Overview

Score  Target                  Platform
10     Static                  static
7      Executable...ce.url     windows10-2004-x64
1      Executable...rd.url     windows10-2004-x64
1      Executable...on.url     windows10-2004-x64
1      Executable...um.url     windows10-2004-x64
1      Executable...ub.url     windows10-2004-x64
1      Executable...te.url     windows10-2004-x64
1      Executable...e).url     windows10-2004-x64
1      Executable...ub.url     windows10-2004-x64
1      Executable...er.cmd     windows10-2004-x64
10     Executable...TI.cmd     windows10-2004-x64
1      Executable...vc.cmd     windows10-2004-x64
10     Executable...ev.cmd     windows10-2004-x64
10     Executable...er.exe     windows10-2004-x64
3      Executable...ce.exe     windows10-2004-x64
7      Executable...P1.cmd     windows10-2004-x64
1      Executable...P2.cmd     windows10-2004-x64
1      Executable...RS.cmd     windows10-2004-x64
1      Executable...OP.cmd     windows10-2004-x64
1      Executable...NP.ps1     windows10-2004-x64
1      Executables/EDGE.cmd    windows10-2004-x64
1      Executable...ZE.cmd     windows10-2004-x64
6      Executable...PT.ps1     windows10-2004-x64
1      Executables/ONED.cmd    windows10-2004-x64
1      Executables/PFP.cmd     windows10-2004-x64
1      Executables/POWER.cmd   windows10-2004-x64
1      Executable...NU.cmd     windows10-2004-x64
4      Executable...TH.cmd     windows10-2004-x64
1      Executable...ER.cmd     windows10-2004-x64
4      Executable...00.png     windows10-2004-x64
3      Executable...rk.png     windows10-2004-x64
3      Executable...ht.png     windows10-2004-x64
3      playbook.xml            windows10-2004-x64
Resubmissions
25/04/2023, 20:18    230425-y3j7yscg23    score 10

Analysis
max time kernel: 489s
max time network: 494s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 20:18
Behavioral tasks
behavioral1    Sample: Executables/Atlas/4. Troubleshooting/Visual C++ Redistributables/Visual C++ Redistributables AIO Source.url    Resource: win10v2004-20230221-en
behavioral2    Sample: Executables/Atlas/Atlas Discord.url    Resource: win10v2004-20230220-en
behavioral3    Sample: Executables/Atlas/Atlas Documentation.url    Resource: win10v2004-20230220-en
behavioral4    Sample: Executables/Atlas/Atlas Forum.url    Resource: win10v2004-20230220-en
behavioral5    Sample: Executables/Atlas/Atlas GitHub.url    Resource: win10v2004-20230220-en
behavioral6    Sample: Executables/Atlas/Atlas Website.url    Resource: win10v2004-20230221-en
behavioral7    Sample: Executables/AtlasModules/Acknowledgements/Atlas Utilities (filepicker & multichoice).url    Resource: win10v2004-20230220-en
behavioral8    Sample: Executables/AtlasModules/Acknowledgements/setSvc GitHub.url    Resource: win10v2004-20230220-en
behavioral9    Sample: Executables/AtlasModules/Scripts/Auto-Cleaner.cmd    Resource: win10v2004-20230220-en
behavioral10   Sample: Executables/AtlasModules/Scripts/RunAsTI.cmd    Resource: win10v2004-20230220-en
behavioral11   Sample: Executables/AtlasModules/Scripts/setSvc.cmd    Resource: win10v2004-20230220-en
behavioral12   Sample: Executables/AtlasModules/Scripts/toggleDev.cmd    Resource: win10v2004-20230220-en
behavioral13   Sample: Executables/AtlasModules/Tools/filepicker.exe    Resource: win10v2004-20230220-en
behavioral14   Sample: Executables/AtlasModules/Tools/multichoice.exe    Resource: win10v2004-20230220-en
behavioral15   Sample: Executables/BACKUP1.cmd    Resource: win10v2004-20230221-en
behavioral16   Sample: Executables/BACKUP2.cmd    Resource: win10v2004-20230220-en
behavioral17   Sample: Executables/CONVERTUSERS.cmd    Resource: win10v2004-20230220-en
behavioral18   Sample: Executables/COPYDESKTOP.cmd    Resource: win10v2004-20230220-en
behavioral19   Sample: Executables/DISABLEPNP.ps1    Resource: win10v2004-20230220-en
behavioral20   Sample: Executables/EDGE.cmd    Resource: win10v2004-20230221-en
behavioral21   Sample: Executables/FINALIZE.cmd    Resource: win10v2004-20230220-en
behavioral22   Sample: Executables/MITIGATIONPROMPT.ps1    Resource: win10v2004-20230221-en
behavioral23   Sample: Executables/ONED.cmd    Resource: win10v2004-20230221-en
behavioral24   Sample: Executables/PFP.cmd    Resource: win10v2004-20230220-en
behavioral25   Sample: Executables/POWER.cmd    Resource: win10v2004-20230220-en
behavioral26   Sample: Executables/STARTMENU.cmd    Resource: win10v2004-20230220-en
behavioral27   Sample: Executables/UPDHEALTH.cmd    Resource: win10v2004-20230220-en
behavioral28   Sample: Executables/WALLPAPER.cmd    Resource: win10v2004-20230220-en
behavioral29   Sample: Executables/Web/Screen/img100.png    Resource: win10v2004-20230220-en
behavioral30   Sample: Executables/Web/Wallpaper/Windows/atlas-dark.png    Resource: win10v2004-20230220-en
behavioral31   Sample: Executables/Web/Wallpaper/Windows/atlas-light.png    Resource: win10v2004-20230220-en
behavioral32   Sample: playbook.xml    Resource: win10v2004-20230220-en
General
Target: Executables/AtlasModules/Scripts/setSvc.cmd
Size: 2KB
MD5: a7d3e4ffbb7206374740a5e348ca2380
SHA1: 6b15231dbb2444198faf876ce420ebff9961383e
SHA256: be86445c1f6e88a1c4a1df2c457ced5157c3d712d176011dfaee662403f70b22
SHA512: 4183c4c47720232592d0e73fd57373ff7ef69279f93b65cc208db72d89b427435517acbe62ab34005d7de156b172f492cc78437f3a808318f9c3748718b81390
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
    description            pid   Process         procid_target
    PID 1224 created 672   1224  powershell.exe  3

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
    pid   Process
    4924  sc.exe
    404   sc.exe

Modifies data under HKEY_USERS (48 IoCs)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid   Process
    1452  powershell.exe
    1452  powershell.exe
    1224  powershell.exe
    1224  powershell.exe
    1224  powershell.exe
    1224  powershell.exe
    1872  powershell.exe
    1872  powershell.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes
Indentation shows the parent/child relationship recorded by the sandbox; signatures hit by each process are listed beneath it.

C:\Windows\system32\lsass.exe
    command: C:\Windows\system32\lsass.exe
    PID: 672
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -win 1 -nop -c iex $env:R; # RunAsTI
        PID: 1872
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\whoami.exe
            command: "C:\Windows\system32\whoami.exe" /groups
            PID: 3368
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
            command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "
            PID: 5064
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\find.exe
                command: find /i "S-1-5-18"
                PID: 2608
            C:\Windows\system32\whoami.exe
                command: whoami /user
                PID: 4592
                - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd"
    PID: 960
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\whoami.exe
        command: whoami /user
        PID: 1548
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\find.exe
        command: find /i "S-1-5-18"
        PID: 2432
    C:\Windows\system32\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" ( FOR %I in ("C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd" "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "") do @ echo(%~I )"
        PID: 1500
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: PowerShell -NoProfile -Command "$argv = $input | ?{$_}; iex (${C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd} | out-string)"
        PID: 1452
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\whoami.exe
            command: "C:\Windows\system32\whoami.exe" /user
            PID: 1476
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd'; $arg=''; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-144354903-2550862337-1367551827-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
            PID: 1224
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\whoami.exe
                command: "C:\Windows\system32\whoami.exe" /groups
                PID: 4172
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\sc.exe
                command: "C:\Windows\system32\sc.exe" start TrustedInstaller
                PID: 4924
                - Launches sc.exe
            C:\Windows\system32\sc.exe
                command: "C:\Windows\system32\sc.exe" start lsass
                PID: 404
                - Launches sc.exe
Network
MITRE ATT&CK Matrix
Downloads