2739B | |||
| 5512 | random.exe | C:\Users\admin\AppData\Local\Temp\Header.hopp | compressed | |
MD5:BC7E914F416BEA12F810553A713701EB | SHA256:9107B3936B2E85A4FF5DFA70CF1AAB1D89BDCCAB0A2B1C6CF7C1E1C0F94BDA4B | |||
| 5544 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Gale | binary | |
MD5:01A0C75F3A25B68AE6D57115ED6F4D86 | SHA256:913E6685A95272EE523531C9D68D5B77E90DC4EF73636B1FCEAA288353F291FC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
47
DNS requests
31
Threats
13
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
6724 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6516 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6516 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
VXvkGfcqqqZjxN.VXvkGfcqqqZjxN |
| unknown |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
macjajm.digital |
| unknown |
flowerexju.bet |
| malicious |
zmedtipp.live |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (easterxeen .run) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zmedtipp .live) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flowerexju .bet) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (araucahkbm .live) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (macjajm .digital) |
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (araucahkbm .live) |
960 | Invision.com | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (overcovtcg .top) |
— | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |