080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66

Analysis

max time kernel
109s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
01/01/2024, 15:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

reshacker_setup.exe
Size

4.0MB
MD5

e846ef7353af351ad4a6e1d49638b500
SHA1

c08392c797fcea5147b3f0d7e07f57eedc323911
SHA256

080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66
SHA512

e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5
SSDEEP

98304:HEnF3qBlk/aDK9b0SVtlOMKTNdSLUHBrICc:y3KkyDgQSVKMKTeIHA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3180	reshacker_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Resource Hacker\is-S5D33.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-PEB27.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-7J3GV.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-SFI6V.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-OG8DR.tmp	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\samples\sample2.dll	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-UV478.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-50KUK.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-JH7OB.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-2UIR3.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-TEKI8.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-RJEBV.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-A8KNN.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-A7MAB.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-P3DU6.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-77TLJ.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-C2GEU.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-1K1OD.tmp	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-B4L0F.tmp	reshacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\unins000.dat	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\unins000.dat	reshacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-0IQJS.tmp	reshacker_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	reshacker_setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3180	reshacker_setup.tmp
3180	reshacker_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3180	reshacker_setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3128	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3180	4276	reshacker_setup.exe	26
PID 4276 wrote to memory of 3180	4276	reshacker_setup.exe	26
PID 4276 wrote to memory of 3180	4276	reshacker_setup.exe	26
PID 3180 wrote to memory of 2816	3180	reshacker_setup.tmp	87
PID 3180 wrote to memory of 2816	3180	reshacker_setup.tmp	87
PID 3180 wrote to memory of 2816	3180	reshacker_setup.tmp	87

C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe
"C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\is-5DB9L.tmp\reshacker_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5DB9L.tmp\reshacker_setup.tmp" /SL5="$60052,3411549,870400,C:\Users\Admin\AppData\Local\Temp\reshacker_setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
    3⤵
    PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5104

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
"C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe"
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Resource Hacker\ReadMe.txt

Filesize
1KB

MD5
eee9717c2fd4f926c23b6fbbd7174be5

SHA1
1596921b80753e25dacff3499a8ecd3e81e6d7c9

SHA256
afe15bbaef0dd02cdefdd6b366084a838ea40e29c21173d68d28cb629cf69203

SHA512
778f84fb27cba9b2283b468859e740418a2ed3aef5f087a7a554b91224f88ebe244d36ead138b8c4d8ebf00f98661dd3a60fa3681f3717e84ad9f73169942e0a

Download Submit
C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe

Filesize
95KB

MD5
0ce3a9e18f4bab85f224e8d7b401ecb0

SHA1
c175e9ff825cb2857317478c3506708e2226e080

SHA256
e38a84e94c25a9ed7e5966cbd8bb51588a46c9e0c68140dbc626dd160af4f698

SHA512
e7e8f6c9c3cca7c40eb020edffd4f1bf6082d3a13ad193963592accdd1f2e937b28b8733a622a4e647f8cc4bf319f7c8f4d0c6184d3ce054b6efd92901676b0c

Download Submit
C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe

Filesize
381KB

MD5
1f34eba86d9542eae8db5264bafec5cd

SHA1
85ad90e7c491b2f7a2469e79e5660b1a8b1eef50

SHA256
ab71ac81f924fdcd6b465d813cbfee143cbf647c17ed1efff6cb465460b57bd2

SHA512
0715366113eaa7d4dac9fbc0e46470bb0f813c36f438678ffd5f16f0115bf4e4e610b435f0fc0a554a0840bf79ae1df0f101aa3511693eec629c6e4270a58d81

Download Submit
C:\Program Files (x86)\Resource Hacker\samples\sample2.dll

Filesize
385KB

MD5
7654b1e849b2cc300907c4a58607b755

SHA1
f2e13a50978564406feca949edaf4c282cf0f225

SHA256
009460737c91fa5907271aa5745622cc68e63cd70045350fcaa2c48c87ca7bd0

SHA512
d6a6ada44755f7698fed8a03f179a2ff7bd9cacc93f934839993bcd0e992e7d22c1818720908d2acb1bad8a0d704b897508643b2607fac6c03d064e53c5c85f3

Download Submit
C:\Program Files (x86)\Resource Hacker\unins000.exe

Filesize
664KB

MD5
0534b6f71ae5262ff6cc4d3ff4b150db

SHA1
4cd0f3a0b8f94bb4692c55d0ffbd365480768b4d

SHA256
4a15718a31377c28a54f4ab9baef8601e9990581e353778079251db6a1eb5603

SHA512
56b90b4a22e21254ffd76e644ec0e9de977fe4e1ed47b910cfae46f7039825bc66be46f9d52af0f06988375dcdfa2b84569b7e9263ca61357a6bf875341d6403

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5DB9L.tmp\reshacker_setup.tmp

Filesize
92KB

MD5
22721359139b6deffae433082fbd98f3

SHA1
ab148b4473b9285c25cd3068fbc3f4eb9c4fbc56

SHA256
2dbdae33baff46125df2014b4532a6914409e7c46a410dc331985f6cb4e7ed08

SHA512
a0c6cafd650a3d7226aa859bb8d27d55c77c9e5567c7b45e1b8eabb1f919a65ffd6188303de9e64bb3336387935e28618cd984ee4ac01310e13ec2b9adf1df14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5DB9L.tmp\reshacker_setup.tmp

Filesize
377KB

MD5
79823ee5acd82b96251ee3214189854b

SHA1
491c360b33fc57d21c2989c506284f1d9f3bf11f

SHA256
c64a3b77c8cdf11cdfcca978a07ef1e67cc133da4730bfc354697cf6e0f70ddf

SHA512
8f6fbf474a245093208a59621131241a2132196155cafb45e8f7c661e91d40e672529d0db95037a0bfcac6d0317d77b8246fd03c807972148a13f8cbf5417ac4

Download Submit
C:\Users\Admin\Desktop\ApproveMeasure.pub

Filesize
92KB

MD5
d4100a2250dc70f312c808d95f65d988

SHA1
a07a0222312a49517113c287c55cad4ff6d0d12b

SHA256
1d32cfd87007123ab8e17eaf879833c72f5b68cb5312af03f98c6483006d96d0

SHA512
cf6b560a176bebf0c5fd9af08c31ae0d88dcfa10d646b658c5355386e134e337cae13a30e3ff06177f7efdea7e91f8c5166dadd423713c4381a4808233781824

Download Submit
C:\Users\Admin\Desktop\CheckpointInstall.asp

Filesize
92KB

MD5
2e1c9aaf0dd7458470adf3c8cad42d71

SHA1
fd23729b7d7a30cff7529f7a7a2b7c7ba60a53d7

SHA256
7aec2d06e7628e8b72a85bf05e925f8bb238726a5ca2411c69f4f023b6bd0eff

SHA512
8f197cd29eac8d4132a8fbd1e10d50fc5b7aa254d0b5246bed6bb090be2eb0013b7bed037efe1bf4c5a5ac291a62747d6237057c6bd5a1ec9d7820f33eedf434

Download Submit
C:\Users\Admin\Desktop\CloseUnblock.mid

Filesize
92KB

MD5
f1f1ec29105b374948cbaa9419f6069e

SHA1
4e1375ee142385d72a95b3616c6ee003ba145b13

SHA256
92139dee0cf1b3c745a73552dc8a574551a6a2d3a325e5081895a080dc182878

SHA512
59cb2e79837c57999c28060859d7bf1fe42f7ccd388776a93c360a55d4ea5f9e689c62b2a47b16f54bc096b0d4f79e2834b409a386a5b1f428ed473a26e0028f

Download Submit
C:\Users\Admin\Desktop\DismountConvert.mov

Filesize
92KB

MD5
160c1084680a45c143ac20500078f5dc

SHA1
24c45245b6f661f2529b0b08642a5fad32848466

SHA256
283b39ed9776c2401c34e2d589326fba8f65fea2d871ab3e96086d438e0d08b7

SHA512
791f8964c33dd1536a5707b41f6f736c4503989d7db1c0818154cb07e1e49b34ae6fbda3c5108e3878fe3601a3fb52c24c2c2a0426ca68513467b939d4eabc1e

Download Submit
C:\Users\Admin\Desktop\EditSwitch.ocx

Filesize
85KB

MD5
29bbc97815e3d3021a65866370093bfd

SHA1
def841f4f74eaa74d51baa287c190ef542eec600

SHA256
fd90c6cf763eb749d2f5d3b983a52c9ab71feb38cf52c6fce45ff65923438db4

SHA512
13129dfad86682f9390a25eea868842f0a124d81adcaedce28950bf84fdf5a72526a9a36c1059d71ed45f1650b6546bcac6a7637f058ae0cd3ede6274f2fafeb

Download Submit
C:\Users\Admin\Desktop\EnterSend.vstx

Filesize
167KB

MD5
c15dc1f26c7937df9aff4a508b484e37

SHA1
4930e295eba2c6d73e419631d7d36bd07498fab6

SHA256
065d19fa05977026416f7387361e095b270f75c913ef5a9a03dad44873aa72b2

SHA512
8931d462d238a70b17b71fd984e09e97e39cd4a5458c220c9cc2f85bfb82b6e6e86a8678415d570717d38b242ad3f647e07dcc87bb226557d21882b8fbe67598

Download Submit
C:\Users\Admin\Desktop\GroupRegister.bmp

Filesize
92KB

MD5
852fc5103517ada17916ed26ab4f09dd

SHA1
e4eb25da319bf33f12bbc517eafda8a710866703

SHA256
60adfb165cf948cce17bd9877c49963c45f4af048bbecde5e620ea87cee4f0ef

SHA512
c0347fc10a868169ee39575ee324cc19b1b5292b20ada20182fbe0670de7b83803af38b7e63db8520d4a36abd24e6d95d9d772a64367e3d6fa906aebb6282a7f

Download Submit
C:\Users\Admin\Desktop\SkipLock.jpg

Filesize
124KB

MD5
4f1870ab08536fb23a833dece927d5a8

SHA1
0c7ae2811732b459750a07d7292eba9ef7f28a68

SHA256
3093a1bd0d83c4d0b6e3b334f4db9f3815975f0a04bab328b2703a6a89777e61

SHA512
04edd0d76f5b8f3db8ff987a2bc4915890679f1d0a1011181911b150ad5e1163c2172b594f97ddf6c72791d65b8cdfd1e60e0630088761e57d8f58d718033b32

Download Submit
C:\Users\Admin\Desktop\StepBackup.ADTS

Filesize
191KB

MD5
51dbfcc4e656e8bd793c8d9d39849fe2

SHA1
9fab1a1c154a8f6c1916bd2c9ac08755151ce9b1

SHA256
355d77f9d94c10526e2fed2b3c824346e1a6e49ba6f7999ed2277bb1ba8924c3

SHA512
36f43442b3fd23aa4e811434f783ee39c4e7a48b5793bd6d75b11f38e597627dc20e7d224c6f7b1b58c0d849711f53e91866e115c368fa95513157fc149bf390

Download Submit
C:\Users\Admin\Desktop\SyncCompare.wvx

Filesize
100KB

MD5
203bdfaffd158d4bbfdb46efcfff0f88

SHA1
162615a9e723e669e74dd491e5bb37666a6ad43c

SHA256
90754dba73b72d053b548b23568f46b031903e041bb0daf035787929a2aa94e8

SHA512
59e8bf96d350ea2f02ab5f739ba96d73b8e1413ef13bdf1ec96ab6d3bb67df1603c1ff4f108a6e69b3c7c0fab12068ba0bfa77416c280d774a3a18167f3f4576

Download Submit
C:\Users\Admin\Desktop\UndoAdd.jfif

Filesize
92KB

MD5
3c8029b5dc5f3ea0d862be9940417784

SHA1
33bbbfe26d493c8eda03193ef86b6509b7fd3876

SHA256
c4a8eb49121d593e60de8eeb895ec2b2b1e3b2b97648fdad9c2fbb1a679d473e

SHA512
a0c62b365a0241d430017e5122f25480b18de4d2fef29b545cafdce180ecbf4a811f6a386f5131a14f2feec8a014d0abf2da7ca73b7d37aa39dce6bb35861efd

Download Submit
memory/3180-16-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3180-14-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3180-99-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3180-12-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3180-9-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3180-6-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4256-116-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download
memory/4256-119-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download
memory/4256-112-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4256-118-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4256-113-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download
memory/4276-100-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4276-0-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4276-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4276-2-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download