File name:

lusetup.exe

Full analysis: https://app.any.run/tasks/74f1c29b-88b8-4818-a62e-a57d4e1711a8
Verdict: Malicious activity
Analysis date: June 24, 2024, 17:21:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

2166BD90356070778BA696115AAC2A2A

SHA1:

5282D2AF33E7BB6D003F7C15277FED1E848CBAD3

SHA256:

A5146383D0E22F6EEE7F8D11AF0DEDCDEDCED9C4DFC40A9B7FED4F8B7AD11CED

SSDEEP:

98304:7Q4vYZdx5z0BnCmksXOVTB+XWdvKGcTfEVsOMniEMyJ98HIQG8yGVoFuExtX5LEY:7sxyv

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions during the session and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Executable content was dropped or overwritten

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • lusetup.exe (PID: 3208)
      • lusetup.exe (PID: 3348)
    • Application launched itself

      • lusetup.exe (PID: 3348)
    • Creates a software uninstall entry

      • lusetup.exe (PID: 3208)
  • INFO

    • Reads the computer name

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Checks supported languages

      • lusetup.exe (PID: 3348)
      • lusetup.exe (PID: 3208)
    • Process checks whether UAC notifications are on

      • lusetup.exe (PID: 3348)
    • Reads the machine GUID from the registry

      • lusetup.exe (PID: 3208)
    • Create files in a temporary directory

      • lusetup.exe (PID: 3208)
      • lusetup.exe (PID: 3348)
    • Creates files in the program directory

      • lusetup.exe (PID: 3208)
    • Manual execution by a user

      • explorer.exe (PID: 2980)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 26624
InitializedDataSize: 475136
UninitializedDataSize: 16896
EntryPoint: 0x3415
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.19
ProductVersionNumber: 1.0.0.19
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Samsung Electronics Co., Ltd.
FileDescription: Samsung Printer Live Update
FileVersion: 1.01.00.04
LegalCopyright: (c) <Samsung Electronics>. All rights reserved.
ProductName: Samsung Printer Live Update
ProductVersion: 1.01.00.04
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Graph nodes: start, lusetup.exe, lusetup.exe, explorer.exe (no specs). The interactive graph is in the full report.

Process information

PID: 2980
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\lusetup.exe" /UAC:80198 /NCRC
Path: C:\Users\admin\AppData\Local\Temp\lusetup.exe
Parent process: lusetup.exe
User:
admin
Company:
Samsung Electronics Co., Ltd.
Integrity Level:
HIGH
Description:
Samsung Printer Live Update
Exit code:
0
Version:
1.01.00.04
Modules
Images
c:\users\admin\appdata\local\temp\lusetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3348
CMD: "C:\Users\admin\AppData\Local\Temp\lusetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\lusetup.exe
Parent process: explorer.exe
User:
admin
Company:
Samsung Electronics Co., Ltd.
Integrity Level:
MEDIUM
Description:
Samsung Printer Live Update
Exit code:
0
Version:
1.01.00.04
Modules
Images
c:\users\admin\appdata\local\temp\lusetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
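The process tree above is the one behaviour that separates this run from an ordinary double-click: lusetup.exe (PID 3348, MEDIUM integrity, parent explorer.exe) starts a second copy of itself (PID 3208, HIGH integrity) with `/UAC:80198 /NCRC`. That argument form is how the NSIS UAC plugin (the UAC.dll listed under Dropped files) re-launches an installer elevated once the UAC prompt is accepted; this identification is the editor's reading of the report, not something ANY.RUN states. The script below is an added example and not ANY.RUN code: it rebuilds the three processes as hand-constructed event records and runs two detection rules over them, one for an executable started from %TEMP% by the shell and one for a process that re-launches its own image at a higher integrity level. The field names and the rule text are this example's own.

```python
"""Process-tree triage for the three monitored processes in this report.

Added example, not ANY.RUN's own code. REPORT_EVENTS is constructed by hand
from the 'Process information' section (PIDs, command lines, paths, parents,
integrity levels). The record layout and both rules are assumptions of this
example, not an ANY.RUN API.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str        # full image path as logged
    cmdline: str
    integrity: str    # "LOW" / "MEDIUM" / "HIGH" / "SYSTEM"


# Constructed from the report: explorer.exe (2980) starts lusetup.exe (3348,
# MEDIUM), which starts lusetup.exe again (3208, HIGH) with "/UAC:<id> /NCRC".
REPORT_EVENTS = [
    ProcEvent(2980, None, r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe"', "MEDIUM"),
    ProcEvent(3348, 2980, r"C:\Users\admin\AppData\Local\Temp\lusetup.exe",
              r'"C:\Users\admin\AppData\Local\Temp\lusetup.exe"', "MEDIUM"),
    ProcEvent(3208, 3348, r"C:\Users\admin\AppData\Local\Temp\lusetup.exe",
              r'"C:\Users\admin\AppData\Local\Temp\lusetup.exe" /UAC:80198 /NCRC', "HIGH"),
]

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
# The NSIS UAC plugin passes "/UAC:<hex id> /NCRC" to the elevated copy (editor's
# identification; the page only shows the command line).
NSIS_UAC_RELAUNCH = re.compile(r"/UAC:[0-9A-Fa-f]+\s+/NCRC\b")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def triage(events):
    """Return (pid, finding) tuples produced by the two constructed rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: shell launches an executable out of the user's temp directory.
        if parent.image.lower().endswith(r"\explorer.exe") and TEMP_DIR.search(e.image):
            findings.append((e.pid, "executable run from %TEMP% by explorer.exe"))
        # Rule 2: same image as the parent, but at a higher integrity level.
        if (e.image.lower() == parent.image.lower()
                and INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[parent.integrity]):
            how = ("NSIS UAC plugin relaunch" if NSIS_UAC_RELAUNCH.search(e.cmdline)
                   else "unknown mechanism")
            findings.append((e.pid, f"self-relaunch elevated {parent.integrity}->{e.integrity} ({how})"))
    return findings


def ancestry(events, pid):
    """Walk parent links back to the root; returns image names, child first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(e.image.rsplit("\\", 1)[-1])
        pid = e.ppid
    return chain


if __name__ == "__main__":
    for pid, finding in triage(REPORT_EVENTS):
        print(pid, finding)
    print(" <- ".join(ancestry(REPORT_EVENTS, 3208)))
```

Rule 2 fires on any installer that elevates through the NSIS UAC plugin, so on its own it is an enrichment, not an alert; what makes it worth keeping is the combination with rule 1 and with what the elevated copy then writes (see Modification events and Dropped files).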
Total events
4 910
Read events
4 893
Write events
17
Delete events
0

Modification events

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Samsung\LiveUpdateInstaller
Operation: write
Name: Path
Value: C:\Program Files\SamsungPrinterLiveUpdate

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Samsung\SamsungPrinterLiveUpdate
Operation: write
Name: LUManager
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUMgr.exe

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayName
Value: Samsung Printer Live Update

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: Publisher
Value: Samsung Electronics Co., Ltd.

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayIcon
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUpdate.ico

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: Description
Value: Live Update checks the installed versions of samsung printer software over a period of time and updates them.

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: UninstallString
Value: C:\Program Files\SamsungPrinterLiveUpdateInstaller\uninstall.exe

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: UninstallString_SamsungSilent
Value: "C:\Program Files\SamsungPrinterLiveUpdateInstaller\uninstall.exe" /S

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: DisplayVersion
Value: 1.01.00:04(2013-04-22)

Process: lusetup.exe (PID 3208)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Samsung Printer Live Update
Operation: write
Name: NoModify
Value: 1
Executable files
17
Suspicious files
0
Text files
7
Unknown types
0

Dropped files

PID | Process | Filename | Type
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUMgr.exe | executable
  MD5: 8FF586D02536D460BB020D4B400DBA61
  SHA256: D67197BF407E74ECD77BE89D0DA107D5F7D37C21BDF55456C6B57DF65CF429B3
3208 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nsuE905.tmp\modern-header.bmp | image
  MD5: EFD0D411591950DB0A056C0BFDB48C1E
  SHA256: 22E6EE79BCE71831BCAA1847741D3C35D78F1EC5C9958CB1DB9A64EDFFE174FC
3208 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nsuE905.tmp\UAC.dll | executable
  MD5: 113C5F02686D865BC9E8332350274FD1
  SHA256: 0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdateInstaller\SSMUIDLL.dll | executable
  MD5: 13DA27936795C457C11CCB1975D89E15
  SHA256: 1B1DBDB50117B2063032614F8B0057E4826B6CB8901B2FE0FA56F81346CB338D
3348 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nstE646.tmp\System.dll | executable
  MD5: 959EA64598B9A3E494C00E8FA793BE7E
  SHA256: 03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\MPS.dll | executable
  MD5: E1329C7BA2E7A55157FBBCA1E7941572
  SHA256: 1341FC025A55357886E32ED63D00A166FEAB6DF81E2530BA12B4802CE62061E0
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdateInstaller\LUMgr.trs | text
  MD5: 8CE3BE88052C64EAFAEF3FFDF0EAF436
  SHA256: 71C15C62D035C92A929703289200ED0120400065EDA5C73D5ED7DE1B5D94F4A4
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\LUpdate.exe | executable
  MD5: 791340341B32172AAEC849578A6D18E1
  SHA256: D639F6DCB679E37313AEE0C442EDCD9A1FF37B0B5C032720948553B921FE0168
3348 | lusetup.exe | C:\Users\admin\AppData\Local\Temp\nstE646.tmp\UAC.dll | executable
  MD5: 113C5F02686D865BC9E8332350274FD1
  SHA256: 0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D
3208 | lusetup.exe | C:\Program Files\SamsungPrinterLiveUpdate\SP_ConnRes.dll | executable
  MD5: A528FF7D567034F86AC1A52112CDB3E4
  SHA256: FC7B90FFC91B1950E71CF94CF25947E71786C12E798FDCEFC0E833B19348D294
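The dropped-file list mixes three different things: files that NSIS itself unpacks into %TEMP%\ns<letter><hex>.tmp\ before the installer script runs (System.dll is the stock NSIS System plugin, UAC.dll the NSIS UAC plugin, modern-header.bmp the Modern UI header bitmap), the actual payload written under C:\Program Files, and one text file. The signature "Malware-specific behavior (creating System.dll in Temp)" keys on the first group, which every NSIS-built installer produces, so it cannot carry the verdict by itself; the payload files and the registry writes are where a verdict has to come from. The script below is an added example, not ANY.RUN's code: it transcribes the table, buckets each drop by location, collapses the two identical UAC.dll hashes and the submitted sample's SHA-256 into one IOC index, and scans a directory for hash hits. The temp-directory pattern, the plugin-name list and the bucket names are this example's assumptions.

```python
"""Dropped-file triage for the table above (added example; not ANY.RUN code).

DROPPED and SAMPLE_SHA256 are transcribed by hand from this report. The NSIS
temp-directory pattern, the plugin-name list and the bucket names are this
example's own assumptions about NSIS installers, not report data.
"""
import hashlib
import os
import re
import tempfile
from collections import namedtuple

Drop = namedtuple("Drop", "pid process path ftype md5 sha256")

SAMPLE_SHA256 = "A5146383D0E22F6EEE7F8D11AF0DEDCDEDCED9C4DFC40A9B7FED4F8B7AD11CED"
_INST = r"C:\Program Files\SamsungPrinterLiveUpdateInstaller"
_APP = r"C:\Program Files\SamsungPrinterLiveUpdate"
_TMP = r"C:\Users\admin\AppData\Local\Temp"

DROPPED = [
    Drop(3208, "lusetup.exe", _INST + r"\LUMgr.exe", "executable", "8FF586D02536D460BB020D4B400DBA61",
         "D67197BF407E74ECD77BE89D0DA107D5F7D37C21BDF55456C6B57DF65CF429B3"),
    Drop(3208, "lusetup.exe", _TMP + r"\nsuE905.tmp\modern-header.bmp", "image", "EFD0D411591950DB0A056C0BFDB48C1E",
         "22E6EE79BCE71831BCAA1847741D3C35D78F1EC5C9958CB1DB9A64EDFFE174FC"),
    Drop(3208, "lusetup.exe", _TMP + r"\nsuE905.tmp\UAC.dll", "executable", "113C5F02686D865BC9E8332350274FD1",
         "0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D"),
    Drop(3208, "lusetup.exe", _INST + r"\SSMUIDLL.dll", "executable", "13DA27936795C457C11CCB1975D89E15",
         "1B1DBDB50117B2063032614F8B0057E4826B6CB8901B2FE0FA56F81346CB338D"),
    Drop(3348, "lusetup.exe", _TMP + r"\nstE646.tmp\System.dll", "executable", "959EA64598B9A3E494C00E8FA793BE7E",
         "03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B"),
    Drop(3208, "lusetup.exe", _APP + r"\MPS.dll", "executable", "E1329C7BA2E7A55157FBBCA1E7941572",
         "1341FC025A55357886E32ED63D00A166FEAB6DF81E2530BA12B4802CE62061E0"),
    Drop(3208, "lusetup.exe", _INST + r"\LUMgr.trs", "text", "8CE3BE88052C64EAFAEF3FFDF0EAF436",
         "71C15C62D035C92A929703289200ED0120400065EDA5C73D5ED7DE1B5D94F4A4"),
    Drop(3208, "lusetup.exe", _APP + r"\LUpdate.exe", "executable", "791340341B32172AAEC849578A6D18E1",
         "D639F6DCB679E37313AEE0C442EDCD9A1FF37B0B5C032720948553B921FE0168"),
    Drop(3348, "lusetup.exe", _TMP + r"\nstE646.tmp\UAC.dll", "executable", "113C5F02686D865BC9E8332350274FD1",
         "0D21041A1B5CD9F9968FC1D457C78A802C9C5A23F375327E833501B65BCD095D"),
    Drop(3208, "lusetup.exe", _APP + r"\SP_ConnRes.dll", "executable", "A528FF7D567034F86AC1A52112CDB3E4",
         "FC7B90FFC91B1950E71CF94CF25947E71786C12E798FDCEFC0E833B19348D294"),
]

# NSIS unpacks plugin DLLs and MUI bitmaps into %TEMP%\ns<letter><hex>.tmp\ (assumed pattern).
NSIS_TMP = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
KNOWN_NSIS_PLUGINS = {"system.dll", "uac.dll", "nsexec.dll", "installoptions.dll"}  # assumed list


def classify(d):
    """Bucket a drop: NSIS plugin, other NSIS temp file, installed payload, or data."""
    name = d.path.rsplit("\\", 1)[-1].lower()
    if NSIS_TMP.search(d.path):
        return "nsis-plugin" if name in KNOWN_NSIS_PLUGINS else "nsis-temp"
    return "payload" if d.ftype == "executable" else "data"


def summarize(drops):
    """bucket -> sorted file names."""
    out = {}
    for d in drops:
        out.setdefault(classify(d), []).append(d.path.rsplit("\\", 1)[-1])
    return {k: sorted(v) for k, v in out.items()}


def ioc_index(drops, sample_sha256=SAMPLE_SHA256):
    """SHA-256 (lower-case hex) -> description; duplicate hashes collapse to one entry."""
    idx = {sample_sha256.lower(): "lusetup.exe (submitted sample)"}
    for d in drops:
        idx.setdefault(d.sha256.lower(), d.path)
    return idx


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root, iocs):
    """Walk a tree; return (local path, IOC description) for every hash hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            p = os.path.join(dirpath, fn)
            desc = iocs.get(sha256_of(p))
            if desc:
                hits.append((p, desc))
    return hits


def make_demo_dir():
    """Throwaway directory holding one constructed file; returns (dir, its sha256)."""
    d = tempfile.mkdtemp(prefix="lusetup-triage-")
    p = os.path.join(d, "constructed-sample.bin")
    with open(p, "wb") as f:
        f.write(b"constructed test content, not the real installer\n")
    return d, sha256_of(p)


if __name__ == "__main__":
    for bucket, names in summarize(DROPPED).items():
        print(f"{bucket:12s} {', '.join(names)}")
    demo, h = make_demo_dir()
    iocs = ioc_index(DROPPED)
    print("hits:", scan_dir(demo, iocs))          # the constructed file matches nothing
    iocs[h] = "constructed-sample (added for the demo)"
    print("hits:", scan_dir(demo, iocs))          # now it matches its own entry
```

Only the SHA-256 column is used for matching; the MD5 values are kept in the records for cross-referencing other reports, not for detection.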
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(each row below lists only the columns that were populated in the report, in this order)
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 23.50.131.215:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | unknown
1372 | svchost.exe | GET | 304 | 23.50.131.203:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(each row below lists only the columns that were populated in the report, in this order)
4 | System | 192.168.100.255:137 | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
1372 | svchost.exe | 23.50.131.203:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1060 | svchost.exe | 23.50.131.215:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
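Every HTTP request and connection in the two tables above belongs to svchost.exe (PIDs 1372 and 1060) or System (PID 4), never to either lusetup.exe PID. The four HTTP fetches are certificate revocation lists and the disallowed-certificate CTL, which the Windows CryptoAPI service pulls when it validates a signature, the 443 connection is Windows telemetry, and the rest is NetBIOS and LLMNR chatter on the local segment; that reading is the editor's, not ANY.RUN's. Two caveats: a single sandbox run cannot prove the installer never uses the network, and the components it installs (LUMgr.exe, LUpdate.exe) were never started in this session even though the registry Description says they check for updates over time. The script below is an added example, not ANY.RUN code: it transcribes both tables, returns the rows owned by the monitored PIDs, and buckets the remaining rows. The background-host list and the bucket names are assumptions of the example.

```python
"""Attribute the report's network rows to processes (added example; not ANY.RUN code).

HTTP_ROWS and CONN_ROWS are transcribed from the 'HTTP requests' and
'Connections' tables above. MONITORED holds the two lusetup.exe PIDs.
WINDOWS_BACKGROUND and the bucket names are this example's assumptions.
"""
from urllib.parse import urlparse

MONITORED = {3208, 3348}

# (pid, process, method, status, ip:port, url)
HTTP_ROWS = [
    (1372, "svchost.exe", "GET", 200, "23.48.23.156:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (1372, "svchost.exe", "GET", 200, "23.35.229.160:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (1060, "svchost.exe", "GET", 304, "23.50.131.215:80",
     "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75"),
    (1372, "svchost.exe", "GET", 304, "23.50.131.203:80",
     "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33"),
]

# (pid, process, ip:port, domain or None)
CONN_ROWS = [
    (4, "System", "192.168.100.255:137", None),
    (1372, "svchost.exe", "51.124.78.146:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (1060, "svchost.exe", "224.0.0.252:5355", None),
    (1372, "svchost.exe", "23.50.131.203:80", "ctldl.windowsupdate.com"),
    (1372, "svchost.exe", "23.48.23.156:80", "crl.microsoft.com"),
    (1372, "svchost.exe", "23.35.229.160:80", "www.microsoft.com"),
    (1060, "svchost.exe", "23.50.131.215:80", "ctldl.windowsupdate.com"),
]

# Hosts a Windows 7 guest contacts on its own: CRL/CTL downloads by the
# CryptoAPI service and telemetry (assumed list for this example).
WINDOWS_BACKGROUND = {
    "crl.microsoft.com", "www.microsoft.com", "ctldl.windowsupdate.com",
    "settings-win.data.microsoft.com",
}


def sample_traffic(http_rows, conn_rows, monitored=MONITORED):
    """Rows whose PID belongs to the sample; empty for this report."""
    return ([r for r in http_rows if r[0] in monitored],
            [r for r in conn_rows if r[0] in monitored])


def classify_conn(row):
    pid, _proc, endpoint, domain = row
    ip, port = endpoint.rsplit(":", 1)
    if pid in MONITORED:
        return "sample"
    if ip.endswith(".255") and port in ("137", "138"):
        return "netbios-broadcast"
    if ip == "224.0.0.252" and port == "5355":
        return "llmnr-multicast"
    if domain in WINDOWS_BACKGROUND:
        return "windows-background"
    return "unattributed"


def classify_http(row):
    u = urlparse(row[5])
    if row[0] in MONITORED:
        return "sample"
    if u.hostname in WINDOWS_BACKGROUND and u.path.lower().endswith((".crl", ".cab")):
        return "crl-or-ctl-fetch"
    return "unattributed"


def summary(http_rows=HTTP_ROWS, conn_rows=CONN_ROWS):
    """(connection buckets, HTTP buckets) as count dictionaries."""
    conns, https = {}, {}
    for r in conn_rows:
        conns[classify_conn(r)] = conns.get(classify_conn(r), 0) + 1
    for r in http_rows:
        https[classify_http(r)] = https.get(classify_http(r), 0) + 1
    return conns, https


if __name__ == "__main__":
    print("sample-owned rows:", sample_traffic(HTTP_ROWS, CONN_ROWS))
    print("buckets:", summary())
```

An "unattributed" bucket that stays empty, together with an empty sample-owned list, is the condition under which "Threats 0" below actually means something for the installer; a sample-owned row to any host would deserve the PCAP from the full report.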

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.203
  • 23.50.131.209
  • 23.50.131.206
  • 23.50.131.216
  • 23.50.131.215
  • 23.50.131.208
  • 23.50.131.214
  • 23.50.131.199
  • 23.50.131.220
  • 23.50.131.207
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info