Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

- max time kernel: 140s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04/11/2022, 09:42
Static task
- static1

Behavioral tasks
- behavioral1: Sample HashTab-V6.3 完美汉化版/HashTab32.dll; Resource win7-20220812-en
- behavioral2: Sample HashTab-V6.3 完美汉化版/HashTab32.dll; Resource win10v2004-20220812-en
- behavioral3: Sample HashTab-V6.3 完美汉化版/HashTab64.dll; Resource win7-20220901-en
- behavioral4: Sample HashTab-V6.3 完美汉化版/HashTab64.dll; Resource win10v2004-20220812-en
- behavioral5: Sample HashTab-V6.3 完美汉化版/卸载HashTab.bat; Resource win7-20220812-en
- behavioral6: Sample HashTab-V6.3 完美汉化版/卸载HashTab.bat; Resource win10v2004-20220812-en
- behavioral7: Sample HashTab-V6.3 完美汉化版/启用HashTab.bat; Resource win7-20220901-en
- behavioral8: Sample HashTab-V6.3 完美汉化版/启用HashTab.bat; Resource win10v2004-20220812-en
General

- Target: HashTab-V6.3 完美汉化版/卸载HashTab.bat
- Size: 704B
- MD5: 3adfe17f52697ce09b1bcdc16e294a8f
- SHA1: e2bdcf9f4136491e59a831b2cb3ca7ebf0d127fc
- SHA256: 7a1ed410e90c1228d87956ade23f5756be2e1836b445b284db887caa1c438855
- SHA512: c563cd7b8e0e2ffb038614f6d04571911c1a99bec6d0d3b4769db8499569e5a7b3ddb94f846983af6f6a643e9408252474a78a24e05d9e548ff62342474b4b3f
Malware Config
Signatures

- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)
- Kills process with taskkill (1 IoC)
  - pid 1480, process taskkill.exe
- Modifies registry class (5 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings (process: explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  - pid 1488, process regsvr32.exe
  - pid 980, process regsvr32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 1688, process explorer.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  - Token: SeDebugPrivilege, pid 1480, taskkill.exe
  - Token: SeShutdownPrivilege, pid 1688, explorer.exe (recorded 10 times)
  - Token: 33, pid 768, AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, pid 768, AUDIODG.EXE
  - Token: 33, pid 768, AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, pid 768, AUDIODG.EXE
  - Token: SeShutdownPrivilege, pid 1688, explorer.exe (recorded 2 times)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  - pid 1688, process explorer.exe (the same pid/process pair is recorded 25 times)
- Suspicious use of SendNotifyMessage (17 IoCs)
  - pid 1688, process explorer.exe (the same pid/process pair is recorded 17 times)
- Suspicious use of WriteProcessMemory (22 IoCs)
  - PID 1500 (cmd.exe) wrote to memory of 1632, procid_target 28 (recorded 3 times)
  - PID 1500 (cmd.exe) wrote to memory of 1488, procid_target 29 (recorded 5 times)
  - PID 1500 (cmd.exe) wrote to memory of 980, procid_target 30 (recorded 5 times)
  - PID 1500 (cmd.exe) wrote to memory of 1448, procid_target 31 (recorded 3 times)
  - PID 1500 (cmd.exe) wrote to memory of 1480, procid_target 32 (recorded 3 times)
  - PID 1500 (cmd.exe) wrote to memory of 1688, procid_target 34 (recorded 3 times)
Processes

- C:\Windows\system32\cmd.exe
  command: cmd /c "C:\Users\Admin\AppData\Local\Temp\HashTab-V6.3 完美汉化版\卸载HashTab.bat"
  PID: 1500
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe
    command: REG.exe query "HKU\S-1-5-19"
    PID: 1632
  - C:\Windows\system32\regsvr32.exe
    command: regsvr32 /s /u "C:\Windows\System32\HashTab64.dll"
    PID: 1488
    signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\system32\regsvr32.exe
    command: regsvr32 /s /u "C:\Windows\System32\HashTab32.dll"
    PID: 980
    signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\system32\reg.exe
    command: reg delete "HKEY_CURRENT_USER\SOFTWARE\HashTab" /f
    PID: 1448
  - C:\Windows\system32\taskkill.exe
    command: taskkill /f /im explorer.exe
    PID: 1480
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\explorer.exe
    command: explorer
    PID: 1688
    signatures: Modifies Installed Components in the registry; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  command: C:\Windows\system32\AUDIODG.EXE 0x5a0
  PID: 768
  signatures: Suspicious use of AdjustPrivilegeToken