Analysis Overview
SHA256
8158a96438c4c741bae0453392f1c93bc14cf4138222c3c57a30e15f36c32bc6
Threat Level: Known bad
The file MeltLaunchеr.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 09:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 09:29
Reported
2024-05-25 09:29
Platform
win10-20240404-en
Max time kernel
46s
Max time network
19s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4948 set thread context of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe
"C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.0.1580583499\1743589867" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {213b5b78-0f79-4574-9c45-104525e423ee} 304 "\\.\pipe\gecko-crash-server-pipe.304" 1796 1c1627e5858 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.1.540369921\774799470" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5d83b3-f540-47bf-92f1-9801618d8953} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2152 1c1626fa858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.2.647060881\102250527" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9273ecbb-ae29-4760-8f30-8adb5a52bd0b} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2748 1c166ab7458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.3.1696341633\1012454464" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d57b8b-421a-491a-aee6-2aa8c97ada93} 304 "\\.\pipe\gecko-crash-server-pipe.304" 3508 1c167787f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.4.1798357933\460762681" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f96556e-349e-4c45-ad5c-bb5ec4f9195d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4232 1c1680c8b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.5.562859688\1589461109" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0257b6-a09e-4dee-95c8-cd18064f08c5} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4804 1c168e5a558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.6.1850512441\28587580" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adf5aa6-b7d0-4ea9-877b-1bab02dac85c} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4820 1c168e5a858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.7.1566404515\155744375" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0ce8ed-68a3-4319-8b3e-f2c5afb9763d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 5124 1c168e5b458 tab
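The SetThreadContext row above (PID 4948, the dropper in the user's Temp directory, setting the thread context of PID 312, a freshly started RegAsm.exe with no command-line arguments) is the classic process-hollowing pattern commodity loaders use to get a stealer running inside a Microsoft-signed .NET Framework binary. The helper below is an added triage example, not sandbox output and not code from the sample: it scores cross-process SetThreadContext events using the signals visible in this report. The process list and the 4948 -> 312 event are taken from the tables above; the Firefox parent PID (304, read from the -contentproc channel strings) and the control event 304 -> 1234 are constructed for comparison.

```python
"""Score SetThreadContext events for the hollowing pattern in this report.

Added triage helper; not sandbox output and not code from the sample. The
process list and the 4948 -> 312 event come from the tables above; the
Firefox parent PID 304 and the control event 304 -> 1234 are constructed.
"""
from dataclasses import dataclass, field
import ntpath

# Microsoft-signed .NET Framework utilities that commodity loaders commonly
# hollow: a trusted image on disk, attacker code in memory.
DOTNET_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "applaunch.exe", "addinprocess32.exe",
}

# User-writable staging directories (lower-case, backslash-delimited).
STAGING_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\users\\public\\", "\\programdata\\",
)


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ThreadContextEvent:
    source_pid: int
    target_pid: int


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    score: int
    reasons: list = field(default_factory=list)


def _launched_without_args(proc: Process) -> bool:
    """True when the command line is just the (quoted) image path.
    RegAsm.exe needs an assembly argument for any legitimate use."""
    return proc.cmdline.strip().strip('"').lower() == proc.image.lower()


def _in_staging_dir(path: str) -> bool:
    return any(d in path.lower() for d in STAGING_DIRS)


def assess(processes, events):
    """Return one Finding per cross-process SetThreadContext event."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for ev in events:
        src, dst = by_pid.get(ev.source_pid), by_pid.get(ev.target_pid)
        if src is None or dst is None or ev.source_pid == ev.target_pid:
            continue
        f = Finding(ev.source_pid, ev.target_pid, 1,
                    ["SetThreadContext on another process"])
        dst_name = ntpath.basename(dst.image).lower()
        if dst_name in DOTNET_HOSTS:
            f.score += 2
            f.reasons.append(f"target {dst_name} is a .NET host binary")
        if _launched_without_args(dst):
            f.score += 1
            f.reasons.append("target was started with no arguments")
        if _in_staging_dir(src.image):
            f.score += 1
            f.reasons.append("source image lives in a user-writable directory")
        findings.append(f)
    return findings


def hollowing_candidates(findings, threshold=4):
    """Findings worth escalating; threshold 4 requires more than one signal."""
    return [f for f in findings if f.score >= threshold]


SAMPLE_PROCESSES = [
    Process(4948, r"C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe",
            r'"C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"'),
    Process(312, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
            r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Process(304, r"C:\Program Files\Mozilla Firefox\firefox.exe",
            r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    # Constructed control: a Firefox content child (PID made up).
    Process(1234, r"C:\Program Files\Mozilla Firefox\firefox.exe",
            r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -childID 1'),
]

SAMPLE_EVENTS = [
    ThreadContextEvent(4948, 312),   # from the signature table above
    ThreadContextEvent(304, 1234),   # constructed control, parent -> child
]

if __name__ == "__main__":
    for f in hollowing_candidates(assess(SAMPLE_PROCESSES, SAMPLE_EVENTS)):
        print(f"PID {f.source_pid} -> {f.target_pid} score={f.score}: "
              + "; ".join(f.reasons))
```

Only the 4948 -> 312 event clears the threshold; the constructed parent-to-child control scores 1. When confirming a hit, the memory dumps for PID 312 in the Files section (the 0x400000-0x44A000 region dumped three times) are where the replacement image would be, and a byte-level comparison against the on-disk RegAsm.exe is the quickest way to prove the process was hollowed rather than merely debugged.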
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sessionannoucemenwj.shop | udp |
| US | 172.67.139.3:443 | sessionannoucemenwj.shop | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 8.8.8.8:53 | relevantvoicelesskw.shop | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 8.8.8.8:53 | 3.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 35.164.250.149:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| N/A | 127.0.0.1:49771 | N/A | tcp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.250.164.35.in-addr.arpa | udp |
| N/A | 127.0.0.1:49777 | N/A | tcp |
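The Network table mixes the sample's traffic with Firefox's own telemetry and update traffic from the sandbox profile, and the analyst's question is which of the nine non-Mozilla domains the stealer actually reached within the 19 s network window. The script below is an added helper, not sandbox output: NETWORK_ROWS is a constructed list copied from the table above (country column dropped, a few duplicate Mozilla rows omitted), and the benign-suffix list is an assumption chosen for this report's profile.

```python
"""Separate C2 candidates from browser noise in the report's network table.

Added triage helper, not sandbox output. NETWORK_ROWS is a constructed list
copied from the Network table above (country column dropped, duplicate
Mozilla rows omitted). BENIGN_SUFFIXES is an assumption for this profile.
"""
from collections import defaultdict

# (destination, domain, proto) as in the table.
NETWORK_ROWS = [
    ("8.8.8.8:53", "sessionannoucemenwj.shop", "udp"),
    ("172.67.139.3:443", "sessionannoucemenwj.shop", "tcp"),
    ("8.8.8.8:53", "wisemassiveharmonious.shop", "udp"),
    ("8.8.8.8:53", "colorfulequalugliess.shop", "udp"),
    ("8.8.8.8:53", "relevantvoicelesskw.shop", "udp"),
    ("8.8.8.8:53", "detectordiscusser.shop", "udp"),
    ("8.8.8.8:53", "edurestunningcrackyow.fun", "udp"),
    ("8.8.8.8:53", "pooreveningfuseor.pw", "udp"),
    ("8.8.8.8:53", "turkeyunlikelyofw.shop", "udp"),
    ("8.8.8.8:53", "associationokeo.shop", "udp"),
    ("8.8.8.8:53", "3.139.67.172.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "contile.services.mozilla.com", "udp"),
    ("34.117.188.166:443", "contile.services.mozilla.com", "tcp"),
    ("35.164.250.149:443", "shavar.services.mozilla.com", "tcp"),
    ("8.8.8.8:53", "autopush.prod.mozaws.net", "udp"),
    ("34.107.243.93:443", "autopush.prod.mozaws.net", "tcp"),
    ("8.8.8.8:53", "prod.remote-settings.prod.webservices.mozgcp.net", "udp"),
    ("127.0.0.1:49771", "", "tcp"),
]

# Firefox's own update/telemetry endpoints in this sandbox profile, reverse
# DNS lookups and loopback connections: real traffic, but not the sample's.
BENIGN_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozaws.net",
                   ".mozgcp.net", ".in-addr.arpa")


def is_noise(dest: str, domain: str) -> bool:
    return dest.startswith("127.") or domain.endswith(BENIGN_SUFFIXES)


def triage(rows):
    """Return domains that were actually contacted (with their endpoints)
    and domains that were only resolved. Only the first group is a
    confirmed C2 connection; the rest is the sample's fallback list."""
    resolved = set()
    contacted = defaultdict(set)
    for dest, domain, proto in rows:
        if is_noise(dest, domain):
            continue
        _, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            resolved.add(domain)          # DNS query only
        else:
            contacted[domain].add(dest)   # a real connection attempt
    return {
        "contacted": {d: sorted(e) for d, e in contacted.items()},
        "queried_only": sorted(resolved - set(contacted)),
    }


def ioc_lines(result):
    """Flat IOC list, one 'kind,value,status' line per indicator."""
    out = []
    for d, endpoints in result["contacted"].items():
        out.append(f"domain,{d},contacted")
        for e in endpoints:
            out.append(f"ip,{e.rpartition(':')[0]},contacted")
    out.extend(f"domain,{d},queried_only" for d in result["queried_only"])
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(triage(NETWORK_ROWS))))
```

On this report the split is one contacted domain, sessionannoucemenwj.shop at 172.67.139.3:443, and eight that were only resolved. The stealer walked its domain list, and the later entries never progressed past DNS before the run ended, so they are block-worthy indicators but not evidence of a live server. The 3.139.67.172.in-addr.arpa query is a reverse lookup of that same contacted address and carries no extra information.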
Files
memory/4948-0-0x0000000072FCE000-0x0000000072FCF000-memory.dmp
memory/4948-1-0x0000000000D30000-0x0000000000D8E000-memory.dmp
memory/312-4-0x0000000000400000-0x000000000044A000-memory.dmp
memory/312-8-0x0000000000400000-0x000000000044A000-memory.dmp
memory/312-11-0x0000000000400000-0x000000000044A000-memory.dmp
memory/312-10-0x0000000001070000-0x0000000001071000-memory.dmp
memory/4948-9-0x0000000072FC0000-0x00000000736AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 98aeb04c77b7f6cbc1c54e2551772922 |
| SHA1 | 7565a71d4236e3c6c6342d83ca7de16db0c8d696 |
| SHA256 | c1e356dc0bdb78f217cd3d36654eab96821d56097f4c23b4f2bd1f9e0b30715e |
| SHA512 | b629c720735bb30157f08a3690c35e2aad4912db4529009b94eec99bc210d2ee73488a39492891618d85d432c790a553710752c1df2698d3ebaa86cdb349416e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8d988898-95f2-40d1-97b6-6f081c2dec17
| MD5 | d42ba1e0a372ce4ca771a30046ad782b |
| SHA1 | 3b0e9707ad920e31fb9bff98467e30285f1d5593 |
| SHA256 | f6f9ff7a44c4827c5a57511735fa8a31481323803b874018c5ee17035a50d1eb |
| SHA512 | 8d9b95ae054dcd11ca7d68c38461c94a2966b650dd4dd8bf213834ed4424e33508c0a068b3b65ffae490b5fc1205841c5304b4ab15eaa53c7596dac225b96b3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\cffdccea-7ac1-4ad3-9dfb-90f8f24594a7
| MD5 | c5780d5cbfdd179abb55ce5ff7f439bb |
| SHA1 | da71ada7dda5c30c7b0886ef7c4d5f102c3cf9cc |
| SHA256 | fcd7eeef6bace169fe47e8c5b8fdf1030090ab11359345cb0214ac4d3e38517f |
| SHA512 | 0edac3f8156dc5abcd5359c4d0ad7f07d4fac790c06d19f652f408220ed8d5e159ce5c756ee2b46856ebffc5b0a9d7b833520aa7a1a478296596b4a1edb1ec3a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 3018d1aad8385b734068dbad441e344e |
| SHA1 | 2a3925bc92ec843db64b6db2cd6fe18ccf084a86 |
| SHA256 | f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88 |
| SHA512 | 7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
| MD5 | 54c817121b5a62d8a94e4ac8bf2747e3 |
| SHA1 | 4373985b12ce6046b7326e97ebbefedcf67c0d88 |
| SHA256 | f4c5e2f2cd634a30040ca3ade2feaa30365a62f091d017c9eefc5d38a17a61d3 |
| SHA512 | 7ceb4ceb6d75ea914876ce04f4226848af5b906bdd5bcfe574248908b5939cd8174b50dd044aaea4f3832e0c38570a8c79d474ed750ae0c3c4c68c2c78286489 |
memory/4948-98-0x0000000072FC0000-0x00000000736AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 964b6b0d15cbd82817aaf6b542b7ee7f |
| SHA1 | b45541c8fe202cdfa45ce9360711c043d3d46937 |
| SHA256 | 930424c95933b2b89a5b0734c136aff5893aace10eec62cbe862feb9879fb13d |
| SHA512 | a1f0fb367aa4ff1dc1830ac7d9794c0175f5b9c6b72cab2c01a07bd2fc5eab20ae003cbd422a957a6bdea5e595a118fcd938b82b5ee439f71ed7db9104556211 |