File name:

WaveWindows.exe

Full analysis: https://app.any.run/tasks/379eff3e-77fa-44a3-9a15-4e0e2300aa5b
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: July 27, 2024, 12:54:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

FBA516AA20D970350DDE5C0791025A21

SHA1:

C85B74764024A8F5E1C23BB2D6D7AEB64EEB6529

SHA256:

A981C7F2408609655F00630D55566C119992DD51FEA323A26ABDC477C2D34F13

SSDEEP:

12288:ofctfphnfHty3YcAVVavIqC46Uzs9q1rbj50LJODDGDnEUIdvhsCSGigiRNvkDlE:oEpp9fHty3YcAVVawJ46UI9Grbj5o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WaveWindows.exe (PID: 4912)

    • Stealers network behavior

      • aspnet_regiis.exe (PID: 484)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2284)
      • aspnet_regiis.exe (PID: 484)

    • LUMMA has been detected (YARA)

      • aspnet_regiis.exe (PID: 484)

    • Actions looks like stealing of personal data

      • aspnet_regiis.exe (PID: 484)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WaveWindows.exe (PID: 4912)

    • Searches for installed software

      • aspnet_regiis.exe (PID: 484)

  • INFO

    • Checks supported languages

      • WaveWindows.exe (PID: 4912)
      • aspnet_regiis.exe (PID: 484)

    • Creates files or folders in the user directory

      • WaveWindows.exe (PID: 4912)

    • Reads the computer name

      • WaveWindows.exe (PID: 4912)
      • aspnet_regiis.exe (PID: 484)

    • Reads the machine GUID from the registry

      • aspnet_regiis.exe (PID: 484)

    • Reads the software policy settings

      • aspnet_regiis.exe (PID: 484)
      • slui.exe (PID: 6440)

    • Checks proxy server information

      • slui.exe (PID: 6440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(484) aspnet_regiis.exe
C2 (9)callosallsaospz.shop
kaminiasbbefow.shop
indexterityszcoxp.shop
lariatedzugspd.shop
upknittsoappz.shop
shepherdlyopzc.shop
outpointsozp.shop
liernessfornicsa.shop
unseaffarignsk.shop
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:26 17:43:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 363008
InitializedDataSize: 314880
UninitializedDataSize: -
EntryPoint: 0xae00a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.2.0.8
ProductVersionNumber: 1.2.0.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Adjectives which will randomly appear with a click
CompanyName: Tommy Share Inc.
FileDescription: Tommy Share Library
FileVersion: 1.2.0.8
InternalName: Kevin662Charlie.txt
LegalCopyright: Copyright © 2024
LegalTrademarks: Tommy Share Inc. Trademark
OriginalFileName: Kevin662Charlie.txt
ProductName: Tommy Share Suite Pro
ProductVersion: 1.2.0.8
AssemblyVersion: 1.2.0.8
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wavewindows.exe conhost.exe no specs #LUMMA aspnet_regiis.exe slui.exe #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
484"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
WaveWindows.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_regiis.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_regiis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Lumma
(PID) Process(484) aspnet_regiis.exe
C2 (9)callosallsaospz.shop
kaminiasbbefow.shop
indexterityszcoxp.shop
lariatedzugspd.shop
upknittsoappz.shop
shepherdlyopzc.shop
outpointsozp.shop
liernessfornicsa.shop
unseaffarignsk.shop
2284C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3108\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWaveWindows.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4912"C:\Users\admin\Desktop\WaveWindows.exe" C:\Users\admin\Desktop\WaveWindows.exe
explorer.exe
User:
admin
Company:
Tommy Share Inc.
Integrity Level:
MEDIUM
Description:
Tommy Share Library
Exit code:
0
Version:
1.2.0.8
Modules
Images
c:\users\admin\desktop\wavewindows.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6440C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 507
Read events
7 507
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4912WaveWindows.exeC:\Users\admin\AppData\Roaming\d3d9.dllexecutable
MD5:B82390BEAF0A9A1C15BCD18E9C6421B6
SHA256:B1BE4815803DF50CBDD95896A8853A8D41020481C28D929839EEBA7B2EB5404D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
30
DNS requests
7
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
null:443
https://unseaffarignsk.shop/api
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
POST
200
null:443
https://shepherdlyopzc.shop/api
unknown
text
2 b
POST
200
null:443
https://shepherdlyopzc.shop/api
unknown
text
16.5 Kb
POST
200
null:443
https://shepherdlyopzc.shop/api
unknown
text
16 b
POST
200
null:443
https://kaminiasbbefow.shop/api
unknown
text
17 b
POST
200
null:443
https://shepherdlyopzc.shop/api
unknown
text
16 b
6012
MoUsoCoreWorker.exe
POST
200
20.189.173.18:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
POST
200
null:443
https://shepherdlyopzc.shop/api
unknown
text
16 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4236
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
132
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
131.253.33.254:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
996
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.6:443
Akamai International B.V.
DE
unknown
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
484
aspnet_regiis.exe
188.114.97.3:443
kaminiasbbefow.shop
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
kaminiasbbefow.shop
  • 188.114.97.3
  • 188.114.96.3
malicious
unseaffarignsk.shop
  • 188.114.96.3
  • 188.114.97.3
malicious
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
shepherdlyopzc.shop
  • 104.21.67.116
  • 172.67.221.214
malicious
self.events.data.microsoft.com
  • 20.189.173.18
whitelisted

Threats

PID
Process
Class
Message
484
aspnet_regiis.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
2284
svchost.exe
A Network Trojan was detected
ET MALWARE Lumma Stealer Domain in DNS Lookup (unseaffarignsk .shop)
484
aspnet_regiis.exe
A Network Trojan was detected
ET MALWARE Lumma Stealer Domain in TLS SNI (unseaffarignsk .shop)
484
aspnet_regiis.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
2284
svchost.exe
A Network Trojan was detected
ET MALWARE Lumma Stealer Domain in DNS Lookup (shepherdlyopzc .shop)
484
aspnet_regiis.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WaveWindows.exe