dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7

General

Target

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
Size

341KB
MD5

13d33a9ff6c77a3b7d08a4557d0a5e67
SHA1

78adf14b76c5f6ed6f94172ae1ea9ff756d65776
SHA256

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7
SHA512

00dcb19ac270b06914c35e38f467bd49d4f3829f74f4d98e1c2af7e6c73e43eff7613127b483653b6d35d2d4aa3ed64a8c0e562a1542786db6493df0faf016b8
SSDEEP

6144:bLwrTiWBUMLRr4ruCg4b4m+HSyD3YxHQnkcJFo9FR0YxlHA/7:bLwrTiqBLR0uFkrW3sHdcJFGFRPHs7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

atitt.exe

pid process

2616 atitt.exe

pid	process
2616	atitt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atitt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	atitt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Atitt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ajyhr\\atitt.exe"	atitt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe

description	pid	process	target process
PID 4996 set thread context of 1784	4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exeatitt.exe

pid	process
4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe
2616	atitt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exeatitt.exe

description	pid	process	target process
PID 4996 wrote to memory of 2616	4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	atitt.exe
PID 4996 wrote to memory of 2616	4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	atitt.exe
PID 4996 wrote to memory of 2616	4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	atitt.exe
PID 2616 wrote to memory of 2372	2616	atitt.exe	sihost.exe
PID 2616 wrote to memory of 2372	2616	atitt.exe	sihost.exe
PID 2616 wrote to memory of 2372	2616	atitt.exe	sihost.exe
PID 2616 wrote to memory of 2372	2616	atitt.exe	sihost.exe
PID 2616 wrote to memory of 2372	2616	atitt.exe	sihost.exe
PID 2616 wrote to memory of 2388	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2388	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2388	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2388	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2388	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2588	2616	atitt.exe	taskhostw.exe
PID 2616 wrote to memory of 2588	2616	atitt.exe	taskhostw.exe
PID 2616 wrote to memory of 2588	2616	atitt.exe	taskhostw.exe
PID 2616 wrote to memory of 2588	2616	atitt.exe	taskhostw.exe
PID 2616 wrote to memory of 2588	2616	atitt.exe	taskhostw.exe
PID 2616 wrote to memory of 2548	2616	atitt.exe	Explorer.EXE
PID 2616 wrote to memory of 2548	2616	atitt.exe	Explorer.EXE
PID 2616 wrote to memory of 2548	2616	atitt.exe	Explorer.EXE
PID 2616 wrote to memory of 2548	2616	atitt.exe	Explorer.EXE
PID 2616 wrote to memory of 2548	2616	atitt.exe	Explorer.EXE
PID 2616 wrote to memory of 2972	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2972	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2972	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2972	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 2972	2616	atitt.exe	svchost.exe
PID 2616 wrote to memory of 3260	2616	atitt.exe	DllHost.exe
PID 2616 wrote to memory of 3260	2616	atitt.exe	DllHost.exe
PID 2616 wrote to memory of 3260	2616	atitt.exe	DllHost.exe
PID 2616 wrote to memory of 3260	2616	atitt.exe	DllHost.exe
PID 2616 wrote to memory of 3260	2616	atitt.exe	DllHost.exe
PID 2616 wrote to memory of 3352	2616	atitt.exe	StartMenuExperienceHost.exe
PID 2616 wrote to memory of 3352	2616	atitt.exe	StartMenuExperienceHost.exe
PID 2616 wrote to memory of 3352	2616	atitt.exe	StartMenuExperienceHost.exe
PID 2616 wrote to memory of 3352	2616	atitt.exe	StartMenuExperienceHost.exe
PID 2616 wrote to memory of 3352	2616	atitt.exe	StartMenuExperienceHost.exe
PID 2616 wrote to memory of 3416	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3416	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3416	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3416	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3416	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3504	2616	atitt.exe	SearchApp.exe
PID 2616 wrote to memory of 3504	2616	atitt.exe	SearchApp.exe
PID 2616 wrote to memory of 3504	2616	atitt.exe	SearchApp.exe
PID 2616 wrote to memory of 3504	2616	atitt.exe	SearchApp.exe
PID 2616 wrote to memory of 3504	2616	atitt.exe	SearchApp.exe
PID 2616 wrote to memory of 3804	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3804	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3804	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3804	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 3804	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4740	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4740	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4740	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4740	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4740	2616	atitt.exe	RuntimeBroker.exe
PID 2616 wrote to memory of 4996	2616	atitt.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 2616 wrote to memory of 4996	2616	atitt.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 2616 wrote to memory of 4996	2616	atitt.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 2616 wrote to memory of 4996	2616	atitt.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 2616 wrote to memory of 4996	2616	atitt.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 4996 wrote to memory of 1784	4996	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
"C:\Users\Admin\AppData\Local\Temp\dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\Ajyhr\atitt.exe
"C:\Users\Admin\AppData\Local\Temp\Ajyhr\atitt.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNV2D51.bat"
2⤵
PID:1784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2548

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ajyhr\atitt.exe

Filesize
341KB

MD5
3f6e7fc0ad17102c23a0afc79f67357b

SHA1
7daae7e773d41ae32260db8d23dbe205e37505c6

SHA256
3224046cc3033985c6696dd5c4b9df827cb699c6f1eb7aed449469bb256fd07c

SHA512
869a46f931ab52543238284a7e05b014cd88430c4a4bdc0603e15709643f1963c1330a528ab691f0d8a3b0fc4b185079020a4994fad7a098bf8b3cb2e4ec8ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajyhr\atitt.exe

Filesize
341KB

MD5
3f6e7fc0ad17102c23a0afc79f67357b

SHA1
7daae7e773d41ae32260db8d23dbe205e37505c6

SHA256
3224046cc3033985c6696dd5c4b9df827cb699c6f1eb7aed449469bb256fd07c

SHA512
869a46f931ab52543238284a7e05b014cd88430c4a4bdc0603e15709643f1963c1330a528ab691f0d8a3b0fc4b185079020a4994fad7a098bf8b3cb2e4ec8ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNV2D51.bat

Filesize
284B

MD5
b626f199a8a9e7adf09e8c7d06434de3

SHA1
00fc213490aaefb6bb29e5c44451452ba3a5e656

SHA256
6c37d97492af379d7728e677780200d98b6c2f5e8583a7c285822001cdd15674

SHA512
14a38da3d2ea3a328d6978cd96034e771c654025c18c20f62610dbf3beb8a52bd577c72ae5834a47f6a240563550a97d1c334edfa3c3c670153df7b668b77dd9

Download Submit
memory/1784-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-156-0x0000000000700000-0x0000000000742000-memory.dmp

Filesize
264KB

Download
memory/1784-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-145-0x0000000000000000-mapping.dmp

Download
memory/1784-146-0x0000000000700000-0x0000000000742000-memory.dmp

Filesize
264KB

Download
memory/1784-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-134-0x0000000000000000-mapping.dmp

Download
memory/4996-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-147-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/4996-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4996-132-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4996-133-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads