Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 07:52
Static task: static1
Behavioral task: behavioral1
  Sample: OpenHashTab_setup.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: OpenHashTab_setup.exe
  Resource: win10v2004-20240508-en
General
Target: OpenHashTab_setup.exe
Size: 10.3MB
MD5: 49356c6f4ece9852430d888542883102
SHA1: 11f025d8f43d5411312eed035b09c813d01d7cab
SHA256: 9966e3ed6693dfc42904a2aaa1b294a2cd1edd059ef795729a76956cc21cd239
SHA512: 52e8fbb83b1f99bbc58b97eeed7bcda0053888e3423e608f3e09762313a6d0bfee78d353ea36048971ccf68086ca1879cfe5000d608b18148686741d9b5bd15c
SSDEEP: 196608:NA/XXiLssSWCVCbfgj0UFw/uRPl45Pqp65yT9v3rN7sW58NTL:2/HiMWuCb4gePlSPqp3x3r9cNv
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1676 | OpenHashTab_setup.tmp
Loads dropped DLL (6 IoCs)
  pid | Process
  856 | OpenHashTab_setup.exe
  1268 | Process not Found
  1268 | Process not Found
  1268 | Process not Found
  1268 | Process not Found
  1268 | Process not Found
Registers COM server for autorun (1 TTP, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\OpenHashTab\\OpenHashTab.dll" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32\ThreadingModel = "Apartment" | OpenHashTab_setup.tmp
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1sum\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha224\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha512 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha512\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab\ = "Checksum file" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\OpenHashTab\\StandaloneStub.exe\" \"%1\"" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab\DefaultIcon | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.xxh3-64\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sums\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32\ThreadingModel = "Apartment" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\AllFilesystemObjects\shellex\PropertySheetHandlers | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha256sum | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sfv\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\ = "OpenHashTab Shell Extension" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha256sums | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-384 | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.blake2sp | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.xxh64\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.hash | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.hash\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.ripemd160 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1sums\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-384\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha224 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-512\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-224\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9} | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha384\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\AllFilesystemObjects\shellex\ContextMenuHandlers\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9} | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5sums | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.xxh64 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.xxh3-128\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md4 | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab\shell\open\command | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-256\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\OpenHashTab\shell\open | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1 | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1sum | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha1sums | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.blake2sp\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\OpenHashTab\\OpenHashTab.dll" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\AllFilesystemObjects\shellex\PropertySheetHandlers\{23b5bdd4-7669-42b8-9cdc-beebc8a5baa9} | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md4\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sfv | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-256 | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\AllFilesystemObjects | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5sums\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha512sums\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.ph256-528\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.xxh32\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\AllFilesystemObjects\shellex\ContextMenuHandlers | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5sum | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.k12-264\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.ph128-264 | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.md5sum\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha224sum\ = "OpenHashTab" | OpenHashTab_setup.tmp
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sha3-224 | OpenHashTab_setup.tmp
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1676 | OpenHashTab_setup.tmp
  1676 | OpenHashTab_setup.tmp
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1676 | OpenHashTab_setup.tmp
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
  PID 856 wrote to memory of 1676 | 856 | OpenHashTab_setup.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\OpenHashTab_setup.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenHashTab_setup.exe"
  PID: 856
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-TKQOK.tmp\OpenHashTab_setup.tmp (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-TKQOK.tmp\OpenHashTab_setup.tmp" /SL5="$70120,9830692,832512,C:\Users\Admin\AppData\Local\Temp\OpenHashTab_setup.exe"
    PID: 1676
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
C:\Windows\explorer.exe (level 1)
  Command line: "C:\Windows\explorer.exe"
  PID: 1732
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
  MD5: 0ad5f016db8d7c911ba2bd2470fa707c
  SHA1: f2a546b69086c0e6f58ed101306b260ed6572d41
  SHA256: 0578254906516cdcf2237fe7793c80643e1793b063f82be214b04c57515c36e2
  SHA512: cff8782dbe8891d4b53ef596b0f5b3b8e7455f1d1de3ba0937a979ad5f483f23e324a2d90846a64e0c506eb7bcba2bf9f358f952e00b8d8c2d4a6982d008f389
Filesize: 415KB
  MD5: 8c8d31710423915facaf2f9eecf3f05a
  SHA1: f03a6fc79991b09492ab2801a74c90a34ed8132c
  SHA256: 09193aa394884b51e246080c8677779c05d900c5338fbfb9c4a45e075109212b
  SHA512: 40bfa84c9a604bf48027fba9aa5c1147c543c6de2e00d44bbdba6dd8176651fdc9f5f5e36ad393398c3d32c737d912887c4771878d3d46d42920e14f84c4cdf8
Filesize: 459KB
  MD5: 464e0d21c1146e5055f8d585f14e7698
  SHA1: a97d691ad14d262a5fe465087760716adca52433
  SHA256: 208fa335987d1f9a3daaab317d38f2c7dbc8c2eccada5b801d37c4008a5bf363
  SHA512: 87ac0e3805bd0ba4e853087e7d0adccfd9661ccc880951f2f26d8be9e7c22407e541a5008d3442829e5d5c8523926b2a101cd0e198efce9b4152cecb411f4718
Filesize: 451KB
  MD5: f8be4899d77a7a8bf9ff9b8ad1dc264f
  SHA1: 9dd0008dfe8bf9ff0325e892ce445121e4513237
  SHA256: 60bbc0e3f6d9a129eb17e1c8395f027b4bfc03d9cd637b8577033ef59df80f6c
  SHA512: 2be3b5652536ee7c9cabf9019271639d4e02c67f8ba6c6e696074113b8be8f5d2f4368a64f6104552963748d47524ad8a11792dad5fff52dcfb97c056ca7f0bd
Filesize: 374KB
  MD5: 8d15352ee978639c38fe10c7685c54d0
  SHA1: d2af35377c0bca45e3174f6079f749345d9eb36e
  SHA256: 7688bb081b8284d79efb47de464863e00c4d1ce92f82e26ab9684a9934ee2c04
  SHA512: cce27b696af8a47dcbe00d0f679d5c310d53af40648b181e4254abbca9fdc7127cbbbb4de33117abe70ea076c19b835a1b8e42e061663ee4393e949ef1096e9a
Filesize: 907KB
  MD5: 20e816a518b540c57b20e602b9b80815
  SHA1: 8bf329a5f89079738084dd0cdc13a87c8d22d737
  SHA256: 4d106bb9f1d43fd17c9f710dc6e9a8d6962d4c6adf3306fce1ed96bc08f6f02b
  SHA512: b5de9bd67360a5674b505eb2dcd736b9fed3f58185fe015731b550e87a6455fec8744d46265ced0ebea9ef032df4b65d953f74fca2770fab296e9f14fdf06cb0