Resubmissions

16/05/2024, 16:02

240516-thaqkacf53 8

16/05/2024, 15:21

240516-srd9nsaf9x 8

16/05/2024, 15:16

240516-snm3eaag66 8

Analysis

  • max time kernel
    9s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2024, 16:02

General

  • Target

    https://www.angusj.com/resourcehacker/reshacker_setup.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.angusj.com/resourcehacker/reshacker_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.angusj.com/resourcehacker/reshacker_setup.exe
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.0.1004542317\1931822946" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1812 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08fdf78-a3f4-4d85-bcff-957aa97979d1} 388 "\\.\pipe\gecko-crash-server-pipe.388" 1892 1862340fe58 gpu
        3⤵
          PID:4772
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.1.2074557064\865863803" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54cab637-aa7e-4a49-b97f-9d739625ce3e} 388 "\\.\pipe\gecko-crash-server-pipe.388" 2488 1861668a858 socket
          3⤵
            PID:2416
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.2.421922996\1092934225" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b39c8d2d-8543-4dfd-834c-91e59cb5c225} 388 "\\.\pipe\gecko-crash-server-pipe.388" 3004 1862624ea58 tab
            3⤵
              PID:1880
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.3.1663468406\118521779" -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3560 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5514d4ab-f380-4b77-a03e-6b2f295a38f4} 388 "\\.\pipe\gecko-crash-server-pipe.388" 3668 18627ebe158 tab
              3⤵
                PID:4452
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.4.1505332724\2065870968" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5092 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ac420a-acc3-496b-b36a-c1c394043986} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5108 1862695dd58 tab
                3⤵
                  PID:4280
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.5.1090475920\1093996933" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2b2dbf-5260-4ea4-ad56-06bcb3734729} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5244 186297bde58 tab
                  3⤵
                    PID:2320
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.6.311649821\1045529264" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f1709ad-cc62-4d6e-a612-76525105a294} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5432 1862a5a6f58 tab
                    3⤵
                      PID:1404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 24KB
    MD5: 0dde86cb559d24d2abb38a5338b8d0ca
    SHA1: dfbb1b537c0e019757716797b552c571d03f215f
    SHA256: 70df25cae1031c34845b7446d76d4b651939dfb59c0aba59e31ab35969f55f76
    SHA512: 97d5aa124ba71160384452aacd51904591c180e5129fd57f5bfb423df550cf32df9f7ee503ee2f741201ed26cefa9a64f5986a7b88e2d1310afae76c28d2273b

  • C:\Users\Admin\Downloads\reshacker_setup.1XnIKnDo.exe.part
    Filesize: 7KB
    MD5: da4217e7e1212dbd974c37103b0f082d
    SHA1: 3434e728a9ac81003dc2ecdf1e613f6ee696cfef
    SHA256: ace32d47a3d2d0c3576bcbd8f7c54abdf30895f40962bed98ffea904afe75a43
    SHA512: b55a165a0df7f592e8b1cc0f1c64945f1896fbe901ba744af70cc58a5090bc90bbf28418efbadcc6d24af6a9704218aa3ab7d3b1eed0eb860b8810718b825006