786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a636c5f728170139fab3c2f91cd38a.exe
Size

566KB
MD5

87a636c5f728170139fab3c2f91cd38a
SHA1

e8255d77f18ac941d669cadf6e038596db1a52c1
SHA256

786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8
SHA512

de0573dbb2d188d895dc6bdceceef2cce6c9bb3543da6e4432511c196f2ab31ee3cf408e0990cd86eb951679c7c17801deed4c3f3ad9abe946b128878d5bb95d
SSDEEP

6144:R7CI1sOm/IuoBXzlII3h/qXzMyM0mfAoSOoqk6pfwWm+g:Fm/NoBXzlB3h/qXLXHoSOoqDVwsg

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	87a636c5f728170139fab3c2f91cd38a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2028	netsh.exe
1020	netsh.exe
2724	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2788	KHATRA.exe
2900	Xplorer.exe
3048	gHost.exe
1224	KHATRA.exe

Loads dropped DLL 6 IoCs

pid	Process
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2900	Xplorer.exe
2900	Xplorer.exe
2900	Xplorer.exe
2900	Xplorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe"	KHATRA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	87a636c5f728170139fab3c2f91cd38a.exe

AutoIT Executable 34 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2900-51-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2124-196-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2788-197-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2788-198-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-201-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-205-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/1224-208-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-223-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-224-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/1224-225-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-228-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-229-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-232-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-233-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-237-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-238-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-242-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-243-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-248-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-249-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-252-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-253-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-256-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-257-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-260-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-261-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-264-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-265-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-268-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-269-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-272-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-273-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/2900-276-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral1/memory/3048-277-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\KHATRA.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Xplorer.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\System\gHost.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\KHATARNAKH.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Autoplay.inF	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\system\gHost.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	87a636c5f728170139fab3c2f91cd38a.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	87a636c5f728170139fab3c2f91cd38a.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\ = "ApplicationEvents_11"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ = "StoresEvents_12"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\ = "PropertyPageSite"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ = "ItemProperties"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ = "_TaskRequestUpdateItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ = "FormRegionEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1684	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe
2124	87a636c5f728170139fab3c2f91cd38a.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2900	Xplorer.exe
3048	gHost.exe
1684	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2124	87a636c5f728170139fab3c2f91cd38a.exe
2788	KHATRA.exe
1684	OUTLOOK.EXE
1684	OUTLOOK.EXE
1684	OUTLOOK.EXE
1224	KHATRA.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2124	87a636c5f728170139fab3c2f91cd38a.exe
2788	KHATRA.exe
1684	OUTLOOK.EXE
1684	OUTLOOK.EXE
1224	KHATRA.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1684	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2788	2124	87a636c5f728170139fab3c2f91cd38a.exe	28
PID 2124 wrote to memory of 2788	2124	87a636c5f728170139fab3c2f91cd38a.exe	28
PID 2124 wrote to memory of 2788	2124	87a636c5f728170139fab3c2f91cd38a.exe	28
PID 2124 wrote to memory of 2788	2124	87a636c5f728170139fab3c2f91cd38a.exe	28
PID 2788 wrote to memory of 2900	2788	KHATRA.exe	29
PID 2788 wrote to memory of 2900	2788	KHATRA.exe	29
PID 2788 wrote to memory of 2900	2788	KHATRA.exe	29
PID 2788 wrote to memory of 2900	2788	KHATRA.exe	29
PID 2900 wrote to memory of 3048	2900	Xplorer.exe	30
PID 2900 wrote to memory of 3048	2900	Xplorer.exe	30
PID 2900 wrote to memory of 3048	2900	Xplorer.exe	30
PID 2900 wrote to memory of 3048	2900	Xplorer.exe	30
PID 2124 wrote to memory of 2588	2124	87a636c5f728170139fab3c2f91cd38a.exe	32
PID 2124 wrote to memory of 2588	2124	87a636c5f728170139fab3c2f91cd38a.exe	32
PID 2124 wrote to memory of 2588	2124	87a636c5f728170139fab3c2f91cd38a.exe	32
PID 2124 wrote to memory of 2588	2124	87a636c5f728170139fab3c2f91cd38a.exe	32
PID 2588 wrote to memory of 2652	2588	cmd.exe	33
PID 2588 wrote to memory of 2652	2588	cmd.exe	33
PID 2588 wrote to memory of 2652	2588	cmd.exe	33
PID 2588 wrote to memory of 2652	2588	cmd.exe	33
PID 2124 wrote to memory of 3016	2124	87a636c5f728170139fab3c2f91cd38a.exe	34
PID 2124 wrote to memory of 3016	2124	87a636c5f728170139fab3c2f91cd38a.exe	34
PID 2124 wrote to memory of 3016	2124	87a636c5f728170139fab3c2f91cd38a.exe	34
PID 2124 wrote to memory of 3016	2124	87a636c5f728170139fab3c2f91cd38a.exe	34
PID 3016 wrote to memory of 2448	3016	cmd.exe	36
PID 3016 wrote to memory of 2448	3016	cmd.exe	36
PID 3016 wrote to memory of 2448	3016	cmd.exe	36
PID 3016 wrote to memory of 2448	3016	cmd.exe	36
PID 2788 wrote to memory of 268	2788	KHATRA.exe	37
PID 2788 wrote to memory of 268	2788	KHATRA.exe	37
PID 2788 wrote to memory of 268	2788	KHATRA.exe	37
PID 2788 wrote to memory of 268	2788	KHATRA.exe	37
PID 268 wrote to memory of 2644	268	cmd.exe	39
PID 268 wrote to memory of 2644	268	cmd.exe	39
PID 268 wrote to memory of 2644	268	cmd.exe	39
PID 268 wrote to memory of 2644	268	cmd.exe	39
PID 2788 wrote to memory of 2892	2788	KHATRA.exe	40
PID 2788 wrote to memory of 2892	2788	KHATRA.exe	40
PID 2788 wrote to memory of 2892	2788	KHATRA.exe	40
PID 2788 wrote to memory of 2892	2788	KHATRA.exe	40
PID 2892 wrote to memory of 676	2892	cmd.exe	42
PID 2892 wrote to memory of 676	2892	cmd.exe	42
PID 2892 wrote to memory of 676	2892	cmd.exe	42
PID 2892 wrote to memory of 676	2892	cmd.exe	42
PID 2124 wrote to memory of 2004	2124	87a636c5f728170139fab3c2f91cd38a.exe	43
PID 2124 wrote to memory of 2004	2124	87a636c5f728170139fab3c2f91cd38a.exe	43
PID 2124 wrote to memory of 2004	2124	87a636c5f728170139fab3c2f91cd38a.exe	43
PID 2124 wrote to memory of 2004	2124	87a636c5f728170139fab3c2f91cd38a.exe	43
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2004 wrote to memory of 1092	2004	cmd.exe	45
PID 2788 wrote to memory of 1936	2788	KHATRA.exe	46
PID 2788 wrote to memory of 1936	2788	KHATRA.exe	46
PID 2788 wrote to memory of 1936	2788	KHATRA.exe	46
PID 2788 wrote to memory of 1936	2788	KHATRA.exe	46
PID 1936 wrote to memory of 1868	1936	cmd.exe	48
PID 1936 wrote to memory of 1868	1936	cmd.exe	48
PID 1936 wrote to memory of 1868	1936	cmd.exe	48
PID 1936 wrote to memory of 1868	1936	cmd.exe	48
PID 1936 wrote to memory of 1868	1936	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\87a636c5f728170139fab3c2f91cd38a.exe
"C:\Users\Admin\AppData\Local\Temp\87a636c5f728170139fab3c2f91cd38a.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: GetForegroundWindowSpam
      PID:3048
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2868
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:2028

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
2382c079abdaa13a3a4216bbd807af01

SHA1
427b516510684ed2795ec695eb0096c885914ddd

SHA256
5cdcb1f3699e6771a4bcec4264e16acbbc230a6b9536aa50e52e4d2614753114

SHA512
722b47168c40b4eee81c2b978b1567f4169c6741318f627d9ecc77d1d2af3122d7866fec38e7ac1a4c91432dd0929ac1a26795d51cef3b191ed1df546168ea32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c576b8cfbe6b74690a1d0f58266e6673

SHA1
6af2f845bd575dcea154949b0dc1bd3277629d47

SHA256
8b0b7988b1af44ee783784fc569396752843b145eff882c667ee162a43a45542

SHA512
b833398bafdfc281cddf723082222e059d7106fdb2022cff1563dfd1bc61f721344b9184e4b14e37f788309444ccb2345fc95bf6e9242686e776e75a910a150f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
566KB

MD5
87a636c5f728170139fab3c2f91cd38a

SHA1
e8255d77f18ac941d669cadf6e038596db1a52c1

SHA256
786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8

SHA512
de0573dbb2d188d895dc6bdceceef2cce6c9bb3543da6e4432511c196f2ab31ee3cf408e0990cd86eb951679c7c17801deed4c3f3ad9abe946b128878d5bb95d

Download Submit
C:\Windows\Xplorer.exe

Filesize
534KB

MD5
d104928efabc0f3189feb0e27e5d7c7e

SHA1
f622369426f5ba3f3e017ad253a9893e7d3d380e

SHA256
bd5b8f3667c9fdc72acaa2e201dbd8121fd03db8f76b87aa7064317977fd41ae

SHA512
c1bf03c4dbecae63436db4b74a5be29f4313c35d6bec9a550d7c90dbf8a5b505bd01968b1763a3d49d80bd09cee3dd210807bbee14ffda5f9ab6d03cce870278

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\system\gHost.exe

Filesize
165KB

MD5
23d60ef8e7621f125908ac383bac7196

SHA1
bf3185d0b18bc1f51f97701ebbd7369ed8fd751b

SHA256
c5fe0e9a30de76c529e8858198dbd73255bf90e740396da58d29595a3ab018d3

SHA512
48146db6b29ccf85840245c9be74a84f924d632365c669272bf442da6099a46af175a96581d3dff3836dc3b19db7a8d6f1beb615e6a744d86eb2fd7889ff8c70

Download Submit
\Windows\system\gHost.exe

Filesize
301KB

MD5
05495c71f4ed985606414ba00ca95e11

SHA1
9a9f27690b5623212b20e94b8bb1f4b62c5cd869

SHA256
3223c405a69c70bbc054b9edd574e533bb29725c559a5b459de3adc4dd4564d8

SHA512
18bed063010094ac77ff8f8bdd8a13be2e97300d9b57614a7d8f6f71805445c41640be37e4d79c703950b7a21e52b3247d0fd31d65ce8b2f8248ef2853ad2e35

Download Submit
\Windows\system\gHost.exe

Filesize
186KB

MD5
0b627f1e1dd8eaa311f48c5232250915

SHA1
3e142b82ae87cbb95852bf4ae5f6efd63a6a2df0

SHA256
d91c9c156f379377e80d3da36ae31546fe7ad050492c959b6c5d6b14acceabf6

SHA512
b4c89ea59826d8510f3b58343b0297b59c4456e82387b274c64ca2bf1778ed29224f6e41f4b91e542cbe88ba997d60874c7fc7eb804029c7e60f9a73f10b6e40

Download Submit
memory/1224-225-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1224-208-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1684-170-0x00000000736C1000-0x00000000736C2000-memory.dmp

Filesize
4KB

Download
memory/1684-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1684-226-0x000000007306D000-0x0000000073078000-memory.dmp

Filesize
44KB

Download
memory/1684-70-0x000000007306D000-0x0000000073078000-memory.dmp

Filesize
44KB

Download
memory/2124-24-0x00000000040F0000-0x00000000041D3000-memory.dmp

Filesize
908KB

Download
memory/2124-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2124-5-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2124-196-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2788-36-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2788-31-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2788-50-0x00000000040E0000-0x00000000041C3000-memory.dmp

Filesize
908KB

Download
memory/2788-197-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2788-198-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2788-199-0x00000000040E0000-0x00000000041A1000-memory.dmp

Filesize
772KB

Download
memory/2900-207-0x0000000003880000-0x0000000003963000-memory.dmp

Filesize
908KB

Download
memory/2900-248-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-206-0x0000000003880000-0x0000000003963000-memory.dmp

Filesize
908KB

Download
memory/2900-201-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-276-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-223-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-272-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-55-0x0000000003880000-0x0000000003963000-memory.dmp

Filesize
908KB

Download
memory/2900-51-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-228-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-268-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-232-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-264-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-237-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-260-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-242-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-256-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2900-252-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-261-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-265-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-253-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-243-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-257-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-238-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-205-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-233-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-249-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-229-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-269-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-224-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-273-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-56-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3048-277-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download