Analysis

  • max time kernel
    46s
  • max time network
    19s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25-05-2024 09:29

General

  • Target

    MeltLaunchеr.exe

  • Size

    350KB

  • MD5

    b109aa9603e00150bc63d52e7a57d375

  • SHA1

    7aeca5f397c98242f6726f0e7a79127daf7f0d58

  • SHA256

    8158a96438c4c741bae0453392f1c93bc14cf4138222c3c57a30e15f36c32bc6

  • SHA512

    f83c8452d514025a415646fafde373fa4a138b7d12c91d94181e5462ba365a6b6d2325bd3c1280c04b3b705ccda46731f4c1457af2e09ca0ceb4a9648ff60486

  • SSDEEP

    6144:8bvqT/2F/shsIL2Ts4+q9GdpUkb6o8Rv226RQpvtBLasR:ey6dshsILas4+q9GdpUkwv7QKnas

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://sessionannoucemenwj.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe
    "C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:312
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:304
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.0.1580583499\1743589867" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {213b5b78-0f79-4574-9c45-104525e423ee} 304 "\\.\pipe\gecko-crash-server-pipe.304" 1796 1c1627e5858 gpu
          3⤵
            PID:3892
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.1.540369921\774799470" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5d83b3-f540-47bf-92f1-9801618d8953} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2152 1c1626fa858 socket
            3⤵
              PID:1348
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.2.647060881\102250527" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9273ecbb-ae29-4760-8f30-8adb5a52bd0b} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2748 1c166ab7458 tab
              3⤵
                PID:2388
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.3.1696341633\1012454464" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d57b8b-421a-491a-aee6-2aa8c97ada93} 304 "\\.\pipe\gecko-crash-server-pipe.304" 3508 1c167787f58 tab
                3⤵
                  PID:2844
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.4.1798357933\460762681" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f96556e-349e-4c45-ad5c-bb5ec4f9195d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4232 1c1680c8b58 tab
                  3⤵
                    PID:4076
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.5.562859688\1589461109" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0257b6-a09e-4dee-95c8-cd18064f08c5} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4804 1c168e5a558 tab
                    3⤵
                      PID:2896
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.6.1850512441\28587580" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adf5aa6-b7d0-4ea9-877b-1bab02dac85c} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4820 1c168e5a858 tab
                      3⤵
                        PID:3348
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.7.1566404515\155744375" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0ce8ed-68a3-4319-8b3e-f2c5afb9763d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 5124 1c168e5b458 tab
                        3⤵
                          PID:2204

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      2KB

                      MD5

                      98aeb04c77b7f6cbc1c54e2551772922

                      SHA1

                      7565a71d4236e3c6c6342d83ca7de16db0c8d696

                      SHA256

                      c1e356dc0bdb78f217cd3d36654eab96821d56097f4c23b4f2bd1f9e0b30715e

                      SHA512

                      b629c720735bb30157f08a3690c35e2aad4912db4529009b94eec99bc210d2ee73488a39492891618d85d432c790a553710752c1df2698d3ebaa86cdb349416e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8d988898-95f2-40d1-97b6-6f081c2dec17

                      Filesize

                      746B

                      MD5

                      d42ba1e0a372ce4ca771a30046ad782b

                      SHA1

                      3b0e9707ad920e31fb9bff98467e30285f1d5593

                      SHA256

                      f6f9ff7a44c4827c5a57511735fa8a31481323803b874018c5ee17035a50d1eb

                      SHA512

                      8d9b95ae054dcd11ca7d68c38461c94a2966b650dd4dd8bf213834ed4424e33508c0a068b3b65ffae490b5fc1205841c5304b4ab15eaa53c7596dac225b96b3e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\cffdccea-7ac1-4ad3-9dfb-90f8f24594a7

                      Filesize

                      10KB

                      MD5

                      c5780d5cbfdd179abb55ce5ff7f439bb

                      SHA1

                      da71ada7dda5c30c7b0886ef7c4d5f102c3cf9cc

                      SHA256

                      fcd7eeef6bace169fe47e8c5b8fdf1030090ab11359345cb0214ac4d3e38517f

                      SHA512

                      0edac3f8156dc5abcd5359c4d0ad7f07d4fac790c06d19f652f408220ed8d5e159ce5c756ee2b46856ebffc5b0a9d7b833520aa7a1a478296596b4a1edb1ec3a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      54c817121b5a62d8a94e4ac8bf2747e3

                      SHA1

                      4373985b12ce6046b7326e97ebbefedcf67c0d88

                      SHA256

                      f4c5e2f2cd634a30040ca3ade2feaa30365a62f091d017c9eefc5d38a17a61d3

                      SHA512

                      7ceb4ceb6d75ea914876ce04f4226848af5b906bdd5bcfe574248908b5939cd8174b50dd044aaea4f3832e0c38570a8c79d474ed750ae0c3c4c68c2c78286489

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      1KB

                      MD5

                      964b6b0d15cbd82817aaf6b542b7ee7f

                      SHA1

                      b45541c8fe202cdfa45ce9360711c043d3d46937

                      SHA256

                      930424c95933b2b89a5b0734c136aff5893aace10eec62cbe862feb9879fb13d

                      SHA512

                      a1f0fb367aa4ff1dc1830ac7d9794c0175f5b9c6b72cab2c01a07bd2fc5eab20ae003cbd422a957a6bdea5e595a118fcd938b82b5ee439f71ed7db9104556211

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                      Filesize

                      184KB

                      MD5

                      3018d1aad8385b734068dbad441e344e

                      SHA1

                      2a3925bc92ec843db64b6db2cd6fe18ccf084a86

                      SHA256

                      f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88

                      SHA512

                      7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0

                    • memory/312-8-0x0000000000400000-0x000000000044A000-memory.dmp

                      Filesize

                      296KB

                    • memory/312-10-0x0000000001070000-0x0000000001071000-memory.dmp

                      Filesize

                      4KB

                    • memory/312-11-0x0000000000400000-0x000000000044A000-memory.dmp

                      Filesize

                      296KB

                    • memory/312-4-0x0000000000400000-0x000000000044A000-memory.dmp

                      Filesize

                      296KB

                    • memory/4948-9-0x0000000072FC0000-0x00000000736AE000-memory.dmp

                      Filesize

                      6.9MB

                    • memory/4948-0-0x0000000072FCE000-0x0000000072FCF000-memory.dmp

                      Filesize

                      4KB

                    • memory/4948-98-0x0000000072FC0000-0x00000000736AE000-memory.dmp

                      Filesize

                      6.9MB

                    • memory/4948-1-0x0000000000D30000-0x0000000000D8E000-memory.dmp

                      Filesize

                      376KB