Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 16:43
Static task: static1
Behavioral task: behavioral1
  Sample: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
  Resource: win10v2004-20220901-en
General
Target: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Size: 275KB
MD5: 0ff2d18f373246c3a611c0996d0452d9
SHA1: b0e39cb91ddcd2b87d56122cb243b7e2faae1a18
SHA256: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799
SHA512: e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b
SSDEEP: 6144:yniHo6nx2QY7slAFRWNBfrrWK0uTNRiuooqp6pfwWm+gIdJI7l:ySo6xg5kN530xuooqMVwsgN
Malware Config
Signatures
Adds policy Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Disables RegEdit via registry modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Executes dropped EXE 4 IoCs
pid | Process
1480 | KHATRA.exe
1748 | Xplorer.exe
1280 | gHost.exe
1456 | KHATRA.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
pid | Process
1120 | netsh.exe
1676 | netsh.exe
1616 | netsh.exe
Loads dropped DLL 6 IoCs
pid | Process
1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
1748 | Xplorer.exe
1748 | Xplorer.exe
1748 | Xplorer.exe
1748 | Xplorer.exe
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Key queried | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
Key queried | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe" | KHATRA.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | gHost.exe
File opened (read-only) | \??\g: | gHost.exe
File opened (read-only) | \??\j: | gHost.exe
File opened (read-only) | \??\k: | gHost.exe
File opened (read-only) | \??\p: | gHost.exe
File opened (read-only) | \??\s: | gHost.exe
File opened (read-only) | \??\y: | gHost.exe
File opened (read-only) | \??\f: | gHost.exe
File opened (read-only) | \??\i: | gHost.exe
File opened (read-only) | \??\n: | gHost.exe
File opened (read-only) | \??\r: | gHost.exe
File opened (read-only) | \??\t: | gHost.exe
File opened (read-only) | \??\x: | gHost.exe
File opened (read-only) | \??\e: | gHost.exe
File opened (read-only) | \??\h: | gHost.exe
File opened (read-only) | \??\l: | gHost.exe
File opened (read-only) | \??\q: | gHost.exe
File opened (read-only) | \??\u: | gHost.exe
File opened (read-only) | \??\v: | gHost.exe
File opened (read-only) | \??\a: | gHost.exe
File opened (read-only) | \??\m: | gHost.exe
File opened (read-only) | \??\o: | gHost.exe
File opened (read-only) | \??\w: | gHost.exe
File opened (read-only) | \??\z: | gHost.exe
Modifies WinLogon 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1148-55-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1480-64-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1748-83-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1280-84-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1480-113-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1456-122-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1148-137-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1748-139-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
behavioral1/memory/1280-140-0x0000000000400000-0x000000000049C000-memory.dmp | autoit_exe
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
Drops file in System32 directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
Drops file in Windows directory 18 IoCs
description | ioc | Process
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\system\gHost.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File created | C:\Windows\System\gHost.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File created | C:\Windows\KHATARNAKH.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ = "_TaskRequestItem" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ = "_FormRegionStartup" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ = "_OlkSenderPhoto" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046} | OUTLOOK.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2036 | OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe (this same row is repeated for every one of the 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1748 | Xplorer.exe
1280 | gHost.exe
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
1480 | KHATRA.exe
2036 | OUTLOOK.EXE
2036 | OUTLOOK.EXE
2036 | OUTLOOK.EXE
1456 | KHATRA.exe
Suspicious use of SendNotifyMessage 5 IoCs
pid | Process
1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
1480 | KHATRA.exe
2036 | OUTLOOK.EXE
2036 | OUTLOOK.EXE
1456 | KHATRA.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2036 | OUTLOOK.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1148 wrote to memory of 1480 | 1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe | 27 (4 identical rows)
PID 1480 wrote to memory of 1748 | 1480 | KHATRA.exe | 28 (4 identical rows)
PID 1748 wrote to memory of 1280 | 1748 | Xplorer.exe | 29 (4 identical rows)
PID 1148 wrote to memory of 1764 | 1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe | 30 (4 identical rows)
PID 1764 wrote to memory of 1252 | 1764 | cmd.exe | 32 (4 identical rows)
PID 1148 wrote to memory of 1396 | 1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe | 33 (4 identical rows)
PID 1396 wrote to memory of 1744 | 1396 | cmd.exe | 35 (4 identical rows)
PID 1480 wrote to memory of 1740 | 1480 | KHATRA.exe | 36 (4 identical rows)
PID 1740 wrote to memory of 1960 | 1740 | cmd.exe | 38 (4 identical rows)
PID 1480 wrote to memory of 1448 | 1480 | KHATRA.exe | 39 (4 identical rows)
PID 1448 wrote to memory of 1948 | 1448 | cmd.exe | 41 (4 identical rows)
PID 1148 wrote to memory of 1628 | 1148 | 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe | 42 (4 identical rows)
PID 1480 wrote to memory of 1728 | 1480 | KHATRA.exe | 43 (4 identical rows)
PID 1728 wrote to memory of 428 | 1728 | cmd.exe | 47 (7 identical rows)
PID 1628 wrote to memory of 1700 | 1628 | cmd.exe | 46 (5 identical rows)
outlook_win_path 1 IoCs
description: Key queried
ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Process: OUTLOOK.EXE
Processes (process tree; the bracketed number is the nesting depth)
[1] C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe"
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1148
    [2] C:\Windows\SysWOW64\KHATRA.exe
      Command line: C:\Windows\system32\KHATRA.exe
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1480
        [3] C:\Windows\Xplorer.exe
          Command line: "C:\Windows\Xplorer.exe" /Windows
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of WriteProcessMemory
          PID: 1748
            [4] C:\Windows\System\gHost.exe
              Command line: "C:\Windows\System\gHost.exe" /Reproduce
              - Executes dropped EXE
              - Enumerates connected drives
              - Suspicious behavior: GetForegroundWindowSpam
              PID: 1280
            [4] C:\Windows\SysWOW64\KHATRA.exe
              Command line: C:\Windows\system32\KHATRA.exe
              - Adds policy Run key to start application
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - Modifies WinLogon
              - Drops autorun.inf file
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              PID: 1456
                [5] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
                  PID: 808
                    [6] C:\Windows\SysWOW64\at.exe
                      Command line: AT /delete /yes
                      PID: 1484
                [5] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                  PID: 852
                    [6] C:\Windows\SysWOW64\at.exe
                      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                      PID: 1804
                [5] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
                  PID: 1188
                    [6] C:\Windows\SysWOW64\regsvr32.exe
                      Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
                      PID: 996
                [5] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                  PID: 1700
                    [6] C:\Windows\SysWOW64\netsh.exe
                      Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                      - Modifies Windows Firewall
                      PID: 1616
        [3] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
          - Suspicious use of WriteProcessMemory
          PID: 1740
            [4] C:\Windows\SysWOW64\at.exe
              Command line: AT /delete /yes
              PID: 1960
        [3] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
          - Suspicious use of WriteProcessMemory
          PID: 1448
            [4] C:\Windows\SysWOW64\at.exe
              Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
              PID: 1948
        [3] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
          - Suspicious use of WriteProcessMemory
          PID: 1728
            [4] C:\Windows\SysWOW64\regsvr32.exe
              Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
              PID: 428
        [3] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
          PID: 1860
            [4] C:\Windows\SysWOW64\netsh.exe
              Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
              - Modifies Windows Firewall
              PID: 1120
    [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
      - Suspicious use of WriteProcessMemory
      PID: 1764
        [3] C:\Windows\SysWOW64\at.exe
          Command line: AT /delete /yes
          PID: 1252
    [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      - Suspicious use of WriteProcessMemory
      PID: 1396
        [3] C:\Windows\SysWOW64\at.exe
          Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
          PID: 1744
    [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      - Suspicious use of WriteProcessMemory
      PID: 1628
        [3] C:\Windows\SysWOW64\regsvr32.exe
          Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
          PID: 1700
    [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID: 1708
        [3] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
          - Modifies Windows Firewall
          PID: 1676
[1] C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - outlook_win_path
  PID: 2036
Network
MITRE ATT&CK Enterprise v6
Downloads