File name: | DogusignReader1.26g.msi |
Full analysis: | https://app.any.run/tasks/4bf36241-2e39-4e28-85cf-730aa73a87db |
Verdict: | Malicious activity |
Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
Analysis date: | January 10, 2025, 18:08:04 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Palsgravine, Author: Chaplainry Strudel, Keywords: Installer, Comments: This installer database contains the logic and data required to install Palsgravine., Template: Intel;1033, Revision Number: {823F9B91-5B1C-4363-89EB-5E534851E2CD}, Create Time/Date: Fri Jan 10 04:07:28 2025, Last Saved Time/Date: Fri Jan 10 04:07:28 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
MD5: | 35F774E65E57F419FFF8D8F74945EA51 |
SHA1: | C3E1D2D50A9BBCA445576E0D71C6984CC1DC60BB |
SHA256: | D00A3E22E53210ACBD5C3E39B85332E3D47C8EC001D2BBF7A13ABB07427BBBA2 |
SSDEEP: | 98304:u6Q1TY/CdEG26wjPcEU9Z3eWXCiifD9sjT9abLW1WwqsZydr4oor437Ae5AKqSK3:UK/+bHYenoRPGg |
.msi | | | Microsoft Installer (100) |
---|
CodePage: | Windows Latin 1 (Western European) |
---|---|
Title: | Installation Database |
Subject: | Palsgravine |
Author: | Chaplainry Strudel |
Keywords: | Installer |
Comments: | This installer database contains the logic and data required to install Palsgravine. |
Template: | Intel;1033 |
RevisionNumber: | {823F9B91-5B1C-4363-89EB-5E534851E2CD} |
CreateDate: | 2025:01:10 04:07:28 |
ModifyDate: | 2025:01:10 04:07:28 |
Pages: | 500 |
Words: | 10 |
Software: | WiX Toolset (4.0.0.0) |
Security: | Read-only recommended |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
556 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\DogusignReader1.26g.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3092 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1544 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
776 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5472 | "C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe" | C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe | msiexec.exe | ||||||||||||
User: admin Company: IObit Integrity Level: MEDIUM Description: IObit RttHlp Exit code: 0 Version: 11.0.0.0 Modules
| |||||||||||||||
5036 | C:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe | C:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe | RttHlp.exe | ||||||||||||
User: admin Company: IObit Integrity Level: MEDIUM Description: IObit RttHlp Exit code: 1 Version: 11.0.0.0 Modules
| |||||||||||||||
3172 | C:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exe | C:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exe | — | RttHlp.exe | |||||||||||
User: admin Company: IObit Integrity Level: MEDIUM Description: IObit RttHlp Exit code: 1 Version: 11.0.0.0 Modules
| |||||||||||||||
2744 | C:\WINDOWS\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | — | RttHlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
536 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000428DFA9F8A63DB01140C000074130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000428DFA9F8A63DB01140C000074130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 48000000000000008A1DB2A08A63DB01140C000074130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 48000000000000008A1DB2A08A63DB01140C000074130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000044E5B6A08A63DB01140C000074130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppCreate (Enter) |
Value: 48000000000000002C48B9A08A63DB01140C000074130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
Operation: | write | Name: | LastIndex |
Value: 11 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 48000000000000005D6729A18A63DB01140C000074130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3092) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 480000000000000024B82BA18A63DB01140C0000A8080000E80300000100000000000000000000003D41435EC885BB408E77AFC355C3748D00000000000000000000000000000000 | |||
(PID) Process: | (1544) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000964735A18A63DB010806000034080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3092 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
3092 | msiexec.exe | C:\Windows\Installer\13ba5a.msi | — | |
MD5:— | SHA256:— | |||
3092 | msiexec.exe | C:\Users\admin\AppData\Local\Yarrow\burro.ini | — | |
MD5:— | SHA256:— | |||
3092 | msiexec.exe | C:\Windows\Installer\13ba5c.msi | — | |
MD5:— | SHA256:— | |||
3092 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5e43413d-85c8-40bb-8e77-afc355c3748d}_OnDiskSnapshotProp | binary | |
MD5:B721F80AB6888D5F528B8A6C73FFF13B | SHA256:ECC8F3EBE3E9BA5015B2D517F70CC49FD2EAA86293FE046CC363516D068B49A6 | |||
3092 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:B721F80AB6888D5F528B8A6C73FFF13B | SHA256:ECC8F3EBE3E9BA5015B2D517F70CC49FD2EAA86293FE046CC363516D068B49A6 | |||
3092 | msiexec.exe | C:\Windows\Temp\~DFB93F1AAAC95920B6.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
3092 | msiexec.exe | C:\Windows\Temp\~DF9411CF727B624A94.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
3092 | msiexec.exe | C:\Windows\Installer\MSIBC5E.tmp | binary | |
MD5:D07D49E0FBD449F15FC2FEAF032B5C39 | SHA256:1702E5734A8382D9141B0D710E3D70060614C85F5399EF279BEDA9AC2D4DC7E1 | |||
3092 | msiexec.exe | C:\Windows\Temp\~DF54223BD03E616474.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4128 | svchost.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4128 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3836 | explorer.exe | POST | 200 | 46.8.232.106:80 | http://46.8.232.106/ | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 104.21.16.1:443 | https://relaxanimanjk.rent/api | unknown | text | 17 b | — |
— | — | POST | 200 | 104.21.48.1:443 | https://relaxanimanjk.rent/api | unknown | text | 18.3 Kb | — |
— | — | POST | 200 | 104.21.96.1:443 | https://relaxanimanjk.rent/api | unknown | text | 17 b | — |
— | — | POST | 200 | 104.21.32.1:443 | https://relaxanimanjk.rent/api | unknown | text | 17 b | — |
— | — | POST | 200 | 104.21.80.1:443 | https://relaxanimanjk.rent/api | unknown | text | 17 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4128 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4128 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4128 | svchost.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
relaxanimanjk.rent |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |