Malware analysis !!!Se-tUp_2277_Pa$Word!#!.zip Malicious activity

Add for printing

File name:	!!!Se-tUp_2277_Pa$Word!#!.zip
Full analysis:	https://app.any.run/tasks/ec0006fa-738c-4794-8c15-083c00ca16b6
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 01, 2024, 14:59:40
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lumma amadey botnet
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	E7D61B47941EB1F258FCAC9B7BC34D5B
SHA1:	6292DD0234B136531B186E1502F48010F930BCC8
SHA256:	D8C7BA1DF28EA38DB7FB7DF99FB028D090DEE27C750F017CA75F8E5BF4D83D73
SSDEEP:	98304:Px8gAghX50j4hbhcPC7UxXBUrNQbmOODVqGhTaiq/oyXaT6f/1NQywlCosuIqaMh:RGaLeVSN6EOMx7rB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2172)
- Stealers network behavior
  - svchost.exe (PID: 2172)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6212)
- Changes powershell execution policy (Bypass)
  - OpenWith.exe (PID: 6860)
- AMADEY has been detected (SURICATA)
  - explorer.exe (PID: 6476)
- Connects to the CnC server
  - explorer.exe (PID: 6476)
SUSPICIOUS
- Starts application with an unusual extension
  - Setup.exe (PID: 5064)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 5064)
  - OpenWith.exe (PID: 6860)
  - AutoIt3.exe (PID: 6936)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2172)
  - explorer.exe (PID: 6476)
- The process executes Powershell scripts
  - OpenWith.exe (PID: 6860)
- Node.exe was dropped
  - OpenWith.exe (PID: 6860)
- Starts POWERSHELL.EXE for commands execution
  - OpenWith.exe (PID: 6860)
- Connects to unusual port
  - MicrosoftEdgeUpdateCore.exe (PID: 7056)
INFO
- Manual execution by a user
  - WinRAR.exe (PID: 6100)
  - Setup.exe (PID: 5064)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6100)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:10:31 19:38:24
ZipCRC:	0x663361a6
ZipCompressedSize:	81265
ZipUncompressedSize:	225792
ZipFileName:	vclx120.bpl

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

512

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1084

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1500

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2172

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2380

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3580

C:\WINDOWS\SysWOW64\comp.exe

C:\Windows\SysWOW64\comp.exe

—

8Y82FKAG2RYGSX6OFYYIHG3XU6P3.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

File Compare Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\comp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll

3944

C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\icacls.exe

—

nc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4316

C:\WINDOWS\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

More Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

5064

"C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\Setup.exe"

C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\Setup.exe

explorer.exe

User:

admin

Company:

iTop Inc.

Integrity Level:

MEDIUM

Description:

iTop Data Recovery

Exit code:

Version:

4.4.0.687

Modules

Images
c:\users\admin\desktop\!!!se-tup_2277_pa$word!#!\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

Add for printing

Total events

11 436

Read events

11 405

Write events

Delete events

Modification events


(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_0
Value: 4C000000730100000402000000000000F0F0F00000000000000000000000000000000000000000002202070000000000000000003B000000B402000000000000000000000000000001000000
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_1
Value: 4C000000730100000500000000000000F0F0F0000000000000000000000000000000000000000000DE0204000000000000000000180000002A00000000000000000000000000000002000000
(PID) Process:	(512) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_2
Value: 4C000000730100000400000000000000F0F0F00000000000000000000000000000000000000000001A0213000000000000000000180000006400000000000000000000000000000003000000
(PID) Process:	(6100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(6100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:
(PID) Process:	(6100) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	13
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\vclx120.bpl		executable
		MD5:7DAA2B7FE529B45101A399B5EBF0A416	SHA256:2BDF023C439010CE0A786EC75D943A80A8F01363712BBF69AFC29D3E2B5306ED
5064	Setup.exe	C:\Users\admin\AppData\Roaming\XSGATY\madbasic_.bpl		executable
		MD5:DC6655A38FFDC3C349F13828FC8EC36E	SHA256:16126FF5DAA3787A159CF4A39AA040B8050EBB66AB90DBB97C503110EF72824A
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\vcl120.bpl		bpl
		MD5:849070EBD34CBAEDC525599D6C3F8914	SHA256:B6F321A48812DC922B26953020C9A60949EC429A921033CFAF1E9F7D088EE628
5064	Setup.exe	C:\Users\admin\AppData\Roaming\XSGATY\datastate.dll		executable
		MD5:28F0CCF746F952F94FF434CA989B7814	SHA256:6010E2147A0F51A7BFA2F942A5A9EAAD9A294F463F717963B486ED3F53D305C2
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\datastate.dll		executable
		MD5:28F0CCF746F952F94FF434CA989B7814	SHA256:6010E2147A0F51A7BFA2F942A5A9EAAD9A294F463F717963B486ED3F53D305C2
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\maddisAsm_.bpl		executable
		MD5:84BC072F8EA30746F0982AFBDA3C638F	SHA256:52019F47F96CA868FA4E747C3B99CBA1B7AA57317BF8EBF9FCBF09AA576FE006
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\eyrfaq		binary
		MD5:67DF44A4CF87BE949ACABC7AC4E37427	SHA256:D8D0979CD453E1BAB91718E5E042A2070FC8C6279656C9DC09D1BDF073D62351
4316	more.com	C:\Users\admin\AppData\Local\Temp\ckk		—
		MD5:—	SHA256:—
5064	Setup.exe	C:\Users\admin\AppData\Roaming\XSGATY\madexcept_.bpl		executable
		MD5:477BA64B9C3F9892300275019F519F0D	SHA256:86972449429694F3D9C0970E2B55E7BF696056AFF70F7FC7981E620453737546
6100	WinRAR.exe	C:\Users\admin\Desktop\!!!Se-tUp_2277_Pa$Word!#!\madbasic_.bpl		executable
		MD5:DC6655A38FFDC3C349F13828FC8EC36E	SHA256:16126FF5DAA3787A159CF4A39AA040B8050EBB66AB90DBB97C503110EF72824A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5824	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5012	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5012	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4516	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6860	OpenWith.exe	GET	200	142.250.185.227:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
6476	explorer.exe	POST	200	172.67.213.173:80	http://moviecentral-petparade.com/g9jvjfd73/index.php	unknown	—	—	malicious
6476	explorer.exe	POST	200	172.67.213.173:80	http://moviecentral-petparade.com/g9jvjfd73/index.php	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1252	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.23.209.189:443	th.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6944	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
4360	SearchApp.exe	2.23.209.135:443	—	Akamai International B.V.	GB	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
login.live.com	20.190.159.2 40.126.31.69 20.190.159.64 20.190.159.23 40.126.31.73 40.126.31.67 20.190.159.68 20.190.159.0 20.190.159.73 20.190.159.71 20.190.159.4 40.126.31.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	2.23.209.189 2.23.209.182 2.23.209.130 2.23.209.177 2.23.209.187 2.23.209.133 2.23.209.185 2.23.209.179 2.23.209.193	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (creative-habitat .shop)
2172	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6860	OpenWith.exe	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (creative-habitat .shop)
6476	explorer.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6476	explorer.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

7 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

!!!Se-tUp_2277_Pa$Word!#!.zip

E7D61B47941EB1F258FCAC9B7BC34D5B

6292DD0234B136531B186E1502F48010F930BCC8

D8C7BA1DF28EA38DB7FB7DF99FB028D090DEE27C750F017CA75F8E5BF4D83D73

98304:Px8gAghX50j4hbhcPC7UxXBUrNQbmOODVqGhTaiq/oyXaT6f/1NQywlCosuIqaMh:RGaLeVSN6EOMx7rB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Stealers network behavior

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

AMADEY has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Starts application with an unusual extension

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

The process executes Powershell scripts

Node.exe was dropped

Starts POWERSHELL.EXE for commands execution

Connects to unusual port

INFO

Manual execution by a user

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings