Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 03:43
Static task: static1
Behavioral task: behavioral1
- Sample: 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Resource: win10v2004-20220812-en
General
- Target: 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Size: 457KB
- MD5: 4303740f657093a0dbcc65ffb1896700
- SHA1: 41f6fc777321df9088b468b7a233dfc27276b343
- SHA256: 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
- SHA512: eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
- SSDEEP: 12288:QSo6xg5kN530xuooqMVwsgS0Tyv9H7ef/:Y6u5030x+gS0TyvN+
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects file using ACProtect software.
Processes (resource | yara_rule):
- C:\Windows\SysWOW64\avphost.dll | acprotect
- \Windows\SysWOW64\avphost.dll | acprotect
- \Windows\SysWOW64\avphost.dll | acprotect
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Disables RegEdit via registry modification (2 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Executes dropped EXE (3 IoCs)
Processes (pid | process):
- 1500 | KHATRA.exe
- 1136 | Xplorer.exe
- 1400 | gHost.exe
Modifies Windows Firewall (1 TTPs, 2 IoCs)
Processes (resource | yara_rule):
- C:\Windows\SysWOW64\avphost.dll | upx
- \Windows\SysWOW64\avphost.dll | upx
- \Windows\SysWOW64\avphost.dll | upx
Loads dropped DLL (6 IoCs)
Processes (pid | process):
- 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- 1136 | Xplorer.exe
- 1136 | Xplorer.exe
- 2036 | regsvr32.exe
- 1604 | regsvr32.exe
Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
- Key queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
- Key queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | KHATRA.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
- File opened (read-only) | \??\k:, \??\r:, \??\s:, \??\z:, \??\i:, \??\q:, \??\v:, \??\w:, \??\y:, \??\p:, \??\e:, \??\f:, \??\l:, \??\m:, \??\n:, \??\t:, \??\b:, \??\g:, \??\h:, \??\j:, \??\o:, \??\u:, \??\x:, \??\a: (one IoC per drive letter) | gHost.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
- behavioral1/memory/1736-55-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1500-78-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1136-79-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1400-80-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1736-114-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1500-115-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1136-117-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral1/memory/1400-118-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description | ioc | process):
- File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
Drops file in System32 directory (19 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
- File created | C:\Windows\SysWOW64\KHATRA.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
- File created | C:\Windows\SysWOW64\avphost.dll | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
- File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
- File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
- File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
- File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\SysWOW64\avphost.dll | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
Drops file in Windows directory (14 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
- File opened for modification | C:\Windows\Xplorer.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File created | C:\Windows\KHATARNAKH.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
- File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
- File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
- File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
- File created | C:\Windows\System\gHost.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
- File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
- File created | C:\Windows\Xplorer.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\system\gHost.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\KHATARNAKH.exe | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- File opened for modification | C:\Windows\inf\Autoplay.inF | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Modifies registry class (64 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\ = "_Explorers" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ = "UserProperty" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ = "_TaskRequestDeclineItem" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\ = "Mail Class" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\TypeLib | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ = "ItemsEvents" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ = "IMail" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ = "_FormNameRuleCondition" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ = "OlkSenderPhotoEvents" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ = "_Inspector" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046} | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ = "_CalendarSharing" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid | process):
- 1592 | OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; identical rows collapsed, count in parentheses):
- 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe (x64)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid | process):
- 1136 | Xplorer.exe
- 1400 | gHost.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes (pid | process):
- 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- 1500 | KHATRA.exe
- 1592 | OUTLOOK.EXE
- 1592 | OUTLOOK.EXE
- 1592 | OUTLOOK.EXE
Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid | process):
- 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
- 1500 | KHATRA.exe
- 1592 | OUTLOOK.EXE
- 1592 | OUTLOOK.EXE
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
- 1592 | OUTLOOK.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process; identical rows collapsed, count in parentheses):
- PID 1736 wrote to memory of 1500 | 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe | KHATRA.exe (x4)
- PID 1500 wrote to memory of 1136 | 1500 | KHATRA.exe | Xplorer.exe (x4)
- PID 1136 wrote to memory of 1400 | 1136 | Xplorer.exe | gHost.exe (x4)
- PID 1736 wrote to memory of 1708 | 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe | cmd.exe (x4)
- PID 1708 wrote to memory of 1592 | 1708 | cmd.exe | at.exe (x4)
- PID 1736 wrote to memory of 1184 | 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe | cmd.exe (x4)
- PID 1184 wrote to memory of 688 | 1184 | cmd.exe | at.exe (x4)
- PID 1500 wrote to memory of 764 | 1500 | KHATRA.exe | cmd.exe (x4)
- PID 764 wrote to memory of 1668 | 764 | cmd.exe | at.exe (x4)
- PID 1500 wrote to memory of 1588 | 1500 | KHATRA.exe | cmd.exe (x4)
- PID 1588 wrote to memory of 1664 | 1588 | cmd.exe | at.exe (x4)
- PID 1736 wrote to memory of 2044 | 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe | cmd.exe (x4)
- PID 2044 wrote to memory of 2036 | 2044 | cmd.exe | regsvr32.exe (x7)
- PID 1736 wrote to memory of 1700 | 1736 | 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe | cmd.exe (x4)
- PID 1500 wrote to memory of 840 | 1500 | KHATRA.exe | cmd.exe (x4)
- PID 1700 wrote to memory of 1628 | 1700 | cmd.exe | netsh.exe (x1)
outlook_win_path 1 IoCs
Processes:
OUTLOOK.EXE
description ioc process
Key queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook OUTLOOK.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe  |  "C:\Users\Admin\AppData\Local\Temp\4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe"  |  depth 1
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exe  |  C:\Windows\system32\KHATRA.exe  |  depth 2
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Xplorer.exe  |  "C:\Windows\Xplorer.exe" /Windows  |  depth 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System\gHost.exe  |  "C:\Windows\System\gHost.exe" /Reproduce  |  depth 4
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C AT /delete /yes  |  depth 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exe  |  AT /delete /yes  |  depth 4
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe  |  depth 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exe  |  AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe  |  depth 4
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll  |  depth 3
-
C:\Windows\SysWOW64\regsvr32.exe  |  RegSvr32 /S C:\Windows\system32\avphost.dll  |  depth 4
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System  |  depth 3
-
C:\Windows\SysWOW64\netsh.exe  |  netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System  |  depth 4
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C AT /delete /yes  |  depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exe  |  AT /delete /yes  |  depth 3
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe  |  depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exe  |  AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe  |  depth 3
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll  |  depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe  |  RegSvr32 /S C:\Windows\system32\avphost.dll  |  depth 3
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System  |  depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe  |  netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System  |  depth 3
- Modifies Windows Firewall
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE  |  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding  |  depth 1
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize 1KB
MD5 2aba9469865c28e00a3ca0ff21661d0b
SHA1 ecf40e88a3d587018209fa66fdfb7c7dc72ce540
SHA256 060569e43af81d3e4a34c5b363b2b8952f37aa0be32f2e6c35bf7a85452c6cbe
SHA512 269cba4790dd2dd53793b21da8456d40828fdf4ba014fc335b795b17bd604b290f9b345aae18323a437cf1c1a64844d74b9a1a655a74c11e063bd58f5fd52950
-
C:\Windows\KHATARNAKH.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\avphost.dll
Filesize 127KB
MD5 d47ebd342b6906a2fda10d70560bcd5a
SHA1 c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA256 00a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512 626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\Xplorer.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\inf\Autoplay.inF
Filesize 234B
MD5 7ae2f1a7ce729d91acfef43516e5a84c
SHA1 ebbc99c7e5ac5679de2881813257576ec980fb44
SHA256 43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512 915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\system\gHost.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\\KHATRA.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
\Windows\SysWOW64\KHATRA.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
\Windows\SysWOW64\avphost.dll
Filesize 127KB
MD5 d47ebd342b6906a2fda10d70560bcd5a
SHA1 c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA256 00a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512 626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
\Windows\system\gHost.exe
Filesize 457KB
MD5 4303740f657093a0dbcc65ffb1896700
SHA1 41f6fc777321df9088b468b7a233dfc27276b343
SHA256 4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512 eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-