10d7fbe8cbea8898eee9f5b24e927818feb24c863f3e7ba5779beb28f5168094

Analysis

max time kernel
161s
max time network
172s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
12/06/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Atmospheres.exe
Size

36.3MB
MD5

f79184cae08a51e18b6d1786c3d26186
SHA1

ed2ceac734cf66afc2ce601db727f849b0d889e9
SHA256

768a7cc235b3554700baa0da43b77244107e4491dbda29624bb5c20d85a3562f
SHA512

03e78515b828f3f3ecda6b1b4f74e5f256e578679e6abcf4aa6f1ab63c9ecb4605267aae609f878fcc4c93ba3d41c49d8a3b5189132a50b568c99f6c9e9f1076
SSDEEP

786432:Pw3SZ99drXwBD/u1tnmeWLplh7tKK8czK2c5xx3/P517pKG9sm:PNZ99drw1/u1iLHzdHE3/AsH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
552	Atmospheres.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\ZAK Sound\Atmospheres\unins000.dat	Atmospheres.tmp
File created	C:\Program Files\ZAK Sound\Atmospheres\is-OFQH7.tmp	Atmospheres.tmp
File created	C:\Program Files\Common Files\VST3\is-3MNF1.tmp	Atmospheres.tmp
File opened for modification	C:\Program Files\ZAK Sound\Atmospheres\unins000.dat	Atmospheres.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
552	Atmospheres.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 552	2632	Atmospheres.exe	78
PID 2632 wrote to memory of 552	2632	Atmospheres.exe	78
PID 2632 wrote to memory of 552	2632	Atmospheres.exe	78

C:\Users\Admin\AppData\Local\Temp\Atmospheres.exe
"C:\Users\Admin\AppData\Local\Temp\Atmospheres.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\is-DCS8A.tmp\Atmospheres.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DCS8A.tmp\Atmospheres.tmp" /SL5="$40222,37270383,786432,C:\Users\Admin\AppData\Local\Temp\Atmospheres.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DCS8A.tmp\Atmospheres.tmp

Filesize
3.0MB

MD5
c1ba844b5fee9de3459bd932c0dbe015

SHA1
89f2db0ca7441c7c9ec50ec4fabb3bc3c7b7793c

SHA256
94389bfac148307b30cddcb45996570e32b8e5203f3b579bb9ca631689ee24fe

SHA512
d528889e71d7ba084af3fead3c1b2bb16df9b5d227fd18d50451f5204a9e9d6533a1ff114f7797e19c184bfe5869df200e8e5123dd023000368808cfb1394433

Download Submit
memory/552-7-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/552-9-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/552-31-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/552-34-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2632-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2632-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2632-8-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2632-35-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download