hxxp://atomailingupdates[.]cc

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://atomailingupdates.cc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
2880	msedge.exe
2880	msedge.exe
3912	identity_helper.exe
3912	identity_helper.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3280	2880	msedge.exe	43
PID 2880 wrote to memory of 3280	2880	msedge.exe	43
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 3304	2880	msedge.exe	88
PID 2880 wrote to memory of 4232	2880	msedge.exe	87
PID 2880 wrote to memory of 4232	2880	msedge.exe	87
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89
PID 2880 wrote to memory of 3992	2880	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://atomailingupdates.cc
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd57146f8,0x7ffcd5714708,0x7ffcd5714718
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7028932969087130605,13461873606468439816,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3112 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ed66df5460d442ff959e3e9c89c8b667

SHA1
e964a400aea24ce4311776182937f95a380f9762

SHA256
0a67b8be7e276337b271ec557518ead10c9582ebb298d5c7b31e6e06ad8754f9

SHA512
c7ada46119292a6e777396c41b28a88c1baa1db4a89805336aac07cc836cca374a9fbaa9662779b108e2608415da9bb21e48aa30d84710fdaf6f10ff46a1fca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
478B

MD5
c46a9fba12e0f9f4536d4d643b5dcb5a

SHA1
5f482a674f9eae35ae0c877bd5270de4f8f07585

SHA256
a11a1e36df0321d2511df999b4d9facbb4b9aaa8adf833b9117a307a0398364f

SHA512
9f4b83e74ef464899682754a5ba51402dbb5b910fb903aead603e8d00520d327f53ae5223148686210b85a0789b54bc64fda7051fba22e6e2a91c13dc63227e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3315c9784631cda3a9eaa8175cbea84a

SHA1
aff26a54de852c4cc51f7f76f82d0b168fddc39d

SHA256
d3ea1cfc63477867a03f02a591212e370e09cff5d96855761aae2f05f1dd937d

SHA512
d7b8fa3b07de3ce3028682d8d525af2c3ee1960b4d35ecbcca703b1b29ba8b6f2b770e43554c3ab8f3ebd0bac6445f64499d01ebe0f26af7e5582132f0f6fdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d08644743d6c0f71912c88dc1b419ba

SHA1
1f157924c0d393007d58cca1db138c5703101327

SHA256
89a72a077832405cc604d6fdf73774a93119c6b46abd8a5f117738178bd62e6b

SHA512
c96557e0280fe2c77fa15cd731161e1c272abe622b0c547d3c8559e20ea79824338d41aac2eeda09391bd21b542e566f1b04d0de50ab16d8601d414f7bbb42d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
844cd6f098748dc6eb79fb5d3a2db3eb

SHA1
51ae1dd868515d6016cd8288271a7ce287784291

SHA256
365bfef3a3f45ab16aee3825ac3ec56910d73f520ec59a99e5cc2c92dd8c6f3b

SHA512
ce9669dafd60d48609caa731b0b787b49079ffedc22e6e4371255b30f4d592d4d31f653470d4547913d19a4ad1b9a5b662e54553280bb6a3df221a6e768e79d5

Download Submit