Malware analysis f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe Malicious activity

Add for printing

File name:	f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe
Full analysis:	https://app.any.run/tasks/e4011c2c-190f-46b1-bc7f-d01a1580078c
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 13, 2024, 06:26:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer netsupport unwanted remote
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:	C059C2E1A13BA50F4C8D9DFFEA0F4E57
SHA1:	A647BDCEB38FA2D9DBF47F53DF35974AC85DB693
SHA256:	F5909740B346D19F04EDE46A33AE9F5E620A83D89E70CD9C15238B5D2934BFE9
SSDEEP:	98304:qO/w7rjK892tB2UNqzJGjUaOhAWDyTQslu8I9C5E7pN9XOCw2lZ+2DGEgKSZztiX:tN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA has been detected (SURICATA)
  - BitLockerToGo.exe (PID: 5620)
- Drops the executable file immediately after the start
  - f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe (PID: 2480)
  - powershell.exe (PID: 4500)
- Changes powershell execution policy (Bypass)
  - BitLockerToGo.exe (PID: 5620)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 4500)
- Actions looks like stealing of personal data
  - BitLockerToGo.exe (PID: 5620)
- NETSUPPORT has been detected (SURICATA)
  - client32.exe (PID: 6284)
- Connects to the CnC server
  - client32.exe (PID: 6284)
- Starts CMD.EXE for self-deleting
  - BitLockerToGo.exe (PID: 5620)
SUSPICIOUS
- Searches for installed software
  - BitLockerToGo.exe (PID: 5620)
- Starts POWERSHELL.EXE for commands execution
  - BitLockerToGo.exe (PID: 5620)
- The process executes Powershell scripts
  - BitLockerToGo.exe (PID: 5620)
- Process requests binary or script from the Internet
  - BitLockerToGo.exe (PID: 5620)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 4500)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4500)
- Process drops legitimate windows executable
  - powershell.exe (PID: 4500)
- Gets file extension (POWERSHELL)
  - powershell.exe (PID: 4500)
- The process drops C-runtime libraries
  - powershell.exe (PID: 4500)
- Reads security settings of Internet Explorer
  - client32.exe (PID: 6284)
- Potential Corporate Privacy Violation
  - client32.exe (PID: 6284)
- Contacting a server suspected of hosting an CnC
  - client32.exe (PID: 6284)
- Connects to the server without a host name
  - client32.exe (PID: 6284)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 4072)
- Starts CMD.EXE for commands execution
  - BitLockerToGo.exe (PID: 5620)
INFO
- Checks supported languages
  - f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe (PID: 2480)
  - BitLockerToGo.exe (PID: 5620)
  - client32.exe (PID: 6284)
- Reads the computer name
  - BitLockerToGo.exe (PID: 5620)
  - client32.exe (PID: 6284)
- Create files in a temporary directory
  - BitLockerToGo.exe (PID: 5620)
- Reads the software policy settings
  - BitLockerToGo.exe (PID: 5620)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 4500)
  - powershell.exe (PID: 4500)
- Drop NetSupport executable file
  - powershell.exe (PID: 4500)
- Reads Environment values
  - client32.exe (PID: 6284)
- The executable file from the user directory is run by the Powershell process
  - client32.exe (PID: 6284)
- Checks proxy server information
  - client32.exe (PID: 6284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.36
CodeSize:	6269952
InitializedDataSize:	17973760
UninitializedDataSize:	634368
EntryPoint:	0x14c0
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	0.13.2.0
ProductVersionNumber:	0.13.2.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	undergroundwires
FileDescription:	Enforce privacy & security best-practices on Windows, macOS and Linux, because privacy is sexy.
FileVersion:	0.13.2
LegalCopyright:	Copyright © 2024 undergroundwires
ProductName:	privacy.sexy
ProductVersion:	0.13.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2480

"C:\Users\admin\AppData\Local\Temp\f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe"

C:\Users\admin\AppData\Local\Temp\f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe

—

explorer.exe

User:

admin

Company:

undergroundwires

Integrity Level:

MEDIUM

Description:

Enforce privacy & security best-practices on Windows, macOS and Linux, because privacy is sexy.

Exit code:

666

Version:

0.13.2

Modules

Images
c:\users\admin\appdata\local\temp\f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll

4072

cmd.exe "start /min cmd.exe "/c timeout /t 3 /nobreak & del "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"""

C:\Windows\SysWOW64\cmd.exe

—

BitLockerToGo.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4500

powershell -exec bypass C:\Users\admin\AppData\Local\Temp\6KVAUPGV0NIX6FVCGRCL.ps1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

BitLockerToGo.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4720

timeout /t 3 /nobreak

C:\Windows\SysWOW64\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

timeout - pauses command processing

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

5428

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5620

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

BitLocker To Go Reader

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

5920

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6284

"C:\Users\admin\AppData\Roaming\WinDefeUI\client32.exe"

C:\Users\admin\AppData\Roaming\WinDefeUI\client32.exe

powershell.exe

User:

admin

Company:

NetSupport Ltd

Integrity Level:

MEDIUM

Description:

NetSupport Client Application

Version:

V11.10

Modules

Images
c:\users\admin\appdata\roaming\windefeui\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\windefeui\pcicl32.dll

6464

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft OneDriveFile Co-Authoring Executable

Exit code:

Version:

19.043.0304.0013

Modules

Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

Add for printing

Total events

15 652

Read events

15 386

Write events

266

Delete events

Modification events


(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-462
Value: Afghanistan Standard Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-461
Value: Afghanistan Daylight Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-222
Value: Alaskan Standard Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-221
Value: Alaskan Daylight Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-2392
Value: Aleutian Standard Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-2391
Value: Aleutian Daylight Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-2162
Value: Altai Standard Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-2161
Value: Altai Daylight Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-392
Value: Arab Standard Time
(PID) Process:	(2480) f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	C:\WINDOWS\system32\,@tzres.dll,-391
Value: Arab Daylight Time

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2480	f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	C:\Users\Public\Libraries\jjpac.scif		—
		MD5:—	SHA256:—
2480	f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe	C:\Users\Public\Libraries\nmkcp.scif		—
		MD5:—	SHA256:—
4500	powershell.exe	C:\Users\admin\AppData\Roaming\WinDefeUI\HTCTL32.DLL		executable
		MD5:2D3B207C8A48148296156E5725426C7F	SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
4500	powershell.exe	C:\Users\admin\AppData\Roaming\WinDefeUI\d3dx10_38.dll		executable
		MD5:A2650B27472C21CDD817EEEDE65648E1	SHA256:BF463B7EE2235F351309B5FD790F514ACF2B55A4A1F90222F7479024CC28FC34
4500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0bpjusap.vsb.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4500	powershell.exe	C:\Users\admin\AppData\Roaming\WinDefeUI\client32.ini		text
		MD5:620B015C1DFB298BEA7C762599F88555	SHA256:2F43CFB3B2394F37B75ADA139ABA93100B7FBBF6A2C56F3C2725322E93275A15
4500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c540ufi5.4st.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4500	powershell.exe	C:\Users\admin\AppData\Roaming\WinDefeUI\devobj.dll		executable
		MD5:FCAE663A46439EF6CF4A21E3B6BBE260	SHA256:8E0BEDE11043DB849F966421B24D4F099A5FA470169AF97A2D59BDA41ED35DA8
4500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cazcqq5u.hs3.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wr0iv5sg.n4w.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5228	svchost.exe	GET	200	92.123.77.26:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5940	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
1944	SIHClient.exe	GET	200	184.29.17.216:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
1944	SIHClient.exe	GET	200	184.29.17.216:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
4960	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
6284	client32.exe	GET	404	104.26.0.231:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	unknown
6284	client32.exe	GET	404	104.26.0.231:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	unknown
6284	client32.exe	GET	404	104.26.0.231:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	unknown
6284	client32.exe	POST	200	77.238.240.61:443	http://77.238.240.61/fakeurl.htm	unknown	—	—	unknown
2908	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
528	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5228	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5228	svchost.exe	92.123.77.26:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5228	svchost.exe	184.29.17.216:80	www.microsoft.com	AKAMAI-AS	TH	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5140	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	92.123.77.26 2.19.194.200	whitelisted
www.microsoft.com	184.29.17.216	whitelisted
www.bing.com	104.110.240.113 104.110.240.131 104.110.240.112 104.110.240.91 104.110.240.155	whitelisted
r.bing.com	104.110.240.91 104.110.240.113 104.110.240.131 104.110.240.155 104.110.240.112	whitelisted
login.live.com	40.126.32.134 40.126.32.68 20.190.160.14 40.126.32.133 20.190.160.22 40.126.32.76 20.190.160.20 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	184.29.45.142	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted

Threats

PID	Process	Class	Message
5620	BitLockerToGo.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
5620	BitLockerToGo.exe	Potentially Bad Traffic	ET INFO PS1 Powershell File Request
6284	client32.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6284	client32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6284	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6284	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Response
6284	client32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6284	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6284	client32.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6284	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Response

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

f5909740b346d19f04ede46a33ae9f5e620a83d89e70cd9c15238b5d2934bfe9.exe

C059C2E1A13BA50F4C8D9DFFEA0F4E57

A647BDCEB38FA2D9DBF47F53DF35974AC85DB693

F5909740B346D19F04EDE46A33AE9F5E620A83D89E70CD9C15238B5D2934BFE9

98304:qO/w7rjK892tB2UNqzJGjUaOhAWDyTQslu8I9C5E7pN9XOCw2lZ+2DGEgKSZztiX:tN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Drops the executable file immediately after the start

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Actions looks like stealing of personal data

NETSUPPORT has been detected (SURICATA)

Connects to the CnC server

Starts CMD.EXE for self-deleting

SUSPICIOUS

Searches for installed software

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Process requests binary or script from the Internet

Gets or sets the security protocol (POWERSHELL)

Executable content was dropped or overwritten

Process drops legitimate windows executable

Gets file extension (POWERSHELL)

The process drops C-runtime libraries

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Uses TIMEOUT.EXE to delay execution

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Checks whether the specified file exists (POWERSHELL)

Drop NetSupport executable file

Reads Environment values

The executable file from the user directory is run by the Powershell process

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests