Overview

Per-task scores from the submission sidebar (task names as truncated there; the full sample paths are listed under Behavioral tasks below):

Score  Task                     Platform
10     Static                   static
7      Executable...ce.url      windows10-2004-x64
1      Executable...rd.url      windows10-2004-x64
1      Executable...on.url      windows10-2004-x64
1      Executable...um.url      windows10-2004-x64
1      Executable...ub.url      windows10-2004-x64
1      Executable...te.url      windows10-2004-x64
1      Executable...e).url      windows10-2004-x64
1      Executable...ub.url      windows10-2004-x64
1      Executable...er.cmd      windows10-2004-x64
10     Executable...TI.cmd      windows10-2004-x64
1      Executable...vc.cmd      windows10-2004-x64
10     Executable...ev.cmd      windows10-2004-x64
10     Executable...er.exe      windows10-2004-x64
3      Executable...ce.exe      windows10-2004-x64
7      Executable...P1.cmd      windows10-2004-x64
1      Executable...P2.cmd      windows10-2004-x64
1      Executable...RS.cmd      windows10-2004-x64
1      Executable...OP.cmd      windows10-2004-x64
1      Executable...NP.ps1      windows10-2004-x64
1      Executables/EDGE.cmd     windows10-2004-x64
1      Executable...ZE.cmd      windows10-2004-x64
6      Executable...PT.ps1      windows10-2004-x64
1      Executables/ONED.cmd     windows10-2004-x64
1      Executables/PFP.cmd      windows10-2004-x64
1      Executables/POWER.cmd    windows10-2004-x64
1      Executable...NU.cmd      windows10-2004-x64
4      Executable...TH.cmd      windows10-2004-x64
1      Executable...ER.cmd      windows10-2004-x64
4      Executable...00.png      windows10-2004-x64
3      Executable...rk.png      windows10-2004-x64
3      Executable...ht.png      windows10-2004-x64
3      playbook.xml             windows10-2004-x64
Resubmissions

  25/04/2023, 20:18   230425-y3j7yscg23   score 10

Analysis

  max time kernel:   505s
  max time network:  509s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         25/04/2023, 20:18
Behavioral tasks

Task          Sample                                                                                                              Resource
behavioral1   Executables/Atlas/4. Troubleshooting/Visual C++ Redistributables/Visual C++ Redistributables AIO Source.url        win10v2004-20230221-en
behavioral2   Executables/Atlas/Atlas Discord.url                                                                                 win10v2004-20230220-en
behavioral3   Executables/Atlas/Atlas Documentation.url                                                                           win10v2004-20230220-en
behavioral4   Executables/Atlas/Atlas Forum.url                                                                                   win10v2004-20230220-en
behavioral5   Executables/Atlas/Atlas GitHub.url                                                                                  win10v2004-20230220-en
behavioral6   Executables/Atlas/Atlas Website.url                                                                                 win10v2004-20230221-en
behavioral7   Executables/AtlasModules/Acknowledgements/Atlas Utilities (filepicker & multichoice).url                            win10v2004-20230220-en
behavioral8   Executables/AtlasModules/Acknowledgements/setSvc GitHub.url                                                         win10v2004-20230220-en
behavioral9   Executables/AtlasModules/Scripts/Auto-Cleaner.cmd                                                                   win10v2004-20230220-en
behavioral10  Executables/AtlasModules/Scripts/RunAsTI.cmd                                                                        win10v2004-20230220-en
behavioral11  Executables/AtlasModules/Scripts/setSvc.cmd                                                                         win10v2004-20230220-en
behavioral12  Executables/AtlasModules/Scripts/toggleDev.cmd                                                                      win10v2004-20230220-en
behavioral13  Executables/AtlasModules/Tools/filepicker.exe                                                                       win10v2004-20230220-en
behavioral14  Executables/AtlasModules/Tools/multichoice.exe                                                                      win10v2004-20230220-en
behavioral15  Executables/BACKUP1.cmd                                                                                             win10v2004-20230221-en
behavioral16  Executables/BACKUP2.cmd                                                                                             win10v2004-20230220-en
behavioral17  Executables/CONVERTUSERS.cmd                                                                                        win10v2004-20230220-en
behavioral18  Executables/COPYDESKTOP.cmd                                                                                         win10v2004-20230220-en
behavioral19  Executables/DISABLEPNP.ps1                                                                                          win10v2004-20230220-en
behavioral20  Executables/EDGE.cmd                                                                                                win10v2004-20230221-en
behavioral21  Executables/FINALIZE.cmd                                                                                            win10v2004-20230220-en
behavioral22  Executables/MITIGATIONPROMPT.ps1                                                                                    win10v2004-20230221-en
behavioral23  Executables/ONED.cmd                                                                                                win10v2004-20230221-en
behavioral24  Executables/PFP.cmd                                                                                                 win10v2004-20230220-en
behavioral25  Executables/POWER.cmd                                                                                               win10v2004-20230220-en
behavioral26  Executables/STARTMENU.cmd                                                                                           win10v2004-20230220-en
behavioral27  Executables/UPDHEALTH.cmd                                                                                           win10v2004-20230220-en
behavioral28  Executables/WALLPAPER.cmd                                                                                           win10v2004-20230220-en
behavioral29  Executables/Web/Screen/img100.png                                                                                   win10v2004-20230220-en
behavioral30  Executables/Web/Wallpaper/Windows/atlas-dark.png                                                                    win10v2004-20230220-en
behavioral31  Executables/Web/Wallpaper/Windows/atlas-light.png                                                                   win10v2004-20230220-en
behavioral32  playbook.xml                                                                                                        win10v2004-20230220-en
General

  Target:  Executables/AtlasModules/Scripts/toggleDev.cmd
  Size:    2KB
  MD5:     0fc5e92349540a7b7b27e7789bead68b
  SHA1:    47ee8a756177cea917ebf48b310f37d5d731a5a1
  SHA256:  0907166805d83bde4d169ead6641a3f82c5c6a694d158455f1bb1471a5d33a24
  SHA512:  5989bd61248920b57bb106615c39b44cb0a47400a44001beea078d2d56d7892ccb198e8a5c2311e802b4b3103e7c48d40d0a91fbfe4d41fc81ac966aed017f5c
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)

  description           pid   Process         procid_target
  PID 1796 created 660  1796  powershell.exe  7

Launches sc.exe (2 IoCs)

  sc.exe is a Windows utility to control services on the system.

  pid   Process
  2672  sc.exe
  1776  sc.exe
Modifies data under HKEY_USERS (48 IoCs)

  description      ioc                                                                                                   Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                     powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                               powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                    powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                       powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                           powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                   powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                           powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates     powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs                              powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                     powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs                               powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                        powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\S-1-5-21-1013461898-3711306144-4198452673-1000"    powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\.Default"                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs                     powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing    powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                          powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\          powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                  powershell.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)

  pid   Process         count
  552   powershell.exe  2
  1796  powershell.exe  4
  1908  powershell.exe  2

Suspicious use of AdjustPrivilegeToken (44 IoCs)

  Token                     pid   Process         count
  SeDebugPrivilege          4168  whoami.exe      1
  SeDebugPrivilege          552   powershell.exe  1
  SeDebugPrivilege          3024  whoami.exe      1
  SeDebugPrivilege          1796  powershell.exe  1
  SeDebugPrivilege          2368  whoami.exe      26
  SeDebugPrivilege          1908  powershell.exe  1
  SeDebugPrivilege          1000  whoami.exe      8
  SeSecurityPrivilege       1908  powershell.exe  1
  SeTakeOwnershipPrivilege  1908  powershell.exe  1
  SeBackupPrivilege         1908  powershell.exe  1
  SeRestorePrivilege        1908  powershell.exe  1
  SeDebugPrivilege          4360  whoami.exe      1

Suspicious use of WriteProcessMemory (28 IoCs; each entry was recorded twice)

  description                        pid   Process         procid_target
  PID 4432 wrote to memory of 4168   4432  cmd.exe         85
  PID 4432 wrote to memory of 4756   4432  cmd.exe         86
  PID 4432 wrote to memory of 4172   4432  cmd.exe         88
  PID 4432 wrote to memory of 552    4432  cmd.exe         87
  PID 552 wrote to memory of 3024    552   powershell.exe  89
  PID 552 wrote to memory of 1796    552   powershell.exe  90
  PID 1796 wrote to memory of 2368   1796  powershell.exe  92
  PID 1796 wrote to memory of 2672   1796  powershell.exe  93
  PID 1796 wrote to memory of 1776   1796  powershell.exe  94
  PID 1796 wrote to memory of 1908   1796  powershell.exe  96
  PID 1908 wrote to memory of 1000   1908  powershell.exe  97
  PID 1908 wrote to memory of 2096   1908  powershell.exe  98
  PID 2096 wrote to memory of 4360   2096  cmd.exe         101
  PID 2096 wrote to memory of 2872   2096  cmd.exe         100
Processes

Depth markers [1]..[4] follow the report's own tree levels; each entry lists the image, PID, command line and the signatures attached to that process.

[1] C:\Windows\system32\lsass.exe  (PID 660)
    command line: C:\Windows\system32\lsass.exe

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1908)
      command line: powershell -win 1 -nop -c iex $env:R; # RunAsTI
      signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\whoami.exe  (PID 1000)
        command line: "C:\Windows\system32\whoami.exe" /groups
        signatures: Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe  (PID 2096)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\toggleDev.cmd" "
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\find.exe  (PID 2872)
          command line: find /i "S-1-5-18"

      [4] C:\Windows\system32\whoami.exe  (PID 4360)
          command line: whoami /user
          signatures: Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\cmd.exe  (PID 4432)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\toggleDev.cmd"
    signatures: Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\whoami.exe  (PID 4168)
      command line: whoami /user
      signatures: Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\find.exe  (PID 4756)
      command line: find /i "S-1-5-18"

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 552)
      command line: PowerShell -NoProfile -Command "$argv = $input | ?{$_}; iex (${C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd} | out-string)"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\whoami.exe  (PID 3024)
        command line: "C:\Windows\system32\whoami.exe" /user
        signatures: Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1796)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\toggleDev.cmd'; $arg=''; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-1013461898-3711306144-4198452673-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\whoami.exe  (PID 2368)
          command line: "C:\Windows\system32\whoami.exe" /groups
          signatures: Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\sc.exe  (PID 2672)
          command line: "C:\Windows\system32\sc.exe" start TrustedInstaller
          signatures: Launches sc.exe

      [4] C:\Windows\system32\sc.exe  (PID 1776)
          command line: "C:\Windows\system32\sc.exe" start lsass
          signatures: Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  (PID 4172)
      command line: C:\Windows\system32\cmd.exe /S /D /c" ( FOR %I in ("C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd" "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\toggleDev.cmd" "") do @ echo(%~I )"
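The two process trees above are one elevation chain read bottom-up: toggleDev.cmd (PID 4432) runs `whoami /user | find /i "S-1-5-18"`, is not SYSTEM, and hands itself to RunAsTI.cmd through PowerShell (552). PowerShell 1796 then reads the value named RunAsTI out of HKU\S-1-5-21-...-1000\Volatile Environment into $env:R and runs it with iex, starts the TrustedInstaller and lsass services with sc.exe, and creates a new PowerShell (1908) whose recorded parent is lsass.exe (660); the "PID 1796 created 660" entry under NtCreateUserProcessOtherParentProcess is the only place the report links the two trees. The second copy of toggleDev.cmd (2096) runs under that lsass-parented PowerShell and does not relaunch itself. The two writes to \REGISTRY\USER\S-1-5-18\SymbolicLinkValue in the HKEY_USERS signature (first to the user's SID hive, then back to .Default) are the registry-side trace of the same tool: it re-points the SYSTEM account's hive at the interactive user's hive and restores it afterwards.

The detection logic below is an added example, not code from the report or from the Atlas project. It runs four rules over process-creation events: a script host created under lsass.exe or TrustedInstaller.exe, sc.exe starting the TrustedInstaller or lsass service from a script host, PowerShell executing a value read from a Volatile Environment key, and PowerShell executing an environment variable as code. The event sample is constructed from the report's process tree (PIDs, images and command lines as listed there); the parent PIDs of the two roots are not in the report and are filled in as 0, and the three events with PIDs 3000-3002 are invented benign controls. The ancestry helper shows the caveat that matters in practice: walking recorded parent PIDs from the SYSTEM-side whoami (4360) ends at lsass.exe and never reaches 1796 or 4432, because the parent of 1908 was chosen by the creator, so correlation across the gap has to come from a creator-process signal such as the sandbox's NtCreateUserProcessOtherParentProcess hit rather than from the tree alone.

```python
"""Detection for the RunAsTI-style elevation chain in the report above.
Added example, not part of the report or of the Atlas project. Events are
constructed from the report's process tree; root parent PIDs (unknown) are 0
and PIDs 3000-3002 are invented benign controls."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that have no business spawning a script host; lsass.exe is the parent
# the report records for PID 1908 after the spoofed-parent process creation.
SENSITIVE_PARENTS = {"lsass.exe", "trustedinstaller.exe", "services.exe", "wininit.exe"}
RE_SC_START_PRIV = re.compile(r"\bstart\s+(trustedinstaller|lsass)\b")
RE_IEX = re.compile(r"\b(iex|invoke-expression)\b")
RE_IEX_ENV = re.compile(r"\b(iex|invoke-expression)\s*\(?\s*\$env:")


def basename(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def ancestry(events, pid):
    """Image names from pid up to the root, following recorded parent PIDs only."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Apply the four rules to a batch of events and return the alerts."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        cl = e.cmdline.lower()
        # Rule 1: script host created under lsass.exe / TrustedInstaller.exe.
        if name in SCRIPT_HOSTS and pname in SENSITIVE_PARENTS:
            alerts.append(Alert("script_host_under_sensitive_parent", e.pid,
                                f"{name} parent={pname}({e.ppid})"))
        # Rule 2: script host starting the TrustedInstaller or lsass service.
        if name == "sc.exe" and pname in SCRIPT_HOSTS and RE_SC_START_PRIV.search(cl):
            alerts.append(Alert("sc_start_trustedinstaller_or_lsass", e.pid, e.cmdline))
        # Rule 3: PowerShell reading HKU\<SID>\Volatile Environment and passing it
        # to iex (the stash-and-execute step performed by PID 1796).
        if name in POWERSHELL and "volatile environment" in cl and RE_IEX.search(cl):
            alerts.append(Alert("iex_of_volatile_environment_value", e.pid, e.cmdline[:80]))
        # Rule 4: PowerShell executing an environment variable as code (iex $env:X),
        # done by both PID 1796 and the lsass-parented PID 1908.
        if name in POWERSHELL and RE_IEX_ENV.search(cl):
            alerts.append(Alert("iex_of_env_var", e.pid, e.cmdline[:80]))
    return alerts


def summarize(alerts):
    """Alert count per rule."""
    return dict(Counter(a.rule for a in alerts))


T = r"C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\system32"

SAMPLE_EVENTS = [  # constructed from the report's two process trees
    ProcEvent(660, 0, S32 + r"\lsass.exe", S32 + r"\lsass.exe"),
    ProcEvent(4432, 0, S32 + r"\cmd.exe", S32 + r'\cmd.exe /c "' + T + r'\toggleDev.cmd"'),
    ProcEvent(4168, 4432, S32 + r"\whoami.exe", "whoami /user"),
    ProcEvent(4756, 4432, S32 + r"\find.exe", 'find /i "S-1-5-18"'),
    ProcEvent(552, 4432, PS, 'PowerShell -NoProfile -Command "$argv = $input | ?{$_}; '
              "iex (${" + T + r'\RunAsTI.cmd} | out-string)"'),
    ProcEvent(3024, 552, S32 + r"\whoami.exe", '"' + S32 + r'\whoami.exe" /user'),
    ProcEvent(1796, 552, PS, '"' + PS + "\" -win 1 -nop -c $cmd='" + T + r"\toggleDev.cmd'; "
              "$arg=''; $id='RunAsTI'; $key='Registry::HKU\\S-1-5-21-1013461898-3711306144-"
              "4198452673-1000\\Volatile Environment'; "
              "$env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R"),
    ProcEvent(2368, 1796, S32 + r"\whoami.exe", '"' + S32 + r'\whoami.exe" /groups'),
    ProcEvent(2672, 1796, S32 + r"\sc.exe", '"' + S32 + r'\sc.exe" start TrustedInstaller'),
    ProcEvent(1776, 1796, S32 + r"\sc.exe", '"' + S32 + r'\sc.exe" start lsass'),
    # Recorded parent is lsass.exe (660) although PID 1796 created this process.
    ProcEvent(1908, 660, PS, "powershell -win 1 -nop -c iex $env:R; # RunAsTI"),
    ProcEvent(1000, 1908, S32 + r"\whoami.exe", '"' + S32 + r'\whoami.exe" /groups'),
    ProcEvent(2096, 1908, S32 + r"\cmd.exe", S32 + r'\cmd.exe /c ""' + T + r'\toggleDev.cmd" "'),
    ProcEvent(2872, 2096, S32 + r"\find.exe", 'find /i "S-1-5-18"'),
    ProcEvent(4360, 2096, S32 + r"\whoami.exe", "whoami /user"),
    # Invented benign controls: an interactive PowerShell and a plain sc.exe query.
    ProcEvent(3000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, PS, "powershell -NoProfile -Command Get-Date"),
    ProcEvent(3002, 3001, S32 + r"\sc.exe", "sc.exe query wuauserv"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:38} pid={a.pid:<5} {a.detail}")
    print("ancestry of 4360:", " <- ".join(ancestry(SAMPLE_EVENTS, 4360)))
```

Rules 1 and 2 are the high-fidelity ones: a PowerShell whose parent is lsass.exe, and sc.exe starting TrustedInstaller from a script host, are rare enough to page on. Rules 3 and 4 are cheaper to evade (any other storage location or variable name) and are better used as hunting queries or as corroborating context attached to a rule 1 or rule 2 alert.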
Network
MITRE ATT&CK Matrix
Downloads

Download 1
  Filesize:  3KB
  MD5:       556084f2c6d459c116a69d6fedcc4105
  SHA1:      633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256:    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512:    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download 2
  Filesize:  1KB
  MD5:       b90efd974eddd9f07d74e6daa9285779
  SHA1:      eab0a1356a4bbd54f8d2f0d1b1373c5ec5dcb3bb
  SHA256:    b525be72aa216eb30620c35eb5bb4dd6f40e2a05998d7886a0a86c1b3ca05272
  SHA512:    d7c27366fd984c10d99a51d48944ebf4525b95a201705169ecf5242a802669eb9964fc2afefb1eaae8c91cda265d4e5e508a71697eb9e807160a6097e00e53ff

Download 3
  Filesize:  1KB
  MD5:       8f8975f905fea12e03eb6c147ddb4059
  SHA1:      34953a9f7f10163134b34f267852822e28abf117
  SHA256:    7cb219dbf6948d2be10410dfa4bb7dae9f16e4736dd9bd9e899679c8e7148131
  SHA512:    da4e9adf77d3cc15851b05abac127d25eca31b1c12b425e231117520062422cdf8ea678a5d08a43a909d81e1573e43778c85bd4ce47181f4f0c1e310e8957f86

Download 4
  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82