Malware analysis Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/36bf3af6-7bc7-422b-b485-ee62fcc5f5a7
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 21, 2024, 00:44:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	hijackloader loader lumma stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:	60250D444207E665A278070A76DC811C
SHA1:	306DD3DDEA6D5DA2A4D10E1B85DA1D9E5F2E05E5
SHA256:	979F393C1F1EF1D302B93004DE949810B98FD2544E3CECA2630FA1A60D159C65
SSDEEP:	98304:U+FNSy3lQB/R60c1kPMkEJrcLgIh7buT7FfjFYh9oxlo7ODrtoifS9bUhsva7l+E:v0gicU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Setup.exe (PID: 2116)
  - rta.exe (PID: 6348)
  - Setup.exe (PID: 6940)
  - PoplarNegligee.pif (PID: 8044)
  - cmd.exe (PID: 1764)
  - Bush.pif (PID: 3628)
- LUMMA has been detected (YARA)
  - netsh.exe (PID: 7636)
  - netsh.exe (PID: 6576)
- HIJACKLOADER has been detected (YARA)
  - netsh.exe (PID: 7636)
  - netsh.exe (PID: 6576)
- LUMMA has been detected (SURICATA)
  - PoplarNegligee.pif (PID: 8044)
- Stealers network behavior
  - PoplarNegligee.pif (PID: 8044)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 5720)
  - findstr.exe (PID: 2868)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 6688)
- Create files in the Startup directory
  - cmd.exe (PID: 5244)
- Changes powershell execution policy (Bypass)
  - PoplarNegligee.pif (PID: 8044)
- Actions looks like stealing of personal data
  - PoplarNegligee.pif (PID: 8044)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 5464)
  - powershell.exe (PID: 7464)
SUSPICIOUS
- Process drops legitimate windows executable
  - Setup.exe (PID: 2116)
  - rta.exe (PID: 6348)
  - Setup.exe (PID: 6940)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 2116)
  - rta.exe (PID: 6348)
  - Setup.exe (PID: 6940)
  - netsh.exe (PID: 7636)
  - PoplarNegligee.pif (PID: 8044)
  - cmd.exe (PID: 1764)
  - Bush.pif (PID: 3628)
- The process drops C-runtime libraries
  - Setup.exe (PID: 2116)
  - rta.exe (PID: 6348)
  - Setup.exe (PID: 6940)
- Suspicious use of NETSH.EXE
  - rta.exe (PID: 6348)
  - rta.exe (PID: 2860)
- Drops a file with a rarely used extension (PIF)
  - netsh.exe (PID: 7636)
  - Bush.pif (PID: 3628)
  - cmd.exe (PID: 1764)
- Starts application with an unusual extension
  - netsh.exe (PID: 6576)
  - netsh.exe (PID: 7636)
  - cmd.exe (PID: 1764)
- Get information on the list of running processes
  - cmd.exe (PID: 1764)
- Starts CMD.EXE for commands execution
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
  - cmd.exe (PID: 1764)
  - O69NELIRKI2JXE6H90FSHNDP22SUI2E.exe (PID: 6440)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 1764)
- Searches for installed software
  - PoplarNegligee.pif (PID: 8044)
- Reads security settings of Internet Explorer
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
- Reads the date of Windows installation
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
- Executing commands from ".cmd" file
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
- Suspicious file concatenation
  - cmd.exe (PID: 6880)
- The executable file from the user directory is run by the CMD process
  - Bush.pif (PID: 3628)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 1764)
- Application launched itself
  - cmd.exe (PID: 1764)
- The process executes Powershell scripts
  - PoplarNegligee.pif (PID: 8044)
- Starts POWERSHELL.EXE for commands execution
  - PoplarNegligee.pif (PID: 8044)
INFO
- Checks supported languages
  - Setup.exe (PID: 2116)
  - rta.exe (PID: 6348)
  - Bt.exe (PID: 6928)
  - Setup.exe (PID: 6940)
  - rta.exe (PID: 2860)
  - Bt.exe (PID: 7032)
  - PoplarNegligee.pif (PID: 8044)
  - PoplarNegligee.pif (PID: 6176)
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
  - Bush.pif (PID: 3628)
  - O69NELIRKI2JXE6H90FSHNDP22SUI2E.exe (PID: 6440)
- Create files in a temporary directory
  - Setup.exe (PID: 2116)
  - Setup.exe (PID: 6940)
  - netsh.exe (PID: 7636)
  - rta.exe (PID: 6348)
  - rta.exe (PID: 2860)
  - netsh.exe (PID: 6576)
  - PoplarNegligee.pif (PID: 8044)
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
  - O69NELIRKI2JXE6H90FSHNDP22SUI2E.exe (PID: 6440)
- Reads the computer name
  - rta.exe (PID: 6348)
  - Bt.exe (PID: 6928)
  - rta.exe (PID: 2860)
  - Bt.exe (PID: 7032)
  - PoplarNegligee.pif (PID: 8044)
  - PoplarNegligee.pif (PID: 6176)
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
  - Bush.pif (PID: 3628)
  - O69NELIRKI2JXE6H90FSHNDP22SUI2E.exe (PID: 6440)
- Creates files or folders in the user directory
  - rta.exe (PID: 6348)
  - Bush.pif (PID: 3628)
- Manual execution by a user
  - Setup.exe (PID: 6940)
  - cmd.exe (PID: 6688)
  - cmd.exe (PID: 5244)
- Drops the executable file immediately after the start
  - netsh.exe (PID: 7636)
- Reads the software policy settings
  - PoplarNegligee.pif (PID: 8044)
- Process checks computer location settings
  - 8NTHES43T8MUJ6M8A.exe (PID: 7404)
- Reads mouse settings
  - Bush.pif (PID: 3628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Lumma

(PID) Process(7636) netsh.exe

C2 (9)upknittsoappz.shop

callosallsaospz.shop

outpointsozp.shop

shepherdlyopzc.shop

unseaffarignsk.shop

accessibledpzp.shop

indexterityszcoxp.shop

liernessfornicsa.shop

lariatedzugspd.shop

(PID) Process(6576) netsh.exe

C2 (9)upknittsoappz.shop

callosallsaospz.shop

outpointsozp.shop

shepherdlyopzc.shop

unseaffarignsk.shop

accessibledpzp.shop

indexterityszcoxp.shop

liernessfornicsa.shop

lariatedzugspd.shop

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (25)
.exe	\|	Win32 EXE PECompact compressed (generic) (24.2)
.exe	\|	Win32 Executable MS Visual C++ (generic) (18.1)
.exe	\|	Win64 Executable (generic) (16)
.scr	\|	Windows screen saver (7.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:06:26 19:41:05+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.38
CodeSize:	40960
InitializedDataSize:	51200
UninitializedDataSize:	295936
EntryPoint:	0x4b62
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

173

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

844

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

884

findstr /V "DEUTSCHCOMEDYCONDITIONSMINDS" Clips

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll

1212

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1284

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1764

"C:\Windows\System32\cmd.exe" /k copy Nerve Nerve.cmd & Nerve.cmd & exit

C:\Windows\SysWOW64\cmd.exe

8NTHES43T8MUJ6M8A.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

2116

"C:\Users\admin\Desktop\Setup.exe"

C:\Users\admin\Desktop\Setup.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

2704

cmd /c md 484309

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

2860

"C:\Users\admin\AppData\Local\Temp\nsyBBED.tmp\rta.exe"

C:\Users\admin\AppData\Local\Temp\nsyBBED.tmp\rta.exe

—

Setup.exe

User:

admin

Company:

IncrediMail, Ltd.

Integrity Level:

MEDIUM

Description:

IncrediMail Notifier

Exit code:

Version:

6, 3, 9, 5274

Modules

Images
c:\users\admin\appdata\local\temp\nsybbed.tmp\rta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2868

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll

3628

484309\Bush.pif 484309\g

C:\Users\admin\AppData\Local\Temp\484309\Bush.pif

cmd.exe

User:

admin

Company:

AutoIt Team

Integrity Level:

MEDIUM

Description:

AutoIt v3 Script

Version:

3, 3, 14, 4

Modules

Images
c:\users\admin\appdata\local\temp\484309\bush.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

17 580

Read events

17 570

Write events

Delete events

Modification events


(PID) Process:	(6348) rta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\IncrediMail
Operation:	write	Name:	ApplicationPath
Value: C:\Users\admin\AppData\Local\IM
(PID) Process:	(6348) rta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\IncrediMail
Operation:	write	Name:	ApplicationPathBackup
Value: C:\Users\admin\AppData\Local\IM
(PID) Process:	(7404) 8NTHES43T8MUJ6M8A.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7404) 8NTHES43T8MUJ6M8A.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7404) 8NTHES43T8MUJ6M8A.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7404) 8NTHES43T8MUJ6M8A.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\plugins\Microsoft.VisualStudio.VsWebProtocol		executable
		MD5:91ACF072FE60B3EF9867FAEC1A7A8CB0	SHA256:1F49ADC807A564E7C1ECF32F58074A1230A6FE4764E8F54CE7FFA8C2E880DCCA
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\libvlc.dll		executable
		MD5:96214B94B796BFFC48D63289854AE5A2	SHA256:528C416CFB4813EE5F1DA52743EF4ADB20043171230098B27E25D1DD90E3F288
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\plugins\StartupHelper		executable
		MD5:14934CACA84D5FE0288F27EFB31DCBF8	SHA256:7FA86147035627BAE39576BCBE619D045E94A48C4DB8CA131968C20BB4DE4A36
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\plugins\NvStWiz		executable
		MD5:9E82E3B658393BED3F7E4F090DF1FBE7	SHA256:C2AD5BD189DF04B39BE18DEC5CD251CF79B066010706AD26D99DF7E49FD07762
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\plugins\lang-1058.dll		executable
		MD5:41C75E831A5571C3F72287794391A0E6	SHA256:B3AD99AFDAEE3B9365E7A3FFCC44C2761E22A4F92DFF5E5EFDC52F6B08EA0105
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\plugins\lang-1049.dll		executable
		MD5:0AC98A4BFC717523E344010A42C2F4BA	SHA256:68546336232AA2BE277711AFA7C1F08ECD5FCC92CC182F90459F0C61FB39507F
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\libvlccore.dll		executable
		MD5:E25413BB41C2F239FFDD3569F76E74B0	SHA256:9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\ImNtUtilU.dll		executable
		MD5:BB326FE795E2C1C19CD79F320E169FD3	SHA256:A8E1B0E676DCE9556037D29FD96521EC814858404BA4CFDD0DB0EDBE22C87BC7
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\mfc80u.dll		executable
		MD5:CCC2E312486AE6B80970211DA472268B	SHA256:18BE5D3C656236B7E3CD6D619D62496FE3E7F66BF2859E460F8AC3D1A6BDAA9A
2116	Setup.exe	C:\Users\admin\AppData\Local\Temp\nss955A.tmp\ImWrappU.dll		executable
		MD5:CBF4827A5920A5F02C50F78ED46D0319	SHA256:7187903A9E4078F4D31F4B709A59D24EB6B417EA289F4F28EABCE1EA2E713DCE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4716	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2760	svchost.exe	40.113.103.199:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3404	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4716	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	20.190.159.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
login.live.com	20.190.159.64 20.190.159.0 40.126.31.69 40.126.31.73 20.190.159.68 20.190.159.4 20.190.159.23 20.190.159.71 20.190.159.2 40.126.31.71	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
www.bing.com	104.126.37.136 104.126.37.139 104.126.37.163 104.126.37.178 104.126.37.171 104.126.37.130 104.126.37.131	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted
accessibledpzp.shop	188.114.96.3 188.114.97.3	unknown

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
—	—	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
—	—	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)

Add for printing

No debug info

General Info

Setup.exe

60250D444207E665A278070A76DC811C

306DD3DDEA6D5DA2A4D10E1B85DA1D9E5F2E05E5

979F393C1F1EF1D302B93004DE949810B98FD2544E3CECA2630FA1A60D159C65

98304:U+FNSy3lQB/R60c1kPMkEJrcLgIh7buT7FfjFYh9oxlo7ODrtoifS9bUhsva7l+E:v0gicU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

LUMMA has been detected (YARA)

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (SURICATA)

Stealers network behavior

Antivirus name has been found in the command line (generic signature)

Uses Task Scheduler to run other applications

Create files in the Startup directory

Changes powershell execution policy (Bypass)

Actions looks like stealing of personal data

Bypass execution policy to execute commands

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Suspicious use of NETSH.EXE

Drops a file with a rarely used extension (PIF)

Starts application with an unusual extension

Get information on the list of running processes

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Searches for installed software

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executing commands from ".cmd" file

Suspicious file concatenation

The executable file from the user directory is run by the CMD process

Uses TIMEOUT.EXE to delay execution

Application launched itself

The process executes Powershell scripts

Starts POWERSHELL.EXE for commands execution

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Creates files or folders in the user directory

Manual execution by a user

Drops the executable file immediately after the start

Reads the software policy settings

Process checks computer location settings

Reads mouse settings

Malware configuration

Lumma

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules