Analysis
- max time kernel: 414s
- max time network: 1142s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 05/09/2024, 18:38
Static task
- static1

Behavioral tasks (resource win11-20240802-en for every task)
- behavioral1   tabby-1.0.211-setup-x64.exe
- behavioral2   $PLUGINSDIR/StdUtils.dll
- behavioral3   $PLUGINSDIR/System.dll
- behavioral4   $PLUGINSDIR/UAC.dll
- behavioral5   $PLUGINSDIR/WinShell.dll
- behavioral6   resources/builtin-plugins/tabby-terminal/src/features/pathDrop.js
- behavioral7   resources/builtin-plugins/tabby-terminal/src/features/zmodem.js
- behavioral8   resources/builtin-plugins/tabby-terminal/src/frontends/xtermFrontend.js
- behavioral9   resources/builtin-plugins/tabby-terminal/src/middleware/loginScriptProcessing.js
- behavioral10  resources/builtin-plugins/tabby-terminal/src/middleware/oscProcessing.js
- behavioral11  resources/builtin-plugins/tabby-terminal/src/services/multifocus.service.js
- behavioral12  resources/builtin-plugins/tabby-terminal/src/tabContextMenu.js
- behavioral13  resources/elevate.exe
- behavioral14  resources/extras/UAC.exe
- behavioral15  resources/extras/clink/clink.bat
- behavioral16  resources/extras/clink/clink_dll_x64.dll
- behavioral17  resources/extras/clink/clink_dll_x86.dll
- behavioral18  resources/extras/clink/clink_inputrc_base.vbs
- behavioral19  resources/extras/clink/clink_x64.exe
- behavioral20  resources/extras/clink/clink_x86.exe
- behavioral21  vk_swiftshader.dll
- behavioral22  vulkan-1.dll
- behavioral23  $PLUGINSDIR/nsDialogs.dll
- behavioral24  $PLUGINSDIR/nsExec.dll
- behavioral25  $PLUGINSDIR/nsis7z.dll
- behavioral26  $R0/Uninstall Tabby.exe
- behavioral27  $PLUGINSDIR/StdUtils.dll
- behavioral28  $PLUGINSDIR/System.dll
- behavioral29  $PLUGINSDIR/UAC.dll
- behavioral30  $PLUGINSDIR/WinShell.dll
- behavioral31  $PLUGINSDIR/nsDialogs.dll
- behavioral32  $PLUGINSDIR/nsExec.dll
General
- Target: resources/extras/clink/clink.bat
- Size: 1KB
- MD5: 92f56a4f5897f221b6eee82cd60c5eff
- SHA1: c9c89a5904b621befd4b16e9741af5010e52c322
- SHA256: acc35e35933c5388616a37750a77308dc9ea04118b9f3b9dbeeb88e795183d8f
- SHA512: 7c3586332602ad3834b3727aab033c622546ce2a3392160d9b430182a8e467bc7185e13e695fea3a1c385ee5d06394426cdc2bad63b5319b18f1479009f55444
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
    flow  pid   Process
    2     1712  powershell.exe
    3     832   powershell.exe
    5     832   powershell.exe
- Command and Scripting Interpreter: PowerShell
    pid   Process
    3332  powershell.exe
    1712  powershell.exe
    832   powershell.exe
- Loads dropped DLL (1 IoCs)
    pid   Process
    3632  cmd.exe
- Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
    pid   Process
    3332  powershell.exe
    3332  powershell.exe
    1712  powershell.exe
    1712  powershell.exe
    832   powershell.exe
    832   powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  3332  powershell.exe
    Token: SeDebugPrivilege  1712  powershell.exe
    Token: SeDebugPrivilege  832   powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
    description                       pid   Process        procid_target
    PID 2120 wrote to memory of 3632  2120  cmd.exe        81
    PID 2120 wrote to memory of 3632  2120  cmd.exe        81
    PID 3632 wrote to memory of 3044  3632  cmd.exe        83
    PID 3632 wrote to memory of 3044  3632  cmd.exe        83
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3044 wrote to memory of 3632  3044  clink_x64.exe  81
    PID 3632 wrote to memory of 2844  3632  cmd.exe        84
    PID 3632 wrote to memory of 2844  3632  cmd.exe        84
    PID 2844 wrote to memory of 3332  2844  cmd.exe        85
    PID 2844 wrote to memory of 3332  2844  cmd.exe        85
    PID 3632 wrote to memory of 1488  3632  cmd.exe        86
    PID 3632 wrote to memory of 1488  3632  cmd.exe        86
    PID 1488 wrote to memory of 1712  1488  cmd.exe        87
    PID 1488 wrote to memory of 1712  1488  cmd.exe        87
    PID 3632 wrote to memory of 6016  3632  cmd.exe        88
    PID 3632 wrote to memory of 6016  3632  cmd.exe        88
    PID 6016 wrote to memory of 832   6016  cmd.exe        89
    PID 6016 wrote to memory of 832   6016  cmd.exe        89
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink.bat"
      PID: 2120
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /s /k ""C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink.bat" inject "
        PID: 3632
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink_x64.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\\clink_x64.exe" inject
          PID: 3044
          - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-Host | Select-Object Version"
          PID: 2844
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-Host | Select-Object Version"
            PID: 3332
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest -Headers @{\"cache-control\"=\"no-cache\"} -UseBasicParsing https://api.github.com/repos/chrisant996/clink/releases/latest | Select-Object -ExpandProperty Content"
          PID: 1488
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest -Headers @{\"cache-control\"=\"no-cache\"} -UseBasicParsing https://api.github.com/repos/chrisant996/clink/releases/latest | Select-Object -ExpandProperty Content"
            PID: 1712
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest 'https://github.com/chrisant996/clink/releases/download/v1.6.21/clink.1.6.21.f97375.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\clink\updater\v1.6.21.zip'"
          PID: 6016
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest 'https://github.com/chrisant996/clink/releases/download/v1.6.21/clink.1.6.21.f97375.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\clink\updater\v1.6.21.zip'"
            PID: 832
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5:    5f4c933102a824f41e258078e34165a7
  SHA1:   d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
- Filesize: 1KB
  MD5:    dd3474e6a72c08266c25f196f78b13fd
  SHA1:   b70c6bbd7794b49b6b9afa6343987a7f553d1268
  SHA256: 82acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318
  SHA512: cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d
- Filesize: 1KB
  MD5:    d857ee2f6639a42a68ebfff90f404a00
  SHA1:   0325eb9c9ced9cd258d57e1d09eee72adff69129
  SHA256: ebcae1dae5289bfa4678ef3d9c558f530354dc87091843a5bf8873cfc8e6c7ee
  SHA512: 2716c99710ba6963e16c8b862207f203ca3b5197d4bf51a3faf00a3dd48b2f8ac499fb99b4e018ff66c9ec8d7fa0805cb72d4b4fa6cef59f9368e9744601a38b
- Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.8MB
  MD5:    4ffaa31f19440b338e62ac46e5810bc3
  SHA1:   c4491fff894f40c65ed04cd7c9c43635ef0f44a3
  SHA256: fdef73d692e2e181075bf43a05cd7ebe551f6b1be31f4d471ff709f83a549612
  SHA512: f917d8a90e86f9542e56e8c80cda7362bb3fefdbbb7a094f5a518b35a74bb1394f5e7dfbc8a928a8de7a0bc7b40d4d5e9ce7192d1207dc287c18305e8b2c7aae
- Filesize: 74B
  MD5:    6fbfaa5b87464c61c6bbc93caf1b880c
  SHA1:   681a6b7ecd31f4aaeb62a02d05b80fcafba617c5
  SHA256: dcaf04b661dac6559953a2a62b3c17c46ab95136a259dab782c9237c52e74513
  SHA512: a6e07d3758d76f92a49d2b4c9f04a94dacd57f052169f7f907ff937997937a0972d58d005a667bc0bdb9e0a163e8cafb67772d6b8e247349153de7e1ac448a4b
- Filesize: 1KB
  MD5:    1ee6eadb98288ed8f4c0523d0cb91d8e
  SHA1:   2089826e009345b82fe6090d386babc080161f6a
  SHA256: c6f161772224e23e32173e2775adf725e04b03370c9e48c1222c8901f12fdc00
  SHA512: 6592fbc66d44c07308f5671536276a4e3f1ffb02a44d4d0cccdffcc48086bcd7405721297d19466fcb0bc3d78477402ed32554edd7dfc9bbdaef9394382acd32
- Filesize: 3KB
  MD5:    b492373087082bfc6b39bdd522c4315d
  SHA1:   b580bc7ed2c1863d2d6968947c6a3443260c000e
  SHA256: b53abdd9b9328676a39626b2e18f8f679e87374bd7a3bc4345d2fd323a8e2087
  SHA512: defde0919210478ca38dc2be92144155776f0a50ae0a5e0a3db6537dbb9eb4c06d0272feab87191eee26b41a6626419bb218ea93fe8987c48fa1aecd5e19d13a
- Filesize: 583B
  MD5:    3aa6d3522cb4fbd2993b5ea4c55ec65d
  SHA1:   dd9c5da280756698ea2c0a8b2735ff0f4a5e31b9
  SHA256: 7f7f7e9e0a4c1b0c36d0d9fb83e4eecb3e60337bd2807e580dbf3b7ed261d3f0
  SHA512: 5a203a17b34a79e6e438ffd529a1fe6158cd23d306e1c1cda11d27fb19470b1ab82b084ec31b5b170a682db0318225a08dfcb19cc4c4e860b6782918ab8d27c7