Overview

overview

7

Static

static

7

CrosshairE...ya.dll

windows7-x64

1

CrosshairE...ya.dll

windows10-2004-x64

1

CrosshairE...hl.exe

windows7-x64

7

CrosshairE...hl.exe

windows10-2004-x64

7

CrosshairE...hd.ini

windows7-x64

1

CrosshairE...hd.ini

windows10-2004-x64

1

Resubmissions

20-07-2023 03:52

230720-ee6w9scf62 7

Analysis

  • max time kernel
    113s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CrosshairEditor/Freya.dll

  • Size

    281KB

  • MD5

    d5fef36a5ad0e809aad6b7cbe19d1062

  • SHA1

    5adf39cfe296acd1e62618155f1e2ed68ea452df

  • SHA256

    8cd822ca2dd0d9e3f298fb42f5c95ab6ef7ed71b68bfe4ac9e2fdb795760d1fe

  • SHA512

    7c9580d9929c1b4c8f90109808a236113543e41ea3709da9a041c6802666cf18e2e2a827e951267f0fc497605f44bf83e2f5c9824f66917f1a2b0994a6cd8b90

  • SSDEEP

    6144:+3nUjhnjy3aPg+ZQLM7KUAOFLjKjuUjB0r3T+fMMMMMMMMMMMMMMV7MMMMxliqyJ:1CYtQLMwFjuUN43T+fMMMMMMMMMMMMMP

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrosshairEditor\Freya.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrosshairEditor\Freya.dll,#1
      2⤵
        PID:4200
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.0.1570749582\1744505049" -parentBuildID 20221007134813 -prefsHandle 1928 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d9a89f-8e5f-4ac3-8c24-fa57a04916f7} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2008 2604d7d7b58 gpu
          3⤵
            PID:2124
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.1.255636507\2132814681" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {151a40a6-6c14-45fd-9f73-8007699e0862} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2408 26040c6e258 socket
            3⤵
              PID:2040
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.2.2121856075\1621375248" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3020 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df35a61-6b00-4352-b0af-7bac09680683} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 3000 260517adb58 tab
              3⤵
                PID:4904
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.3.529198931\449740977" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9c7296f-6769-42d4-8aa4-d124a90ac7f0} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 3616 26040c64d58 tab
                3⤵
                  PID:3756
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.4.809990125\951906568" -childID 3 -isForBrowser -prefsHandle 4488 -prefMapHandle 3604 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fdad418-9919-497d-a1e0-e3c3bacd7791} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 4496 26052c25258 tab
                  3⤵
                    PID:4476
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.7.770451040\991018138" -childID 6 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {049cf41f-b2cd-4d18-a401-4a95c61a9de6} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5372 26053ab3658 tab
                    3⤵
                      PID:3156
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.6.43442715\462005465" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df134bab-fc13-4e61-b0ab-ae196550cf6c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5164 26053ab4258 tab
                      3⤵
                        PID:2840
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.5.1926253058\1042400056" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5060 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39fa70bd-837f-466d-a967-912586ab63f1} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5100 26053ab3358 tab
                        3⤵
                          PID:4108
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.8.1812206741\1294666986" -childID 7 -isForBrowser -prefsHandle 5904 -prefMapHandle 5852 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e789becd-057a-4b6f-98ac-f23134149013} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5384 260557e2558 tab
                          3⤵
                            PID:5716
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.9.1092227220\1743235210" -childID 8 -isForBrowser -prefsHandle 5136 -prefMapHandle 4524 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f44bcac-c330-45da-ab1f-74b625414072} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 4980 26056515058 tab
                            3⤵
                              PID:5912
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.10.1694906446\313910379" -childID 9 -isForBrowser -prefsHandle 6224 -prefMapHandle 4992 -prefsLen 27017 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2c71c2-a28c-4611-a355-3fafc3ed0f29} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 6236 2604fec2b58 tab
                              3⤵
                                PID:6020

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp
                            Filesize

                            149KB

                            MD5

                            1bf7e06798a6c3a638c6b8e79ff5f7aa

                            SHA1

                            098fd8b4865405db73d67d107cabc66080692bb8

                            SHA256

                            fe7c94f1415ad791413a70ae2cae3d14677076f166ad0ae31a81cdaaded72d81

                            SHA512

                            8b20340957b441f16df42326dc2abac62b3af7b90182d38eff9689bde51608664d60636b4738115e058680a92fd279f100bf95c71adf74c9bc2937bb6b3e4230

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js
                            Filesize

                            7KB

                            MD5

                            a316c582aec540c5cabd53c9fd930446

                            SHA1

                            f827f862e5f3bdf6df6ece6a62a31ebddc588553

                            SHA256

                            18b3fd236cc991b58d43d35d8874610b0f7ece6f4203448b69b15f998e0baf51

                            SHA512

                            034d22170c15af2801af3d565238b0baab775b6cc16f67ab2597a93d6fb9f98874be078f9435c8282f36da561a00a20a159499609da818b51e814d2675f45c12

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            0daad7ee436864789e769b7e64c431fe

                            SHA1

                            70eaca28fd4f2e3823a6f319d1068ddc9352df29

                            SHA256

                            a9d47d44dde57f667e01e73f52c34ce3b1a55a683b88354a46b244a60269b9e1

                            SHA512

                            41bf52461213d08e5bbf33aa2a1a207e6f0fdadf70f80394a64415e1fcd71e8ba6756a3bb638329f37a03f05f0b96f5261550a85b270d61fd37a52072fecefe6

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js
                            Filesize

                            7KB

                            MD5

                            860ce505c466340ae994a8f151cd7e5f

                            SHA1

                            2480db0bce23ee2ae5ced13a728f822c4cdcf157

                            SHA256

                            449660868372223e23b893affe86f7577dda4950b1c7a43bec1055214f289d12

                            SHA512

                            6596b6eeb4698b233ecd9df3d208edca1705eabca6f8a1c32bfb9db4ac454b7cb6f2f92d85764e17707c3f8e8eb713a72c4d10e96848a7d147a2bc6e9ee1c315

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js
                            Filesize

                            7KB

                            MD5

                            12ca45f57a6d6075d356dd63534137ca

                            SHA1

                            74431724fa5f442abab936a78776d0daa1c02866

                            SHA256

                            8e6c1a0a1bdd62f4ff6f50d62dff0cd7c9d670e533da392c81de833e97a6213f

                            SHA512

                            fc8990cac46b4eda078988dd2bc210df959344826a383d02846c4bc9a6faf0c4311e2b5d067712b63f3126f8206d03570ad1fe8bf8c1349b4363c5d1a688b9e4

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            5d7bc15475e6d465bcad00f9946ca497

                            SHA1

                            de24efa52d512f6b0fb9173e9b49a2463704f0b2

                            SHA256

                            0ee3be8852ca0aa0cef1483748942a8c0cc9121470c139667612c29c9bf0c532

                            SHA512

                            8af684061beb12c8fe5237d29c782d0674c959499c4078f968d48090714c41f6093f3a29cc9922c7f2b81bbebd74def3edd98c7c12632fc7a075b610edf1c8fa

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            34d17ce4c1e0d0386e301d0b75839b89

                            SHA1

                            7fbf99761d5e9f2fbe4108976f0b1a204547c090

                            SHA256

                            77c6814f6868568e65629486b1554d436b1d702b6b7718db558d756f83432d3f

                            SHA512

                            5ddd063ec82185ddfaed9b7670bde06deec9ef0cb34e1d4164c7a11ef45764b174ef1ba1c3b89a4cacc0b2d1c1e8a453edb993c3afd35981a3d84478e3db440e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            4062544ffc27bfef4edec92a7e08a2d9

                            SHA1

                            ff46892680074aba66deedba1e24fab8757ad311

                            SHA256

                            370e16c43c9172e563c83f5fa8f61b58a092fb3a76cab6eb0a036f6cb00cca0f

                            SHA512

                            4abf4a6f0b4e90ff672c5287d0b50e4c37d2129eea4ffb8a98a03d7a5e7e618578d5ed508afd5a95cd604de86b8405ddfe1189c5003bb1c4ce687fd7ed8a6df8

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            6KB

                            MD5

                            5cb9a41af9d6115c209459dbce54de6b

                            SHA1

                            482df800acb42631976e5f67721f3a2dc885a083

                            SHA256

                            47420f1f19962e5ee52ca0afc83483cff805dfc88e4c33515d44e39034bafec2

                            SHA512

                            2e7a047eeed60374fa88dd3a3a7b87c5d8206b6dcef17ab9d0130089ca2a08d078f5843a74b0228fbf1df17799e21228b6a924f1c14e19ce03580f46672c0d0b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            7KB

                            MD5

                            df6fda37fd2918ffe74ee566d0df96b0

                            SHA1

                            2b440c8f976a9b8d9a234a803d4ee74a162b3b4b

                            SHA256

                            4eec417731db1673bc42c301be96a4344c906f930dc6ca3dce74b493d5fbba09

                            SHA512

                            48273aa568ba5fa6e887d83001be2f1ccb4ffde2339bba9af19d353f7f2adaba63ef40ca5b270f71be3fb87c76da4f936fb3b03c5f88dcf99beff52ab84a92ef

                            Download Submit

                          • C:\Users\Admin\Downloads\Counter-Strike-1.VKfYVIbc.6-original.exe.part
                            Filesize

                            32KB

                            MD5

                            9278e02b635ea5c76dc9cfb1c114e998

                            SHA1

                            7361ed1b882013e781a4dce349fe6fb36ad767f1

                            SHA256

                            f8e3b659845997a6c50b84bd74f23b4133c1903161fd4fa3b7c9b6b5ad87bc95

                            SHA512

                            650eeea378ea869f4b53b53818e75d659681e04ddb087fb7c68adbc5cd3f47da54400bb0c0dfd1a3ee13b7707df473fb86b6379fd725c35d083232e148805445

                            Download Submit