File name: lusetup.exe
Full analysis: https://app.any.run/tasks/74f1c29b-88b8-4818-a62e-a57d4e1711a8
Verdict: Malicious activity
Analysis date: June 24, 2024, 17:21:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 2166BD90356070778BA696115AAC2A2A
SHA1: 5282D2AF33E7BB6D003F7C15277FED1E848CBAD3
SHA256: A5146383D0E22F6EEE7F8D11AF0DEDCDEDCED9C4DFC40A9B7FED4F8B7AD11CED
SSDEEP: 98304:7Q4vYZdx5z0BnCmksXOVTB+XWdvKGcTfEVsOMniEMyJ98HIQG8yGVoFuExtX5LEY:7sxyv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • The process creates files with name similar to system file names

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Application launched itself

      • lusetup.exe (PID: 3348)
    • Executable content was dropped or overwritten

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Creates a software uninstall entry

      • lusetup.exe (PID: 3208)
  • INFO

    • Reads the computer name

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Checks supported languages

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Process checks whether UAC notifications are on

      • lusetup.exe (PID: 3348)
    • Create files in a temporary directory

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Creates files in the program directory

      • lusetup.exe (PID: 3208)
    • Reads the machine GUID from the registry

      • lusetup.exe (PID: 3208)
    • Manual execution by a user

      • explorer.exe (PID: 2980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 26624
InitializedDataSize: 475136
UninitializedDataSize: 16896
EntryPoint: 0x3415
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.19
ProductVersionNumber: 1.0.0.19
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Samsung Electronics Co., Ltd.
FileDescription: Samsung Printer Live Update
FileVersion: 1.01.00.04
LegalCopyright: (c) <Samsung Electronics>. All rights reserved.
ProductName: Samsung Printer Live Update
ProductVersion: 1.01.00.04
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph: interactive graph available in the full report (start -> lusetup.exe -> lusetup.exe; explorer.exe, no specs)

Process information

PID 2980
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 3208
CMD: "C:\Users\admin\AppData\Local\Temp\lusetup.exe" /UAC:80198 /NCRC
Path: C:\Users\admin\AppData\Local\Temp\lusetup.exe
Parent process: lusetup.exe
User: admin
Company: Samsung Electronics Co., Ltd.
Integrity Level: HIGH
Description: Samsung Printer Live Update
Exit code: 0
Version: 1.01.00.04
Modules (images):
c:\users\admin\appdata\local\temp\lusetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID 3348
CMD: "C:\Users\admin\AppData\Local\Temp\lusetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\lusetup.exe
Parent process: explorer.exe
User: admin
Company: Samsung Electronics Co., Ltd.
Integrity Level: MEDIUM
Description: Samsung Printer Live Update
Exit code: 0
Version: 1.01.00.04
Modules (images):
c:\users\admin\appdata\local\temp\lusetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 4 910
Read events: 4 893
Write events: 17
Delete events: 0

Modification events

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Samsung\LiveUpdateInstaller
Operation: write
Name: Path
Value: C:\Program Files\SamsungPrinterLiveUpdate

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Samsung\SamsungPrinterLiveUpdate
Operation: write
Name: LUManager
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUMgr.exe

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayName
Value: Samsung Printer Live Update

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: Publisher
Value: Samsung Electronics Co., Ltd.

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayIcon
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUpdate.ico

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: Description
Value: Live Update checks the installed versions of samsung printer software over a period of time and updates them.

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: UninstallString
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\uninstall.exe

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: UninstallString_SamsungSilent
Value: "C:\Program Files\SamsungPrinterLiveUpdateInstaller\uninstall.exe" /S

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayVersion
Value: 1.01.00:04(2013-04-22)

Process: (3208) lusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: NoModify
Value: 1
Executable files: 17
Suspicious files: 0
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3348 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nstE646.tmp\System.dll | executable
MD5: 959EA64598B9A3E494C00E8FA793BE7E
SHA256: 03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
3208 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nsuE905.tmp\System.dll | executable
MD5: 959EA64598B9A3E494C00E8FA793BE7E
SHA256: 03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
3348 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nstE646.tmp\UAC.dll | executable
MD5: 113C5F02686D865BC9E8332350274FD1
SHA256: 0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\SP_Update.exe | executable
MD5: 67E5CEFACCAC086213917BBD7EADA1D3
SHA256: B53A2F2BE0DE383D2899229B5B8EE1E7B76523D3EDCA08B6DBEDE9950D0179E1
3208 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nsuE905.tmp\InstallOptions.dll | executable
MD5: 67D8F4D5ACDB722E9CB7A99570B3DED1
SHA256: FA8DE036B1D9BB06BE383A82041966C73473FC8382D041FB5C1758F991AFEAE7
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\SecSNMPR.dll | executable
MD5: 857D0BD14E4EA068ACD9B79D240BA355
SHA256: F759C4B5D104E7628D4AFB46835C6FC58D1833566FE073C51649B50B2A826AB7
3208 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nsuE905.tmp\ioSpecial.ini | text
MD5: 6F98FCDA445825382121E480A64AE24C
SHA256: 689A67B30946CBE12DCE92D17207EC0488E850A806BE608E6FB174F853F86B57
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\MPS.dll | executable
MD5: E1329C7BA2E7A55157FBBCA1E7941572
SHA256: 1341FC025A55357886E32ED63D00A166FEAB6DF81E2530BA12B4802CE62061E0
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\LUpdate.exe | executable
MD5: 791340341B32172AAEC849578A6D18E1
SHA256: D639F6DCB679E37313AEE0C442EDCD9A1FF37B0B5C032720948553B921FE0168
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\SP_ConnRes.dll | executable
MD5: A528FF7D567034F86AC1A52112CDB3E4
SHA256: FC7B90FFC91B1950E71CF94CF25947E71786C12E798FDCEFC0E833B19348D294
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 10
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 23.50.131.203:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | | | unknown
1060 | svchost.exe | GET | 304 | 23.50.131.215:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 23.50.131.203:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1060 | svchost.exe | 23.50.131.215:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 23.50.131.203, 23.50.131.209, 23.50.131.206, 23.50.131.216, 23.50.131.215, 23.50.131.208, 23.50.131.214, 23.50.131.199, 23.50.131.220, 23.50.131.207 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted

Threats

No threats detected
No debug info