Analysis
-
max time kernel
98s -
max time network
100s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
27/12/2022, 21:21
Static task
static1
Behavioral task
behavioral1
Sample
ReShade_Setup_5.5.1_Addon.exe
Resource
win10-20220901-en
windows10-1703-x64
7 signatures
150 seconds
General
-
Target
ReShade_Setup_5.5.1_Addon.exe
-
Size
3.2MB
-
MD5
0258f7d47fa48a5cb101ef5b011d8672
-
SHA1
04a5cd04e352e6741012108ce716f77249567cb9
-
SHA256
b7b2cda8df3347baecc2a794520a6869477675083d7439c9adf1842e32279ee2
-
SHA512
5663b88808bfb28044bd29c8db8a7bcdc5b1c26536df2bd3f9815895653dcf5ff336cc326e8722a41ddd816007fe5e7f97d17921401c71ff0dc2c436dc36489e
-
SSDEEP
98304:h7nfMe8EnFC2iIQmicdvDwJMn0isE7+A0G4:FMpciIQmivMnfs5Ac
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings firefox.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3316 ReShade_Setup_5.5.1_Addon.exe Token: SeDebugPrivilege 4552 firefox.exe Token: SeDebugPrivilege 4552 firefox.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe 4552 firefox.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4552 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4368 wrote to memory of 4552 4368 firefox.exe 69 PID 4552 wrote to memory of 776 4552 firefox.exe 71 PID 4552 wrote to memory of 776 4552 firefox.exe 71 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 5072 4552 firefox.exe 72 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73 PID 4552 wrote to memory of 4300 4552 firefox.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_5.5.1_Addon.exe"C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_5.5.1_Addon.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.2030524642\112373895" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1548 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1632 gpu3⤵PID:776
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.2102011190\1873190597" -childID 1 -isForBrowser -prefsHandle 2252 -prefMapHandle 2276 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2236 tab3⤵PID:5072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.13.1576104463\1699332494" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3464 tab3⤵PID:4300
-
-