Analysis
max time kernel: 176s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 03/12/2022, 06:17

Static task: static1

Behavioral task: behavioral1
Sample: a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Resource: win10v2004-20220812-en
General
Target: a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Size: 563KB
MD5: 9b23a1427cc20b606775c00ab93ff879
SHA1: ace9b21f8a9331d8de7d7436e120bb8ac6771c0f
SHA256: a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4
SHA512: e0320f978a79aeb86760919dbd7b0b64503d16b802522675d6dac8aa1a407cc6e6e66005b0db582aae0aa4c142f508d2f5d9c64be119fa7db89fa18bf3c7c5bb
SSDEEP: 6144:0BaZA6AM5tm1BS4i4jARHKhyFxQZZxbUP10glX1WMYesP9bZGgtCS+in:0cA6SbVi42BFx8dUP1fweshYgtCS+i
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource  yara_rule
behavioral1/files/0x00060000000146d2-98.dat  acprotect
behavioral1/files/0x00060000000146d2-99.dat  acprotect
behavioral1/files/0x00060000000146d2-103.dat  acprotect
Adds policy Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"  KHATRA.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  KHATRA.exe
Disables RegEdit via registry modification 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  KHATRA.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Executes dropped EXE 3 IoCs
pid  Process
584  KHATRA.exe
1088  Xplorer.exe
1884  gHost.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
pid  Process
1588  netsh.exe
268  netsh.exe
UPX packed file 3 IoCs
resource  yara_rule
behavioral1/files/0x00060000000146d2-98.dat  upx
behavioral1/files/0x00060000000146d2-99.dat  upx
behavioral1/files/0x00060000000146d2-103.dat  upx
Loads dropped DLL 6 IoCs
pid  Process
1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
1088  Xplorer.exe
1088  Xplorer.exe
1428  regsvr32.exe
1096  regsvr32.exe
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Key queried  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  OUTLOOK.EXE
Key queried  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  OUTLOOK.EXE
Adds Run key to start application 2 TTPs 7 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  KHATRA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"  KHATRA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"  KHATRA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe"  KHATRA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\t:  gHost.exe
File opened (read-only)  \??\v:  gHost.exe
File opened (read-only)  \??\a:  gHost.exe
File opened (read-only)  \??\b:  gHost.exe
File opened (read-only)  \??\h:  gHost.exe
File opened (read-only)  \??\j:  gHost.exe
File opened (read-only)  \??\n:  gHost.exe
File opened (read-only)  \??\s:  gHost.exe
File opened (read-only)  \??\x:  gHost.exe
File opened (read-only)  \??\y:  gHost.exe
File opened (read-only)  \??\g:  gHost.exe
File opened (read-only)  \??\k:  gHost.exe
File opened (read-only)  \??\q:  gHost.exe
File opened (read-only)  \??\z:  gHost.exe
File opened (read-only)  \??\f:  gHost.exe
File opened (read-only)  \??\o:  gHost.exe
File opened (read-only)  \??\u:  gHost.exe
File opened (read-only)  \??\w:  gHost.exe
File opened (read-only)  \??\e:  gHost.exe
File opened (read-only)  \??\i:  gHost.exe
File opened (read-only)  \??\l:  gHost.exe
File opened (read-only)  \??\m:  gHost.exe
File opened (read-only)  \??\p:  gHost.exe
File opened (read-only)  \??\r:  gHost.exe
Modifies WinLogon 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"  KHATRA.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/memory/1868-55-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/584-70-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/1088-87-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/1884-89-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/1868-117-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/584-119-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/1088-123-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
behavioral1/memory/1884-124-0x0000000000400000-0x00000000004FC000-memory.dmp  autoit_exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description  ioc  Process
File created  C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF  KHATRA.exe
File created  C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Drops file in System32 directory 19 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\avphost.dll  KHATRA.exe
File created  C:\Windows\system32\perfh007.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfh00C.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfc010.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfh010.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfc011.dat  OUTLOOK.EXE
File created  C:\Windows\SysWOW64\KHATRA.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File created  C:\Windows\SysWOW64\PerfStringBackup.TMP  OUTLOOK.EXE
File created  C:\Windows\system32\perfc009.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfc00C.dat  OUTLOOK.EXE
File opened for modification  C:\Windows\SysWOW64\avphost.dll  KHATRA.exe
File opened for modification  C:\Windows\SysWOW64\PerfStringBackup.INI  OUTLOOK.EXE
File created  C:\Windows\system32\perfc007.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfc00A.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfh00A.dat  OUTLOOK.EXE
File opened for modification  C:\Windows\SysWOW64\KHATRA.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\SysWOW64\KHATRA.exe  KHATRA.exe
File created  C:\Windows\system32\perfh009.dat  OUTLOOK.EXE
File created  C:\Windows\system32\perfh011.dat  OUTLOOK.EXE
Drops file in Windows directory 14 IoCs
description  ioc  Process
File created  C:\Windows\System\gHost.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File created  C:\Windows\KHATARNAKH.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\inf\Autoplay.inF  KHATRA.exe
File opened for modification  C:\Windows\inf\Outlook\outlperf.h  OUTLOOK.EXE
File created  C:\Windows\Xplorer.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\Xplorer.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\KHATARNAKH.exe  KHATRA.exe
File created  C:\Windows\inf\Outlook\outlperf.h  OUTLOOK.EXE
File created  C:\Windows\inf\Outlook\0009\outlperf.ini  OUTLOOK.EXE
File opened for modification  C:\Windows\system\gHost.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\system\gHost.exe  KHATRA.exe
File opened for modification  C:\Windows\Xplorer.exe  KHATRA.exe
File opened for modification  C:\Windows\KHATARNAKH.exe  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
File opened for modification  C:\Windows\inf\Autoplay.inF  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 13 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt  OUTLOOK.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  OUTLOOK.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main  KHATRA.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"  KHATRA.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  OUTLOOK.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  OUTLOOK.EXE
Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  OUTLOOK.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  OUTLOOK.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid  Process
1800  OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid  Process
1088  Xplorer.exe
1884  gHost.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description  pid  Process
Token: 33  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Token: SeIncBasePriorityPrivilege  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
Token: 33  584  KHATRA.exe
Token: SeIncBasePriorityPrivilege  584  KHATRA.exe
Token: 33  1088  Xplorer.exe
Token: SeIncBasePriorityPrivilege  1088  Xplorer.exe
Token: 33  1884  gHost.exe
Token: SeIncBasePriorityPrivilege  1884  gHost.exe
Suspicious use of FindShellTrayWindow 5 IoCs
pid  Process
1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
584  KHATRA.exe
1800  OUTLOOK.EXE
1800  OUTLOOK.EXE
1800  OUTLOOK.EXE
Suspicious use of SendNotifyMessage 4 IoCs
pid  Process
1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
584  KHATRA.exe
1800  OUTLOOK.EXE
1800  OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
1800  OUTLOOK.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1868 wrote to memory of 584  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  28
PID 1868 wrote to memory of 584  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  28
PID 1868 wrote to memory of 584  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  28
PID 1868 wrote to memory of 584  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  28
PID 584 wrote to memory of 1088  584  KHATRA.exe  29
PID 584 wrote to memory of 1088  584  KHATRA.exe  29
PID 584 wrote to memory of 1088  584  KHATRA.exe  29
PID 584 wrote to memory of 1088  584  KHATRA.exe  29
PID 1088 wrote to memory of 1884  1088  Xplorer.exe  30
PID 1088 wrote to memory of 1884  1088  Xplorer.exe  30
PID 1088 wrote to memory of 1884  1088  Xplorer.exe  30
PID 1088 wrote to memory of 1884  1088  Xplorer.exe  30
PID 1868 wrote to memory of 1484  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  31
PID 1868 wrote to memory of 1484  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  31
PID 1868 wrote to memory of 1484  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  31
PID 1868 wrote to memory of 1484  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  31
PID 1484 wrote to memory of 968  1484  cmd.exe  33
PID 1484 wrote to memory of 968  1484  cmd.exe  33
PID 1484 wrote to memory of 968  1484  cmd.exe  33
PID 1484 wrote to memory of 968  1484  cmd.exe  33
PID 584 wrote to memory of 1660  584  KHATRA.exe  34
PID 584 wrote to memory of 1660  584  KHATRA.exe  34
PID 584 wrote to memory of 1660  584  KHATRA.exe  34
PID 584 wrote to memory of 1660  584  KHATRA.exe  34
PID 1660 wrote to memory of 1100  1660  cmd.exe  36
PID 1660 wrote to memory of 1100  1660  cmd.exe  36
PID 1660 wrote to memory of 1100  1660  cmd.exe  36
PID 1660 wrote to memory of 1100  1660  cmd.exe  36
PID 1868 wrote to memory of 1692  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  42
PID 1868 wrote to memory of 1692  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  42
PID 1868 wrote to memory of 1692  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  42
PID 1868 wrote to memory of 1692  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  42
PID 584 wrote to memory of 1540  584  KHATRA.exe  37
PID 584 wrote to memory of 1540  584  KHATRA.exe  37
PID 584 wrote to memory of 1540  584  KHATRA.exe  37
PID 584 wrote to memory of 1540  584  KHATRA.exe  37
PID 1540 wrote to memory of 1744  1540  cmd.exe  40
PID 1540 wrote to memory of 1744  1540  cmd.exe  40
PID 1540 wrote to memory of 1744  1540  cmd.exe  40
PID 1540 wrote to memory of 1744  1540  cmd.exe  40
PID 1692 wrote to memory of 816  1692  cmd.exe  41
PID 1692 wrote to memory of 816  1692  cmd.exe  41
PID 1692 wrote to memory of 816  1692  cmd.exe  41
PID 1692 wrote to memory of 816  1692  cmd.exe  41
PID 584 wrote to memory of 1008  584  KHATRA.exe  43
PID 584 wrote to memory of 1008  584  KHATRA.exe  43
PID 584 wrote to memory of 1008  584  KHATRA.exe  43
PID 584 wrote to memory of 1008  584  KHATRA.exe  43
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1008 wrote to memory of 1428  1008  cmd.exe  45
PID 1868 wrote to memory of 1732  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  46
PID 1868 wrote to memory of 1732  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  46
PID 1868 wrote to memory of 1732  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  46
PID 1868 wrote to memory of 1732  1868  a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe  46
PID 1732 wrote to memory of 1096  1732  cmd.exe  48
PID 1732 wrote to memory of 1096  1732  cmd.exe  48
PID 1732 wrote to memory of 1096  1732  cmd.exe  48
PID 1732 wrote to memory of 1096  1732  cmd.exe  48
PID 1732 wrote to memory of 1096  1732  cmd.exe  48
outlook_win_path 1 IoCs
description  ioc  Process
Key queried  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a45a34c1c2e33bc8a37e010a7c277412bf4c9d1b40beab80d47c4b04f6505de4.exe"
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1868
  C:\Windows\SysWOW64\KHATRA.exe
    Command line: C:\Windows\system32\KHATRA.exe
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:584
    C:\Windows\Xplorer.exe
      Command line: "C:\Windows\Xplorer.exe" /Windows
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1088
      C:\Windows\System\gHost.exe
        Command line: "C:\Windows\System\gHost.exe" /Reproduce
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID:1884
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
      - Suspicious use of WriteProcessMemory
      PID:1660
      C:\Windows\SysWOW64\at.exe
        Command line: AT /delete /yes
        PID:1100
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      - Suspicious use of WriteProcessMemory
      PID:1540
      C:\Windows\SysWOW64\at.exe
        Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        PID:1744
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      - Suspicious use of WriteProcessMemory
      PID:1008
      C:\Windows\SysWOW64\regsvr32.exe
        Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
        - Loads dropped DLL
        - Modifies registry class
        PID:1428
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID:1972
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        PID:1588
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    - Suspicious use of WriteProcessMemory
    PID:1484
    C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
      PID:968
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    - Suspicious use of WriteProcessMemory
    PID:1692
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    - Suspicious use of WriteProcessMemory
    PID:1732
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
      - Loads dropped DLL
      - Modifies registry class
      PID:1096
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    PID:1376
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      - Modifies Windows Firewall
      PID:268
C:\Windows\SysWOW64\at.exe
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  PID:816
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - outlook_win_path
  PID:1800
Network
MITRE ATT&CK Enterprise v6
Downloads