Overview

Task                     Score  Platform
Static                   10     -
Executable...ce.url      7      windows10-2004-x64
Executable...rd.url      1      windows10-2004-x64
Executable...on.url      1      windows10-2004-x64
Executable...um.url      1      windows10-2004-x64
Executable...ub.url      1      windows10-2004-x64
Executable...te.url      1      windows10-2004-x64
Executable...e).url      1      windows10-2004-x64
Executable...ub.url      1      windows10-2004-x64
Executable...er.cmd      1      windows10-2004-x64
Executable...TI.cmd      10     windows10-2004-x64
Executable...vc.cmd      1      windows10-2004-x64
Executable...ev.cmd      10     windows10-2004-x64
Executable...er.exe      10     windows10-2004-x64
Executable...ce.exe      3      windows10-2004-x64
Executable...P1.cmd      7      windows10-2004-x64
Executable...P2.cmd      1      windows10-2004-x64
Executable...RS.cmd      1      windows10-2004-x64
Executable...OP.cmd      1      windows10-2004-x64
Executable...NP.ps1      1      windows10-2004-x64
Executables/EDGE.cmd     1      windows10-2004-x64
Executable...ZE.cmd      1      windows10-2004-x64
Executable...PT.ps1      6      windows10-2004-x64
Executables/ONED.cmd     1      windows10-2004-x64
Executables/PFP.cmd      1      windows10-2004-x64
Executables/POWER.cmd    1      windows10-2004-x64
Executable...NU.cmd      1      windows10-2004-x64
Executable...TH.cmd      4      windows10-2004-x64
Executable...ER.cmd      1      windows10-2004-x64
Executable...00.png      4      windows10-2004-x64
Executable...rk.png      3      windows10-2004-x64
Executable...ht.png      3      windows10-2004-x64
playbook.xml             3      windows10-2004-x64
Resubmissions (1)
25/04/2023, 20:18  230425-y3j7yscg23  score 10

Analysis
max time kernel: 485s
max time network: 490s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 20:18
Behavioral tasks

Task          Resource                Sample
behavioral1   win10v2004-20230221-en  Executables/Atlas/4. Troubleshooting/Visual C++ Redistributables/Visual C++ Redistributables AIO Source.url
behavioral2   win10v2004-20230220-en  Executables/Atlas/Atlas Discord.url
behavioral3   win10v2004-20230220-en  Executables/Atlas/Atlas Documentation.url
behavioral4   win10v2004-20230220-en  Executables/Atlas/Atlas Forum.url
behavioral5   win10v2004-20230220-en  Executables/Atlas/Atlas GitHub.url
behavioral6   win10v2004-20230221-en  Executables/Atlas/Atlas Website.url
behavioral7   win10v2004-20230220-en  Executables/AtlasModules/Acknowledgements/Atlas Utilities (filepicker & multichoice).url
behavioral8   win10v2004-20230220-en  Executables/AtlasModules/Acknowledgements/setSvc GitHub.url
behavioral9   win10v2004-20230220-en  Executables/AtlasModules/Scripts/Auto-Cleaner.cmd
behavioral10  win10v2004-20230220-en  Executables/AtlasModules/Scripts/RunAsTI.cmd
behavioral11  win10v2004-20230220-en  Executables/AtlasModules/Scripts/setSvc.cmd
behavioral12  win10v2004-20230220-en  Executables/AtlasModules/Scripts/toggleDev.cmd
behavioral13  win10v2004-20230220-en  Executables/AtlasModules/Tools/filepicker.exe
behavioral14  win10v2004-20230220-en  Executables/AtlasModules/Tools/multichoice.exe
behavioral15  win10v2004-20230221-en  Executables/BACKUP1.cmd
behavioral16  win10v2004-20230220-en  Executables/BACKUP2.cmd
behavioral17  win10v2004-20230220-en  Executables/CONVERTUSERS.cmd
behavioral18  win10v2004-20230220-en  Executables/COPYDESKTOP.cmd
behavioral19  win10v2004-20230220-en  Executables/DISABLEPNP.ps1
behavioral20  win10v2004-20230221-en  Executables/EDGE.cmd
behavioral21  win10v2004-20230220-en  Executables/FINALIZE.cmd
behavioral22  win10v2004-20230221-en  Executables/MITIGATIONPROMPT.ps1
behavioral23  win10v2004-20230221-en  Executables/ONED.cmd
behavioral24  win10v2004-20230220-en  Executables/PFP.cmd
behavioral25  win10v2004-20230220-en  Executables/POWER.cmd
behavioral26  win10v2004-20230220-en  Executables/STARTMENU.cmd
behavioral27  win10v2004-20230220-en  Executables/UPDHEALTH.cmd
behavioral28  win10v2004-20230220-en  Executables/WALLPAPER.cmd
behavioral29  win10v2004-20230220-en  Executables/Web/Screen/img100.png
behavioral30  win10v2004-20230220-en  Executables/Web/Wallpaper/Windows/atlas-dark.png
behavioral31  win10v2004-20230220-en  Executables/Web/Wallpaper/Windows/atlas-light.png
behavioral32  win10v2004-20230220-en  playbook.xml
General
Target: Executables/CONVERTUSERS.cmd
Size: 1KB
MD5: c3d6c5fcf9e5b2d38ffb8f9e4edda61e
SHA1: 275ce13f5ec6137acd09567fca3829b4a553d75f
SHA256: dfe4cf6f461658171f5923b7740112aff1130c48189bbbeec1f5d53feb879815
SHA512: 9092053297a5b6527f9849381a91a4aec5ed460e9dc8e3fe96412bdc990fa1fe40cb2c3617b4a600482c6e2cc6c1b1da28285c041b90c469d8f597f2c90ed993
Malware Config
(nothing listed)

Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   process
4948  powershell.exe
4948  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeDebugPrivilege  4948  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   process  procid_target
PID 4304 wrote to memory of 1828  4304  cmd.exe  85
PID 4304 wrote to memory of 1828  4304  cmd.exe  85
PID 1828 wrote to memory of 4948  1828  cmd.exe  86
PID 1828 wrote to memory of 4948  1828  cmd.exe  86
PID 4304 wrote to memory of 1888  4304  cmd.exe  87
PID 4304 wrote to memory of 1888  4304  cmd.exe  87
PID 1888 wrote to memory of 2908  1888  cmd.exe  88
PID 1888 wrote to memory of 2908  1888  cmd.exe  88
PID 1888 wrote to memory of 3128  1888  cmd.exe  89
PID 1888 wrote to memory of 3128  1888  cmd.exe  89
PID 4304 wrote to memory of 1996  4304  cmd.exe  90
PID 4304 wrote to memory of 1996  4304  cmd.exe  90
PID 1996 wrote to memory of 352   1996  cmd.exe  91
PID 1996 wrote to memory of 352   1996  cmd.exe  91
PID 1996 wrote to memory of 4008  1996  cmd.exe  92
PID 1996 wrote to memory of 4008  1996  cmd.exe  92
Processes (tree; indentation shows parent/child)

[PID 4304] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\CONVERTUSERS.cmd"
    Signatures: Suspicious use of WriteProcessMemory

  [PID 1828] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"
      Signatures: Suspicious use of WriteProcessMemory

    [PID 4948] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [PID 1888] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid" | findstr /i /c:"Name2Sid"
      Signatures: Suspicious use of WriteProcessMemory

    [PID 2908] C:\Windows\system32\reg.exe
        reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid"

    [PID 3128] C:\Windows\system32\findstr.exe
        findstr /i /c:"Name2Sid"

  [PID 1996] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name" | findstr /i /c:"Sid2Name"
      Signatures: Suspicious use of WriteProcessMemory

    [PID 352] C:\Windows\system32\reg.exe
        reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name"

    [PID 4008] C:\Windows\system32\findstr.exe
        findstr /i /c:"Sid2Name"
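Read as a whole, the process tree shows what CONVERTUSERS.cmd actually does: it asks PowerShell for local accounts whose PrincipalSource is MicrosoftAccount, then reads the Name2Sid and Sid2Name mappings under HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache. The signatures that fired are generic (a powershell.exe child enumerating processes and enabling SeDebugPrivilege, and cmd.exe writing to the memory of the children it spawns); the command lines are the substantive evidence. The script below is an added example, not part of this report or of the Atlas project: it rebuilds the tree from process-creation events transcribed from the list above (the events are constructed, with ppid taken from the WriteProcessMemory pairs) and applies a few command-line rules plus one parent-aware rule, so the same logic could be pointed at Sysmon event 1 or EDR telemetry. The rule names and patterns are my own choices.

```python
"""Rebuild the CONVERTUSERS.cmd process tree and flag its account-discovery
commands. Added example; the events below are constructed from the report."""
import re
from collections import defaultdict

CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REG = r"C:\Windows\system32\reg.exe"
FINDSTR = r"C:\Windows\system32\findstr.exe"

# Constructed process-creation events: (pid, ppid, image, command line).
# Values transcribed from the report's process list; ppid None is the root.
EVENTS = [
    (4304, None, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\CONVERTUSERS.cmd"'),
    (1828, 4304, CMD, r'''C:\Windows\system32\cmd.exe /c PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"'''),
    (4948, 1828, PS, r'''PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"'''),
    (1888, 4304, CMD, r'C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid" | findstr /i /c:"Name2Sid"'),
    (2908, 1888, REG, r'reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid"'),
    (3128, 1888, FINDSTR, r'findstr /i /c:"Name2Sid"'),
    (1996, 4304, CMD, r'C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name" | findstr /i /c:"Sid2Name"'),
    (352, 1996, REG, r'reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name"'),
    (4008, 1996, FINDSTR, r'findstr /i /c:"Sid2Name"'),
]

# Command-line rules (hypothetical names, chosen for this example).
# In a regex, "\\" matches one literal backslash in the registry path.
CMDLINE_RULES = {
    "local-account-enumeration": re.compile(r"\bGet-LocalUser\b", re.I),
    "microsoft-account-filter": re.compile(r"PrincipalSource\s+-eq\s+'MicrosoftAccount'", re.I),
    "logoncache-registry-query": re.compile(
        r"\breg(?:\.exe)?\s+query\s+\"?HKLM\\SOFTWARE\\Microsoft\\IdentityStore\\LogonCache\\", re.I),
}


def image_name(path):
    """Lower-cased file name of an image path (e.g. 'cmd.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Return (by_pid, children): event lookup and parent -> child PIDs."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        if ppid is not None:
            children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """PIDs from the root down to pid, following ppid links."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid][1]
    return chain[::-1]


def match_rules(events):
    """Return {pid: sorted rule names} for every event that trips a rule.

    Besides the command-line rules, one parent-aware rule fires when
    powershell.exe is launched by cmd.exe with -NoP (profile suppressed),
    which is the cmd -> powershell hop visible in the report.
    """
    by_pid, _ = build_tree(events)
    hits = defaultdict(set)
    for pid, ppid, image, cmdline in events:
        for name, pat in CMDLINE_RULES.items():
            if pat.search(cmdline):
                hits[pid].add(name)
        if (image_name(image) == "powershell.exe" and ppid in by_pid
                and image_name(by_pid[ppid][2]) == "cmd.exe"
                and re.search(r"(?i)\s-NoP\b", cmdline)):
            hits[pid].add("cmd-spawns-noprofile-powershell")
    return {pid: sorted(names) for pid, names in hits.items()}


def render_tree(events):
    """Indented text rendering of the tree; flagged PIDs are marked with '!'."""
    by_pid, children = build_tree(events)
    hits = match_rules(events)
    root = next(p for p, pp, _, _ in events if pp is None)

    def walk(pid, depth):
        _, _, image, cmdline = by_pid[pid]
        mark = "!" if pid in hits else " "
        line = f"{'  ' * depth}{mark} [{pid}] {image_name(image)}  {cmdline}"
        if pid in hits:
            line += "  <- " + ", ".join(hits[pid])
        return [line] + [l for c in children[pid] for l in walk(c, depth + 1)]

    return "\n".join(walk(root, 0))


if __name__ == "__main__":
    print(render_tree(EVENTS))
```

Matching on the parent image as well as the command line is what separates this from a bare string match: `-NoP` on a powershell.exe started by explorer.exe or a scheduled task is a different population from one spawned by a cmd.exe batch file, and the LogonCache rule fires on both the cmd.exe wrapper and the reg.exe child, so a consumer should dedupe on the ancestry chain rather than count raw hits.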
Network
(nothing listed)

MITRE ATT&CK Matrix
(nothing listed)

Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82