Analysis
max time kernel: 46s
max time network: 19s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-05-2024 09:29
Static task: static1
General
Target: MeltLaunchеr.exe
Size: 350KB
MD5: b109aa9603e00150bc63d52e7a57d375
SHA1: 7aeca5f397c98242f6726f0e7a79127daf7f0d58
SHA256: 8158a96438c4c741bae0453392f1c93bc14cf4138222c3c57a30e15f36c32bc6
SHA512: f83c8452d514025a415646fafde373fa4a138b7d12c91d94181e5462ba365a6b6d2325bd3c1280c04b3b705ccda46731f4c1457af2e09ca0ceb4a9648ff60486
SSDEEP: 6144:8bvqT/2F/shsIL2Ts4+q9GdpUkb6o8Rv226RQpvtBLasR:ey6dshsILas4+q9GdpUkwv7QKnas
Malware Config
Extracted
Family: lumma
https://sessionannoucemenwj.shop/api
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process           target process
  PID 4948 set thread context of 312  4948  MeltLaunchеr.exe  RegAsm.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                               process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings  firefox.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  304  firefox.exe
  Token: SeDebugPrivilege  304  firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid  process
  304  firefox.exe
  304  firefox.exe
  304  firefox.exe
  304  firefox.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid  process
  304  firefox.exe
  304  firefox.exe
  304  firefox.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid  process
  304  firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical entries collapsed; "occurrences" is how many times the row appears):
  description                      pid   process           target process  occurrences
  PID 4948 wrote to memory of 312  4948  MeltLaunchеr.exe  RegAsm.exe      9
  PID 4064 wrote to memory of 304  4064  firefox.exe       firefox.exe     11
  PID 304 wrote to memory of 3892  304   firefox.exe       firefox.exe     2
  PID 304 wrote to memory of 1348  304   firefox.exe       firefox.exe     42
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe (PID 4948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 312)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe (PID 4064)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe (PID 304)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3892)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.0.1580583499\1743589867" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {213b5b78-0f79-4574-9c45-104525e423ee} 304 "\\.\pipe\gecko-crash-server-pipe.304" 1796 1c1627e5858 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1348)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.1.540369921\774799470" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5d83b3-f540-47bf-92f1-9801618d8953} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2152 1c1626fa858 socket
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2388)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.2.647060881\102250527" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9273ecbb-ae29-4760-8f30-8adb5a52bd0b} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2748 1c166ab7458 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2844)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.3.1696341633\1012454464" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d57b8b-421a-491a-aee6-2aa8c97ada93} 304 "\\.\pipe\gecko-crash-server-pipe.304" 3508 1c167787f58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4076)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.4.1798357933\460762681" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f96556e-349e-4c45-ad5c-bb5ec4f9195d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4232 1c1680c8b58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2896)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.5.562859688\1589461109" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0257b6-a09e-4dee-95c8-cd18064f08c5} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4804 1c168e5a558 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3348)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.6.1850512441\28587580" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adf5aa6-b7d0-4ea9-877b-1bab02dac85c} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4820 1c168e5a858 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2204)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.7.1566404515\155744375" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0ce8ed-68a3-4319-8b3e-f2c5afb9763d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 5124 1c168e5b458 tab
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 98aeb04c77b7f6cbc1c54e2551772922
  SHA1: 7565a71d4236e3c6c6342d83ca7de16db0c8d696
  SHA256: c1e356dc0bdb78f217cd3d36654eab96821d56097f4c23b4f2bd1f9e0b30715e
  SHA512: b629c720735bb30157f08a3690c35e2aad4912db4529009b94eec99bc210d2ee73488a39492891618d85d432c790a553710752c1df2698d3ebaa86cdb349416e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8d988898-95f2-40d1-97b6-6f081c2dec17
  Filesize: 746B
  MD5: d42ba1e0a372ce4ca771a30046ad782b
  SHA1: 3b0e9707ad920e31fb9bff98467e30285f1d5593
  SHA256: f6f9ff7a44c4827c5a57511735fa8a31481323803b874018c5ee17035a50d1eb
  SHA512: 8d9b95ae054dcd11ca7d68c38461c94a2966b650dd4dd8bf213834ed4424e33508c0a068b3b65ffae490b5fc1205841c5304b4ab15eaa53c7596dac225b96b3e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\cffdccea-7ac1-4ad3-9dfb-90f8f24594a7
  Filesize: 10KB
  MD5: c5780d5cbfdd179abb55ce5ff7f439bb
  SHA1: da71ada7dda5c30c7b0886ef7c4d5f102c3cf9cc
  SHA256: fcd7eeef6bace169fe47e8c5b8fdf1030090ab11359345cb0214ac4d3e38517f
  SHA512: 0edac3f8156dc5abcd5359c4d0ad7f07d4fac790c06d19f652f408220ed8d5e159ce5c756ee2b46856ebffc5b0a9d7b833520aa7a1a478296596b4a1edb1ec3a

- Filesize: 6KB
  MD5: 54c817121b5a62d8a94e4ac8bf2747e3
  SHA1: 4373985b12ce6046b7326e97ebbefedcf67c0d88
  SHA256: f4c5e2f2cd634a30040ca3ade2feaa30365a62f091d017c9eefc5d38a17a61d3
  SHA512: 7ceb4ceb6d75ea914876ce04f4226848af5b906bdd5bcfe574248908b5939cd8174b50dd044aaea4f3832e0c38570a8c79d474ed750ae0c3c4c68c2c78286489

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 964b6b0d15cbd82817aaf6b542b7ee7f
  SHA1: b45541c8fe202cdfa45ce9360711c043d3d46937
  SHA256: 930424c95933b2b89a5b0734c136aff5893aace10eec62cbe862feb9879fb13d
  SHA512: a1f0fb367aa4ff1dc1830ac7d9794c0175f5b9c6b72cab2c01a07bd2fc5eab20ae003cbd422a957a6bdea5e595a118fcd938b82b5ee439f71ed7db9104556211

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 3018d1aad8385b734068dbad441e344e
  SHA1: 2a3925bc92ec843db64b6db2cd6fe18ccf084a86
  SHA256: f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
  SHA512: 7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0