hxxp://myatoworks[.]info

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://myatoworks.info

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
2640	msedge.exe
2640	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4820	3092	msedge.exe	86
PID 3092 wrote to memory of 4820	3092	msedge.exe	86
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2460	3092	msedge.exe	87
PID 3092 wrote to memory of 2640	3092	msedge.exe	88
PID 3092 wrote to memory of 2640	3092	msedge.exe	88
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89
PID 3092 wrote to memory of 4400	3092	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://myatoworks.info
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe434146f8,0x7ffe43414708,0x7ffe43414718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16752398105355698127,7349558940423161132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4272 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
795f7c9e9843f2d96ce912541c4ebbb3

SHA1
32f34de1433c9122438d1565c8cd7d312daa1897

SHA256
30ddb5cb118b97ece1a82991b6dc09564491b0a08c75953343cc8904f5ee9bd2

SHA512
38b24e1839866fd2af8d6e21cf25557e55fed709015215e68bd044e6c1a793af79a4b91613541341643e8f2b07652f0d987d16bdd63e4a3eea76a54a78e684e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
898B

MD5
fc4ad717e5cc554c01b6227274a7be75

SHA1
37e6fadb9714f4f138b790c28c04186c68af8f0c

SHA256
570250f3da736fe199b527cb5ed7454bfd5e758a14005cefc8706ab362a56cbb

SHA512
c0867cd325bfa42d4a5e5f0a9047eff0c3997c020074cd085da4addac7c91861746d33c52aa08f3f0188c9c313bcfdd46a49a98ad407e0ba9def7ac002b2f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5b58d7352a62df89592a223dbf526db

SHA1
97f034bf1e4f18b248bc2270f1353a3c2b3bbabe

SHA256
4249263132466332001ec45332a1a26c6e3bfd3fa41f6355f94948cedba8d2a4

SHA512
591f70ad7c917dfb9f998d7e24418a6b178cd6098fdf30ce941dc13777d09912d076f76d90078424b1171726c3653e83bbedb71096adac9109938f4d27581360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3852f548be3f941f5279e0d7f79dc0ff

SHA1
dc16b27145463096f1f624f1870d895a131b35b9

SHA256
64d2bf6093521f9d363394b9195d52e33f1502ce14c639dca9f455f1f7c6723f

SHA512
29ed955fb0a455d442d49327c3746e6a2ab58d7d325bf27016863b8ab3a40e8a89e55e8c6b49c4789756902fe968aefe2c39094baae9497ba140bb140fe04b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d9b6b7a5de7b192318b12c1b82832cc7

SHA1
d690d1947986b6da91e60631f383b88a337abd48

SHA256
30b75297e4b4b249fee82993b5d6bb9fdd3b96f5113a67a7f22ae27c739921f6

SHA512
e10e026282db6241ccc8b96a3d23ee4bb582eca6b8c06f333d2bbab98295bbe0f11d44646d07d4e7d72ec8856205b19f97bdf7343d07c8da4b3469ad9b66268f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76e05512a196e68d90fd1802f2e228a8

SHA1
5a15998e24426ef3ec3f7f09593f8a05009189d0

SHA256
c24b3cfb733474f9559ee5e0afac27543b0c7a826c12f8058329b4ec5d1c4dd5

SHA512
d9704166cf685ce6b0a13c160d7f0432eb9c65b4418556afaad4fbe45a54926bdb239aab425d83a47e9c3643976ec91eb2f7de6294e6fae35fd6462b623c0034

Download Submit