Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://www.angusj.c...

windows10-1703-x64

8

https://www.angusj.c...

windows10-2004-x64

8

https://www.angusj.c...

windows11-21h2-x64

8

Resubmissions

16-05-2024 16:02

240516-thaqkacf53 8

16-05-2024 15:21

240516-srd9nsaf9x 8

16-05-2024 15:16

240516-snm3eaag66 8

Analysis

  • max time kernel
    65s
  • max time network
    61s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-05-2024 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.angusj.com/resourcehacker/reshacker_setup.exe

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.angusj.com/resourcehacker/reshacker_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.angusj.com/resourcehacker/reshacker_setup.exe
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.0.124108362\883891478" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1620 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c399b1dd-3913-488e-87e8-744c224f606d} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 1728 207b64f6258 gpu
        3⤵
          PID:2528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.1.1975926767\1715226321" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82986fc2-a519-4192-827b-7b80a01ce704} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 2136 207b63f9558 socket
          3⤵
            PID:1856
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.2.1285495624\1457981767" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c7fb65-6e67-432f-8bab-52ec36fd20b7} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 2740 207b6462e58 tab
            3⤵
              PID:2260
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.3.1112513636\584831740" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc07e577-1326-4178-a920-cd46b034ef9e} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 3624 207bb69ce58 tab
              3⤵
                PID:3340
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.4.1258248326\1171969395" -childID 3 -isForBrowser -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92eb652f-55f7-44b3-83a4-bbed99692ad4} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 4688 207bc175358 tab
                3⤵
                  PID:4448
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.5.1454527405\1981571848" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4852 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ea43f2a-3f21-4ef9-93f8-95b5a2fb20f9} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 4840 207bd4a0258 tab
                  3⤵
                    PID:4040
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.6.1974220901\260448698" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bda8cbfe-7294-43a2-ad61-b8cb0b95093a} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 5032 207bd4a0858 tab
                    3⤵
                      PID:4952
                    • C:\Users\Admin\Downloads\reshacker_setup.exe
                      "C:\Users\Admin\Downloads\reshacker_setup.exe"
                      3⤵
                      • Executes dropped EXE
                      PID:4364
                      • C:\Users\Admin\AppData\Local\Temp\is-R0O4I.tmp\reshacker_setup.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-R0O4I.tmp\reshacker_setup.tmp" /SL5="$B005C,3504386,870400,C:\Users\Admin\Downloads\reshacker_setup.exe"
                        4⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        PID:2320
                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
                          5⤵
                            PID:4480
                          • C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
                            "C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe"
                            5⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            • Modifies registry class
                            • Suspicious behavior: AddClipboardFormatListener
                            • Suspicious behavior: GetForegroundWindowSpam
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:4732

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files (x86)\Resource Hacker\ReadMe.txt
                    Filesize

                    1KB

                    MD5

                    538f09449b7ffc050fb12c809431032c

                    SHA1

                    99c017570afe0674a4968c687f3a037c6ae6d366

                    SHA256

                    f0e3b4d80329ceccc0a86b1a8c4c36410245ddb1de3d4ef80cd7db8cf4e59ec8

                    SHA512

                    4c5bab1c7245f0517f1e0d805ea9e67f765a4de077020d75be319f6fbd17841eb798d654909ccff7bc8c82563ff154f1d619797abf660ce3de0ca5ee73c3fbd0

                    Download Submit

                  • C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe
                    Filesize

                    5.9MB

                    MD5

                    263b8a401528b440657bbdffc64c6487

                    SHA1

                    4e6eb74dc21503925645b3a8e4e8cfc63c6fb237

                    SHA256

                    1227e484f32c34f026f311e60f1abae065e00f203153dbf0623152dedf5cafbd

                    SHA512

                    c267ce96d420a2cd3d89023b7745b207851a9c2ad18f474cc8f4eedd40505b4fd7db347b04f5517eca3caee8974971ce478966a395ed412a9f7b4a7383710053

                    Download Submit

                  • C:\Program Files (x86)\Resource Hacker\ResourceHacker.ini
                    Filesize

                    421B

                    MD5

                    085ea4adb406bfb99b1c0fd5426e56d2

                    SHA1

                    36a5f9efab071aad194006eedb20ae2f39d420b6

                    SHA256

                    4f1035c038026759f92addb25efddd5053dda8b3fc80fdec96dbc97b19487506

                    SHA512

                    d74578913b2a655d44827e061cd2592cf5ee22314a171de88549d15cdc2d42bf83277ce4b26b2f7198494020f7200bfff74e4f07598a9adae7589d2f147ed533

                    Download Submit

                  • C:\Program Files (x86)\Resource Hacker\unins000.exe
                    Filesize

                    2.6MB

                    MD5

                    55abbaa40e0eaeacaabad31eaf9692a0

                    SHA1

                    2684b820255d0c57c0fb8243dc38693fd31d862f

                    SHA256

                    120cfafb05cac4650cb299f05a38422580f0ed6b15bd495d46cf40216c8200f2

                    SHA512

                    9510d1c16c07764d21cac248a784064ec719463927befd9fb33506f6a46617a0e44436ee5d6177a45a69499806f9e4113fcee0ee7f3c09a73bad474e82c7975b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\is-R0O4I.tmp\reshacker_setup.tmp
                    Filesize

                    2.5MB

                    MD5

                    c5cac19a48b63987b767c8ce36a09282

                    SHA1

                    899834cb9faa1a04029403085a761c5a2aae0045

                    SHA256

                    9aec7890b56a86f175957b7a99fe57ce6234d16995e019d3008a5d599fdf8e28

                    SHA512

                    a796cdec441c82353fc160d92af14ade268172b7d232c8f1bcdd5c807b7dce3c4c4cb877b467446b54f058b0bc4219f82ee99df2851d83d121ced2b3674ab1a5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    cf6a3e7dea093888fe40de419a84d561

                    SHA1

                    24f352c447c5c385aa26824bdbf1e099311f7e5c

                    SHA256

                    319c5b0e9aebfd69ec9e9f8c4763fbee1a8c5b2688e200b91b307a0d246e2ffe

                    SHA512

                    4e10740b7219928092d36f6f5ba1f3bc2b7b20fef3a0ffae73a38d51398c8c05130037ebdb918d36db839f71bed522e9747b3076c7a43156d0cefa5c60d166ff

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\477949b4-cceb-4486-95bb-be478cdf0b6f
                    Filesize

                    746B

                    MD5

                    8b234c947b7ee7eadccbbb2bdc132cc6

                    SHA1

                    b8fe6585b0932d21ae53be2a069659859f439ba7

                    SHA256

                    883601364825cfa32239494ebe918aff6cc55172bd9e4393b1349861bbe9fe52

                    SHA512

                    8bb240c4cca94a4faf8d6f4adcca088535b2c28e90a07245d96d20b986ec7ae75018c297433fe9001ce0f256056b3b4459cf9fe3e122dc5b852bcb1d9b673fac

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8d0c63d9-acfa-474d-bd7e-c7a97131191a
                    Filesize

                    10KB

                    MD5

                    3d7ec26816f1a7dc72097b246ad783cc

                    SHA1

                    1026499b46be0343cd6d7d26ac8a6d947c1ee051

                    SHA256

                    22c3546bf9257a7cc42b0321963d691724013ef273933f8779472d9ec0e5c389

                    SHA512

                    44936e38badfd71d6fa358267e34613113c7889a5caab6a628edc3cbdb674a3d1bdf49985ef2ca1c943088f376d876cea7bbc26fd6efa0c512085e06ea893c0e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    811cba473fe92c82b02c00eee4f1ac1c

                    SHA1

                    e04d27aa67f9affed061e47e25759919a2a0ece8

                    SHA256

                    7bd17b71888d6298ac44c1ac6852736d80d391f1539bfcfd6ec8da0844b711ab

                    SHA512

                    ef446961577313c30092d7f16994143f1824af2e3d8221f5a80356e260ba622325cb63c20b13bfba75d7b6ef887ad2cb3e125c209b4b88b43003992cd0dd2ac8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    996B

                    MD5

                    f214b509991579173d62b68ee1baa6de

                    SHA1

                    971440efdb1a24c41aed3a1b5ca6158f19f6b4e0

                    SHA256

                    d8c94f7d3d2ef6da4b326d016f29f59f068d6d295ee49e5e8c482fe8305eebcd

                    SHA512

                    187b72b98d8afdb4f710aa300adf38ae88aeddd2193a7019ad6035780806b1e8be887d5257b26162007a2b64541b9d1c77e5307b391723facd4eede534d619c1

                    Download Submit

                  • C:\Users\Admin\Downloads\reshacker_setup.4HT2Gqc9.exe.part
                    Filesize

                    7KB

                    MD5

                    da4217e7e1212dbd974c37103b0f082d

                    SHA1

                    3434e728a9ac81003dc2ecdf1e613f6ee696cfef

                    SHA256

                    ace32d47a3d2d0c3576bcbd8f7c54abdf30895f40962bed98ffea904afe75a43

                    SHA512

                    b55a165a0df7f592e8b1cc0f1c64945f1896fbe901ba744af70cc58a5090bc90bbf28418efbadcc6d24af6a9704218aa3ab7d3b1eed0eb860b8810718b825006

                    Download Submit

                  • C:\Users\Admin\Downloads\reshacker_setup.exe
                    Filesize

                    4.1MB

                    MD5

                    02eb693dcfb90a696d191badbcf314ce

                    SHA1

                    b1d0352c35d7da251e2fa19ecbe8c1e5286f898f

                    SHA256

                    246457363396dcea4cc3d19ce2a431897bac948ae1694d3e87cc0ebaf2ea39f5

                    SHA512

                    17b6a5f2446459c058bd035df784adad0e58aa7438a56e02fd75c593eb6bae82719b6293de6b1504e1089cade44b5e137771991816d616c08f92eb2c249cc159

                    Download Submit

                  • memory/2320-125-0x0000000000400000-0x0000000000698000-memory.dmp

                    Filesize

                    2.6MB

                    Download

                  • memory/2320-177-0x0000000000400000-0x0000000000698000-memory.dmp

                    Filesize

                    2.6MB

                    Download

                  • memory/4364-116-0x0000000000401000-0x00000000004B7000-memory.dmp

                    Filesize

                    728KB

                    Download

                  • memory/4364-178-0x0000000000400000-0x00000000004E2000-memory.dmp

                    Filesize

                    904KB

                    Download

                  • memory/4364-113-0x0000000000400000-0x00000000004E2000-memory.dmp

                    Filesize

                    904KB

                    Download

                  • memory/4732-187-0x0000000000910000-0x0000000000F2B000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/4732-188-0x0000000000910000-0x0000000000F2B000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/4732-195-0x0000000000910000-0x0000000000F2B000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/4732-209-0x0000000000910000-0x0000000000F2B000-memory.dmp

                    Filesize

                    6.1MB

                    Download