Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 16:43

General

  • Target

    31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe

  • Size

    275KB

  • MD5

    0ff2d18f373246c3a611c0996d0452d9

  • SHA1

    b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

  • SHA256

    31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

  • SHA512

    e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

  • SSDEEP

    6144:yniHo6nx2QY7slAFRWNBfrrWK0uTNRiuooqp6pfwWm+gIdJI7l:ySo6xg5kN530xuooqMVwsgN

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 3 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
    "C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe"
    1⤵
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      2⤵
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\Xplorer.exe
        "C:\Windows\Xplorer.exe" /Windows
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\System\gHost.exe
          "C:\Windows\System\gHost.exe" /Reproduce
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1280
        • C:\Windows\SysWOW64\KHATRA.exe
          C:\Windows\system32\KHATRA.exe
          4⤵
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1456
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C AT /delete /yes
            5⤵
              PID:808
              • C:\Windows\SysWOW64\at.exe
                AT /delete /yes
                6⤵
                  PID:1484
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                5⤵
                  PID:852
                  • C:\Windows\SysWOW64\at.exe
                    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                    6⤵
                      PID:1804
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
                    5⤵
                      PID:1188
                      • C:\Windows\SysWOW64\regsvr32.exe
                        RegSvr32 /S C:\Windows\system32\avphost.dll
                        6⤵
                          PID:996
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                        5⤵
                          PID:1700
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                            6⤵
                            • Modifies Windows Firewall
                            PID:1616
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /C AT /delete /yes
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1740
                      • C:\Windows\SysWOW64\at.exe
                        AT /delete /yes
                        4⤵
                          PID:1960
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1448
                        • C:\Windows\SysWOW64\at.exe
                          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                          4⤵
                            PID:1948
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1728
                          • C:\Windows\SysWOW64\regsvr32.exe
                            RegSvr32 /S C:\Windows\system32\avphost.dll
                            4⤵
                              PID:428
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                            3⤵
                              PID:1860
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                                4⤵
                                • Modifies Windows Firewall
                                PID:1120
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /C AT /delete /yes
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1764
                            • C:\Windows\SysWOW64\at.exe
                              AT /delete /yes
                              3⤵
                                PID:1252
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1396
                              • C:\Windows\SysWOW64\at.exe
                                AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                                3⤵
                                  PID:1744
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1628
                                • C:\Windows\SysWOW64\regsvr32.exe
                                  RegSvr32 /S C:\Windows\system32\avphost.dll
                                  3⤵
                                    PID:1700
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                                  2⤵
                                    PID:1708
                                    • C:\Windows\SysWOW64\netsh.exe
                                      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                                      3⤵
                                      • Modifies Windows Firewall
                                      PID:1676
                                • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
                                  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
                                  1⤵
                                  • Accesses Microsoft Outlook profiles
                                  • Drops file in System32 directory
                                  • Drops file in Windows directory
                                  • Modifies Internet Explorer settings
                                  • Modifies registry class
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of SetWindowsHookEx
                                  • outlook_win_path
                                  PID:2036

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Windows\KHATARNAKH.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\Xplorer.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\Xplorer.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\inf\Autoplay.inF

                                  Filesize

                                  234B

                                  MD5

                                  7ae2f1a7ce729d91acfef43516e5a84c

                                  SHA1

                                  ebbc99c7e5ac5679de2881813257576ec980fb44

                                  SHA256

                                  43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

                                  SHA512

                                  915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

                                • C:\Windows\system\gHost.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\Windows\system\gHost.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • C:\\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\SysWOW64\KHATRA.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\system\gHost.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • \Windows\system\gHost.exe

                                  Filesize

                                  275KB

                                  MD5

                                  0ff2d18f373246c3a611c0996d0452d9

                                  SHA1

                                  b0e39cb91ddcd2b87d56122cb243b7e2faae1a18

                                  SHA256

                                  31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799

                                  SHA512

                                  e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b

                                • memory/1148-137-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/1148-138-0x0000000000960000-0x0000000000970000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/1148-55-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1148-62-0x0000000000960000-0x0000000000970000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/1148-63-0x0000000003B00000-0x0000000003B9C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1280-84-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1280-140-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1456-122-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1456-124-0x0000000000300000-0x0000000000310000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/1480-64-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1480-113-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1480-82-0x00000000003F0000-0x0000000000400000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/1480-114-0x0000000003E40000-0x0000000003EDC000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1748-83-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1748-121-0x0000000003600000-0x000000000369C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/1748-139-0x0000000000400000-0x000000000049C000-memory.dmp

                                  Filesize

                                  624KB

                                • memory/2036-111-0x000000006C831000-0x000000006C833000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/2036-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/2036-107-0x0000000072161000-0x0000000072163000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/2036-112-0x000000006C021000-0x000000006C023000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/2036-130-0x000000007314D000-0x0000000073158000-memory.dmp

                                  Filesize

                                  44KB

                                • memory/2036-109-0x000000007314D000-0x0000000073158000-memory.dmp

                                  Filesize

                                  44KB