719ba6e1ffc43e8bc09325caa5ccce24dc0a93751e67c17ce758acaf2d81d594

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/11/2022, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HashTab-V6.3 完美汉化版/HashTab64.dll
Size

1.2MB
MD5

08cf369a6a98a4b36b04cc720d4ba2cd
SHA1

f5a579215cd7428c960066cf0125f912ba7d7d42
SHA256

c4b1a0bd0d7a1648e95c4cddd854cf63b1ffe0d6b17ceeaeb04c73ac8759d39e
SHA512

12c6ebae3f84435836a17de5eef96b7587c0b88e828349be45f6fa69cfc60a2200c8073ca22a6537d8864b73669ae581910c0c108010fe169aff73eec3974198
SSDEEP

24576:KqSCTJeq4W2L/yF6/D48i8Kfy5w0aEJiBjkL9hhKfVwe:qCgGF68kK6mtTBChwV9

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ = "IHasher"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\CLSID\ = "{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版\\HashTab64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\ProgID\ = "HashTab.DropTargetImpl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ = "IHashPage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\CurVer\ = "HashTab.HashPage.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\HashTab	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\ = "IHashMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\HashTab.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\HashTab\ = "{8A56567E-A333-4843-B6E1-C3A262E41D8C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\ = "IReportProgress"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\ProgID\ = "HashTab.HashPage.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1\CLSID\ = "{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ = "IDropTargetImpl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\ = "DropTargetImpl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HashTab-V6.3 完美汉化版"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\ = "IHashMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\HashTab-V6.3 完美汉化版\HashTab64.dll"
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-54-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download