Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-de
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-de, locale:de-de, os:windows11-21h2-x64, system, windows
  • submitted
    06-12-2024 13:19

General

  • Target

    Crosshair-X-Crack-master.rar

  • Size

    491KB

  • MD5

    fe4f2896d92f18823b966ebabfd970de

  • SHA1

    609180eecc4bb86d4055b121d7d10ea4e7c17a47

  • SHA256

    9504fbdc366ff1c3d41b463c5cd8d87fbf5eef9755a578ceb90ce18c3f751986

  • SHA512

    51659e089eb4de76dddb51f44518df8786073a3af39ccaf1dd0172e9bcb5494b9f4f9cf1c43702d15016d57f4f3ae2b6efc7e90a717218e7801c82cb6a5b7626

  • SSDEEP

    12288:0NUp+mgaDSKI7j6oDomBXhxyHVyUMm7RkQEhmV/04XB:0C7gCInbU7wUF72mR7B

Score
10/10

Malware Config

Extracted

Family

lumma

C2


Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Crosshair-X-Crack-master.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:952
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1664
    • C:\Users\Admin\Crosshair-X.exe
      "C:\Users\Admin\Crosshair-X.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Users\Admin\Crosshair-X.exe
        "C:\Users\Admin\Crosshair-X.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1348
          3⤵
          • Program crash
          PID:1456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1332
          3⤵
          • Program crash
          PID:1464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408
      1⤵
        PID:1100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4408 -ip 4408
        1⤵
          PID:4724
        • C:\Users\Admin\Crosshair-X.exe
          "C:\Users\Admin\Crosshair-X.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Users\Admin\Crosshair-X.exe
            "C:\Users\Admin\Crosshair-X.exe"
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4808
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1328
              3⤵
              • Program crash
              PID:4672
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1152
              3⤵
              • Program crash
              PID:1812
        • C:\Users\Admin\Crosshair-X.exe
          "C:\Users\Admin\Crosshair-X.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Users\Admin\Crosshair-X.exe
            "C:\Users\Admin\Crosshair-X.exe"
            2⤵
            • Executes dropped EXE
            PID:1856
          • C:\Users\Admin\Crosshair-X.exe
            "C:\Users\Admin\Crosshair-X.exe"
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4624
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1348
              3⤵
              • Program crash
              PID:3216
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1368
              3⤵
              • Program crash
              PID:276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4808 -ip 4808
          1⤵
            PID:4680
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4808 -ip 4808
            1⤵
              PID:1532
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4624 -ip 4624
              1⤵
                PID:2584
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4624 -ip 4624
                1⤵
                  PID:2164
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                  1⤵
                    PID:4480

Downloads

  • C:\Users\Admin\Crosshair-X.exe

    Filesize

    20.5MB

    MD5

    e44b4dfe614da54a395c203d58f2f489

    SHA1

    1f05ca23000ec626ce32041b3ae3baec2c6fa248

    SHA256

    240db8852efca1ff49dedfe045796def881458b74e09c2ab4a5f588bf66c25d0

    SHA512

    b852aaf7d63ee6f665331f7b1ba78d0ec9e9208e0e7840263c67d6579b1aa552dddb1ed52335cfa843f5f9a3947fa8642852c49eda47e3f6a89746c9e5323fff

  • memory/2376-140-0x0000000001023000-0x0000000001024000-memory.dmp

    Filesize

    4KB

  • memory/4408-141-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/4408-145-0x0000000000FF0000-0x0000000001071000-memory.dmp

    Filesize

    516KB

  • memory/4408-144-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB