File name:

DogusignReader1.26g.msi

Full analysis: https://app.any.run/tasks/4bf36241-2e39-4e28-85cf-730aa73a87db
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: January 10, 2025, 18:08:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
lumma
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Palsgravine, Author: Chaplainry Strudel, Keywords: Installer, Comments: This installer database contains the logic and data required to install Palsgravine., Template: Intel;1033, Revision Number: {823F9B91-5B1C-4363-89EB-5E534851E2CD}, Create Time/Date: Fri Jan 10 04:07:28 2025, Last Saved Time/Date: Fri Jan 10 04:07:28 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
MD5:

35F774E65E57F419FFF8D8F74945EA51

SHA1:

C3E1D2D50A9BBCA445576E0D71C6984CC1DC60BB

SHA256:

D00A3E22E53210ACBD5C3E39B85332E3D47C8EC001D2BBF7A13ABB07427BBBA2

SSDEEP:

98304:u6Q1TY/CdEG26wjPcEU9Z3eWXCiifD9sjT9abLW1WwqsZydr4oor437Ae5AKqSK3:UK/+bHYenoRPGg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA mutex has been found

      • explorer.exe (PID: 3988)
    • Connects to the CnC server

      • explorer.exe (PID: 3836)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 1544)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3092)
    • Executable content was dropped or overwritten

      • RttHlp.exe (PID: 5036)
      • RttHlp.exe (PID: 5472)
    • Starts itself from another location

      • RttHlp.exe (PID: 5472)
      • RttHlp.exe (PID: 5036)
    • Connects to unusual port

      • explorer.exe (PID: 3836)
    • Starts CMD.EXE for commands execution

      • RttHlp.exe (PID: 5036)
      • RttHlp.exe (PID: 3172)
    • Connects to the server without a host name

      • explorer.exe (PID: 3836)
  • INFO

    • Manages system restore points

      • SrTasks.exe (PID: 776)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3092)
    • The sample compiled with english language support

      • RttHlp.exe (PID: 5472)
      • msiexec.exe (PID: 556)
      • RttHlp.exe (PID: 5036)
      • msiexec.exe (PID: 3092)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3092)
    • Reads the computer name

      • RttHlp.exe (PID: 5472)
      • msiexec.exe (PID: 3092)
      • RttHlp.exe (PID: 3172)
    • Checks supported languages

      • RttHlp.exe (PID: 5036)
      • msiexec.exe (PID: 3092)
      • RttHlp.exe (PID: 3172)
    • Reads the software policy settings

      • explorer.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Palsgravine
Author: Chaplainry Strudel
Keywords: Installer
Comments: This installer database contains the logic and data required to install Palsgravine.
Template: Intel;1033
RevisionNumber: {823F9B91-5B1C-4363-89EB-5E534851E2CD}
CreateDate: 2025:01:10 04:07:28
ModifyDate: 2025:01:10 04:07:28
Pages: 500
Words: 10
Software: WiX Toolset (4.0.0.0)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
14
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs rtthlp.exe rtthlp.exe rtthlp.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #LUMMA explorer.exe explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
556"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\DogusignReader1.26g.msiC:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3092C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1544C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
776C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4540\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5472"C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe"C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe
msiexec.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
0
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\local\yarrow\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
5036C:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exeC:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
RttHlp.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
1
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\configremote_pz4\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
3172C:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exeC:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exeRttHlp.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
1
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\configremote_pz4\yegpxjghgkzzaqphdpp\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
2744C:\WINDOWS\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exeRttHlp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
536\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 377
Read events
6 112
Write events
247
Delete events
18

Modification events

(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000428DFA9F8A63DB01140C000074130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000428DFA9F8A63DB01140C000074130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000008A1DB2A08A63DB01140C000074130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000008A1DB2A08A63DB01140C000074130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000044E5B6A08A63DB01140C000074130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
48000000000000002C48B9A08A63DB01140C000074130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
48000000000000005D6729A18A63DB01140C000074130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3092) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000024B82BA18A63DB01140C0000A8080000E80300000100000000000000000000003D41435EC885BB408E77AFC355C3748D00000000000000000000000000000000
(PID) Process:(1544) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000964735A18A63DB010806000034080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
9
Suspicious files
27
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3092msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3092msiexec.exeC:\Windows\Installer\13ba5a.msi
MD5:
SHA256:
3092msiexec.exeC:\Users\admin\AppData\Local\Yarrow\burro.ini
MD5:
SHA256:
3092msiexec.exeC:\Windows\Installer\13ba5c.msi
MD5:
SHA256:
3092msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{5e43413d-85c8-40bb-8e77-afc355c3748d}_OnDiskSnapshotPropbinary
MD5:B721F80AB6888D5F528B8A6C73FFF13B
SHA256:ECC8F3EBE3E9BA5015B2D517F70CC49FD2EAA86293FE046CC363516D068B49A6
3092msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:B721F80AB6888D5F528B8A6C73FFF13B
SHA256:ECC8F3EBE3E9BA5015B2D517F70CC49FD2EAA86293FE046CC363516D068B49A6
3092msiexec.exeC:\Windows\Temp\~DFB93F1AAAC95920B6.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3092msiexec.exeC:\Windows\Temp\~DF9411CF727B624A94.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3092msiexec.exeC:\Windows\Installer\MSIBC5E.tmpbinary
MD5:D07D49E0FBD449F15FC2FEAF032B5C39
SHA256:1702E5734A8382D9141B0D710E3D70060614C85F5399EF279BEDA9AC2D4DC7E1
3092msiexec.exeC:\Windows\Temp\~DF54223BD03E616474.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
29
DNS requests
8
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4128
svchost.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4128
svchost.exe
GET
200
23.48.23.158:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3836
explorer.exe
POST
200
46.8.232.106:80
http://46.8.232.106/
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.158:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
104.21.16.1:443
https://relaxanimanjk.rent/api
unknown
text
17 b
POST
200
104.21.48.1:443
https://relaxanimanjk.rent/api
unknown
text
18.3 Kb
POST
200
104.21.96.1:443
https://relaxanimanjk.rent/api
unknown
text
17 b
POST
200
104.21.32.1:443
https://relaxanimanjk.rent/api
unknown
text
17 b
POST
200
104.21.80.1:443
https://relaxanimanjk.rent/api
unknown
text
17 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.16.204.152:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4128
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4128
svchost.exe
23.48.23.158:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.158:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4128
svchost.exe
23.37.237.227:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.37.237.227:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.16.204.152
  • 2.16.204.148
  • 2.16.204.156
  • 2.16.204.157
  • 2.16.204.142
  • 2.16.204.143
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.156
  • 23.48.23.150
  • 23.48.23.146
  • 23.48.23.161
  • 23.48.23.167
  • 23.48.23.162
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 23.37.237.227
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
relaxanimanjk.rent
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.96.1
  • 104.21.48.1
unknown
self.events.data.microsoft.com
  • 20.189.173.23
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
4 ETPRO signatures available at the full report
No debug info