080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66

General

Target

reshacker_setup.exe
Size

4.0MB
MD5

e846ef7353af351ad4a6e1d49638b500
SHA1

c08392c797fcea5147b3f0d7e07f57eedc323911
SHA256

080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66
SHA512

e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5
SSDEEP

98304:HEnF3qBlk/aDK9b0SVtlOMKTNdSLUHBrICc:y3KkyDgQSVKMKTeIHA

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

reshacker_setup.tmpResourceHacker.exe

pid process

1256 reshacker_setup.tmp
3728 ResourceHacker.exe

pid	process
1256	reshacker_setup.tmp
3728	ResourceHacker.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reshacker_setup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	reshacker_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 25 IoCs

Processes:

ResourceHacker.exereshacker_setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Resource Hacker\ResourceHacker.ini	ResourceHacker.exe
File opened for modification	C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-SFGVP.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-FPOR7.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-2I2RE.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-QQDVC.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-LDVC5.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-TV6LV.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-BRUKA.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-QM9ML.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-JRUKL.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-2OTVM.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-MQ7OF.tmp	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\ResourceHacker.ini	ResourceHacker.exe
File created	C:\Program Files (x86)\Resource Hacker\help\is-72GK9.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-74AK7.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-RR9AI.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-CAKG9.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-H7213.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-3BT31.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-M1VE8.tmp	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\unins000.dat	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\samples\sample2.dll	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\unins000.dat	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-GA5U2.tmp	reshacker_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 40 IoCs

Processes:

ResourceHacker.exereshacker_setup.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ResourceHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 98003100000000003755fa45110050524f4752417e320000800009000400efbe874fdb493755fa452e000000c3040000000001000000000000000000560000000000f7922200500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	reshacker_setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 68003100000000003755fb4510005245534f55527e310000500009000400efbe3755fa453755fc452e000000c29d0000000006000000000000000000000000000000ed5800015200650073006f00750072006300650020004800610063006b0065007200000018000000	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ResourceHacker.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ResourceHacker.exe

pid process

3728 ResourceHacker.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

reshacker_setup.tmp

pid process

1256 reshacker_setup.tmp
1256 reshacker_setup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

reshacker_setup.tmp

pid process

1256 reshacker_setup.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ResourceHacker.exe

pid process

3728 ResourceHacker.exe

pid	process
3728	ResourceHacker.exe

pid	process
1256	reshacker_setup.tmp
1256	reshacker_setup.tmp

pid	process
1256	reshacker_setup.tmp

pid	process
3728	ResourceHacker.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

reshacker_setup.exereshacker_setup.tmp

description	pid	process	target process
PID 1700 wrote to memory of 1256	1700	reshacker_setup.exe	reshacker_setup.tmp
PID 1700 wrote to memory of 1256	1700	reshacker_setup.exe	reshacker_setup.tmp
PID 1700 wrote to memory of 1256	1700	reshacker_setup.exe	reshacker_setup.tmp
PID 1256 wrote to memory of 240	1256	reshacker_setup.tmp	NOTEPAD.EXE
PID 1256 wrote to memory of 240	1256	reshacker_setup.tmp	NOTEPAD.EXE
PID 1256 wrote to memory of 240	1256	reshacker_setup.tmp	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe
"C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\is-092NF.tmp\reshacker_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-092NF.tmp\reshacker_setup.tmp" /SL5="$701F2,3411549,870400,C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
3⤵
PID:240

C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
"C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Resource Hacker\ReadMe.txt
Filesize
1KB

MD5
eee9717c2fd4f926c23b6fbbd7174be5

SHA1
1596921b80753e25dacff3499a8ecd3e81e6d7c9

SHA256
afe15bbaef0dd02cdefdd6b366084a838ea40e29c21173d68d28cb629cf69203

SHA512
778f84fb27cba9b2283b468859e740418a2ed3aef5f087a7a554b91224f88ebe244d36ead138b8c4d8ebf00f98661dd3a60fa3681f3717e84ad9f73169942e0a

Download Submit
C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
Filesize
5.4MB

MD5
b406ef352a5e5260f179e7abd2feb846

SHA1
faabfd4a58775a9c2240bb07a48b7451506fd984

SHA256
4ab1a1035588f0c99b00e39d87ef9a0d940437a05802f0e75956ab65149133be

SHA512
bd10dd1d21dde7ddc77e91a5bc769797fe7388168f71225afac337b9aabb41b362cb6abcac1eac545ad2ec36686b48f6fe52c4036e27f903939e9a73fad6be1b

Download Submit
C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
Filesize
5.4MB

MD5
b406ef352a5e5260f179e7abd2feb846

SHA1
faabfd4a58775a9c2240bb07a48b7451506fd984

SHA256
4ab1a1035588f0c99b00e39d87ef9a0d940437a05802f0e75956ab65149133be

SHA512
bd10dd1d21dde7ddc77e91a5bc769797fe7388168f71225afac337b9aabb41b362cb6abcac1eac545ad2ec36686b48f6fe52c4036e27f903939e9a73fad6be1b

Download Submit
C:\Program Files (x86)\Resource Hacker\unins000.exe
Filesize
2.6MB

MD5
aa50fbaf52e0b04527cc6361d5473d90

SHA1
5dcce8dd952c92f71522397bd0e0ad036b6ca436

SHA256
8a66cbeed0cdf951c5c104a4692d5a2b02fcdbb530827125f4050020ac86e906

SHA512
3e44b320b2bdd66b8b2bb51c599a0fb0a051917689ed90d80d69045530d6a5dbfb75657b5083e19828433aeaa0335053ea531f889c5535d19c2e63c15e75f36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-092NF.tmp\reshacker_setup.tmp
Filesize
2.5MB

MD5
3baaf568aa5142e9eeed4ec6cdd764b7

SHA1
089ec2257a57c0f2ee913a94e61c1c8272de6290

SHA256
153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268

SHA512
4a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-092NF.tmp\reshacker_setup.tmp
Filesize
2.5MB

MD5
3baaf568aa5142e9eeed4ec6cdd764b7

SHA1
089ec2257a57c0f2ee913a94e61c1c8272de6290

SHA256
153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268

SHA512
4a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287

Download Submit
memory/240-141-0x0000000000000000-mapping.dmp

Download
memory/1256-137-0x0000000000000000-mapping.dmp

Download
memory/1700-135-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1700-139-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1700-143-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads