Overview
overview
10Static
static
7Executable...ce.url
windows10-2004-x64
1Executable...rd.url
windows10-2004-x64
1Executable...on.url
windows10-2004-x64
1Executable...um.url
windows10-2004-x64
1Executable...ub.url
windows10-2004-x64
1Executable...te.url
windows10-2004-x64
1Executable...e).url
windows10-2004-x64
1Executable...ub.url
windows10-2004-x64
1Executable...er.cmd
windows10-2004-x64
10Executable...TI.cmd
windows10-2004-x64
1Executable...vc.cmd
windows10-2004-x64
10Executable...ev.cmd
windows10-2004-x64
10Executable...er.exe
windows10-2004-x64
3Executable...ce.exe
windows10-2004-x64
7Executable...P1.cmd
windows10-2004-x64
1Executable...P2.cmd
windows10-2004-x64
1Executable...RS.cmd
windows10-2004-x64
1Executable...OP.cmd
windows10-2004-x64
1Executable...NP.ps1
windows10-2004-x64
1Executables/EDGE.cmd
windows10-2004-x64
1Executable...ZE.cmd
windows10-2004-x64
6Executable...PT.ps1
windows10-2004-x64
1Executables/ONED.cmd
windows10-2004-x64
1Executables/PFP.cmd
windows10-2004-x64
1Executables/POWER.cmd
windows10-2004-x64
1Executable...NU.cmd
windows10-2004-x64
4Executable...TH.cmd
windows10-2004-x64
1Executable...ER.cmd
windows10-2004-x64
4Executable...00.png
windows10-2004-x64
3Executable...rk.png
windows10-2004-x64
3Executable...ht.png
windows10-2004-x64
3playbook.xml
windows10-2004-x64
1Resubmissions
25-04-2023 20:18
230425-y3j7yscg23 10Analysis
-
max time kernel
584s -
max time network
511s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2023 20:18
Behavioral task
behavioral1
Sample
Executables/Atlas/4. Troubleshooting/Visual C++ Redistributables/Visual C++ Redistributables AIO Source.url
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
Executables/Atlas/Atlas Discord.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Executables/Atlas/Atlas Documentation.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
Executables/Atlas/Atlas Forum.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Executables/Atlas/Atlas GitHub.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Executables/Atlas/Atlas Website.url
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Executables/AtlasModules/Acknowledgements/Atlas Utilities (filepicker & multichoice).url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Executables/AtlasModules/Acknowledgements/setSvc GitHub.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Executables/AtlasModules/Scripts/Auto-Cleaner.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Executables/AtlasModules/Scripts/RunAsTI.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Executables/AtlasModules/Scripts/setSvc.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Executables/AtlasModules/Scripts/toggleDev.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Executables/AtlasModules/Tools/filepicker.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Executables/AtlasModules/Tools/multichoice.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Executables/BACKUP1.cmd
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Executables/BACKUP2.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Executables/CONVERTUSERS.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Executables/COPYDESKTOP.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Executables/DISABLEPNP.ps1
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Executables/EDGE.cmd
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Executables/FINALIZE.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Executables/MITIGATIONPROMPT.ps1
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Executables/ONED.cmd
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Executables/PFP.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Executables/POWER.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
Executables/STARTMENU.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Executables/UPDHEALTH.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
Executables/WALLPAPER.cmd
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Executables/Web/Screen/img100.png
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
Executables/Web/Wallpaper/Windows/atlas-dark.png
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Executables/Web/Wallpaper/Windows/atlas-light.png
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
playbook.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
Executables/AtlasModules/Tools/filepicker.exe
-
Size
145KB
-
MD5
d075ecf7e4ae297b50672c392588e368
-
SHA1
cfc02b6f52bacdd691722ec50456a90b9d2f24f8
-
SHA256
10a9ab81de68a6acebd6e0d393ecc8869a4dae852f78cf9093740ad8752da0de
-
SHA512
8df70762db0a3813ee4b73e77f965ca2a33dc5838fcb30f038ed6e66d0b61c4c3f51a2700dbb8a015f5a7d95951d7aa01e426398c3d284b6f7c89639cf30fb06
-
SSDEEP
3072:Xdd0KiEvENBYIhnGEhekJ5xNTLD5ZhwmR4lgHAp/W:Xdd15EAiGEjJ1TLD5ZhKBF
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 filepicker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 filepicker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings filepicker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ filepicker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff filepicker.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ filepicker.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1688 filepicker.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1688 filepicker.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD58fed27e4eafb53ccc761895e8200f081
SHA16f4051303fbe391a8fddc001b2833fa5cdc2d610
SHA2567fc089d03dd7ab3fcee185156c8565ebf8615b55185d5d4f8c5d97fd9e043add
SHA51218d75d17abd4d4bdb6f5a8b56907358f556f844623d0f0980feb3b2940c9a6b6ba086730d304dd97bf2017fd9e4e8616b837c1e3f54aadbaddcf39a3cbd5326b