hxxps://www[.]angusj[.]com/resourcehacker/reshacker_setup[.]exe

Resubmissions

16/05/2024, 16:02

240516-thaqkacf53 8

16/05/2024, 15:21

240516-srd9nsaf9x 8

16/05/2024, 15:16

240516-snm3eaag66 8

Analysis

max time kernel
11s
max time network
13s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16/05/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.angusj.com/resourcehacker/reshacker_setup.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	firefox.exe
Token: SeDebugPrivilege	2460	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe
2460	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 760 wrote to memory of 2460	760	firefox.exe	77
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 3100	2460	firefox.exe	78
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79
PID 2460 wrote to memory of 1480	2460	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.angusj.com/resourcehacker/reshacker_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:760
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.angusj.com/resourcehacker/reshacker_setup.exe
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.0.448880420\1146352655" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41458250-3bc3-438a-bfb4-779295a46f5c} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1832 1cba4f0ef58 gpu
    3⤵
    PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.1.479369019\1508051358" -parentBuildID 20230214051806 -prefsHandle 2332 -prefMapHandle 2320 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3925e7-c1a3-48b0-a977-dba56ca0dc68} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2360 1cb9828a858 socket
    3⤵
    PID:1480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.2.372823377\1944143145" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2baa9b1-dce3-4fb9-b030-0f88f14edf8c} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2968 1cba7f32f58 tab
    3⤵
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.3.540313016\1721498224" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3556 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1aa4608-5449-4698-978d-ab546c55efd5} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3640 1cbaab2d658 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.4.1814185062\1859350669" -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5188 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {421cab0a-f4b3-443a-8b30-bc71eb644869} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5204 1cbacb73058 tab
    3⤵
    PID:3652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.5.1679360911\1717877378" -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12d1194c-275f-4d4b-a05c-38027b36cd8b} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5316 1cbad396c58 tab
    3⤵
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.6.1131730430\568012492" -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d38ca651-8e45-4ce6-81bb-c79b0ee2d4f0} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 5516 1cbad397258 tab
    3⤵
    PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
679a07aa30bbeecc7df575c456f2a871

SHA1
a8cdaa2e5c8ef3dc8e1b378f4773002742aeb3a8

SHA256
0e1e4b3263ab27b5c60e9f442b5139f3e29cb33bd556f4d16d999d7ba9e05f95

SHA512
5e2bc91c84cad3ad7efeae30ec361a9b1c6b73dc080eaafa8095a3a04ce25a75c51e86cbfda4323a5f528fd4e82fb0342bb653f5ac9ff2db7e062dab3689bc0f

Download Submit
C:\Users\Admin\Downloads\reshacker_setup.lh1mO4CR.exe.part

Filesize
190KB

MD5
28a0ec4e601080c1b1b9939d3b11d80f

SHA1
c8719c5347065d560b1a1b1182edb0c10deec128

SHA256
4972f5abb35d4b43cee2036c9c7935f6514a05bee248c94c663fe1d7778c9ebb

SHA512
9ab9b38246344413c2b1d0e3b87d5413bec8dee888f291624ab95877b14c9bece8700ab2c9714f21c5b46c7d69494ca9c0707672dc8eb1a494bb7e4bd0fed0bf

Download Submit