Analysis

  • max time kernel: 149s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-11-2024 19:31

General

  • Target

    https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.dropbox.com%2fscl%2ffi%2fr7v1torcte1baaktr8429%2flaudovisitabombeirosPdf.msi%3frlkey%3d5rkg59mdngwn7vemwgb3nh98y%26st%3d6a96933q%26dl%3d1&umid=a7eee369-f639-42ca-8ad0-70fbcbfef484&auth=27add3bc29ce6137fed87a33377943ba90e59956-291a210ae7f67027492f3032ebbc471fd78ffbca

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Ateraagent family
  • Detects AteraAgent 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.dropbox.com%2fscl%2ffi%2fr7v1torcte1baaktr8429%2flaudovisitabombeirosPdf.msi%3frlkey%3d5rkg59mdngwn7vemwgb3nh98y%26st%3d6a96933q%26dl%3d1&umid=a7eee369-f639-42ca-8ad0-70fbcbfef484&auth=27add3bc29ce6137fed87a33377943ba90e59956-291a210ae7f67027492f3032ebbc471fd78ffbca
    1⤵
    • System Time Discovery
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1be9cc40,0x7fff1be9cc4c,0x7fff1be9cc58
      2⤵
      PID:2912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
      2⤵
      PID:2612
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
      2⤵
      PID:1848
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:8
      2⤵
      PID:2016
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
      2⤵
      PID:1840
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
      2⤵
      PID:3220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
      2⤵
      PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1032,i,7908999885066595030,16896312557659823866,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=724 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2576
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:2680
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:5052

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize: 649B
    MD5: 9b976f6b17fdf6cf753226615f94f71e
    SHA1: 5d3297d2c85ce4b93afb6c2beaf8a101c1024d44
    SHA256: 66ba67cdbc383d1ec8c6eb60019e024087a3ee273db30d1aa525d43dda1c34aa
    SHA512: dd243d1fa17749770d19c16acd52cd80e105528515f3ba25c184e721430486acc8e638385f7c43597ff874511c08d3a04235d079c8c6bfd278cc23e2fa964d20

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: 69dada45019bf66f7089de3de5805421
    SHA1: 0d3fd3997a8262669aeb2891a8e0275e879906ca
    SHA256: 1db96f51bf759c6093e4901043be8b5254473a5de636cc7431ea7cf1d3c79fee
    SHA512: df3caae14f9021d866d6b43f21b62b0c1fa5c981a98557cdc66b94021c1497c40a7a770744ad1d535692b516352f816a2069ad0d5274d6d99b4a5e06d8365386

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: e32ac836f8b11e31420e5d1b556be96f
    SHA1: b8393c403863b4f1b65cc1d4f4c319f1650580dc
    SHA256: 101aa07f61c80af2f6790888a9bd5609cfed9eb3359e0d2cc209ed5fdbfb0875
    SHA512: ef9b8e7b555fc7d4e6fc00592afeec02ab19a59bd97b5704b6d5108278faeff13b6bd2a164cd6d13a22f1d755c5eba017e5aac7a1b3f2ca6c55eee7067764db6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 690B
    MD5: b6a997ea268e28974675cfbea597f902
    SHA1: 95b61819e78c666d1d75852f169113e9d02ee32e
    SHA256: 54618562ccefe81424d8b310843df71e7ef0dd94fb7d2bd7e8a27844a5db1cd9
    SHA512: d4cab6c058fd21d7c7b9f5d3cce0f9a4c06d02f68e8369b56a299833828dc7c8ca5abb9f3a86f68a6d4e1e96eb7e462afb8ab23885aeab0b2c829ad0ea077375

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: f4017a1bd8c1672048f3d215aa22211d
    SHA1: 3ee6b222193eca575ea964c075c1002b4d419865
    SHA256: 294f15b1f0e3a0ac7f3eeca69528fc180d43ba0a24a290c3422363bc3c883c46
    SHA512: 15efba1903cae31f65c443199214465082733be625c85a2ccaad31d98399e55a2569fb36dcf5e69079b5d0659ef4912284124d9e59c94e296a20da4c3b007592

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 6f1de3b752ccd479b16c5d0e4b367c29
    SHA1: 79523895a986a67486bc552c95ea2da3007e74b2
    SHA256: df72ef96d489749b25da00c440c9b3da5f0872765b90d1b2ef7c74759ea35591
    SHA512: a96d3d2aceaeff553ff62522d85cdf30663522d3b561dbcf90c32c2bffd4d8904be3a4a2e9a474abf39783dd0a17901e1808e6015de8bf9ff49fa932fe92b0e5

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: bd27ac5bd0bf317c2bfd5fca017e9ec0
    SHA1: 541fe38e96c84e624e7addd1ff0aeec2031875b4
    SHA256: 473fce44b92b10ce2950f945d9ff42db8e4b1e0096941e03d868d3d36700fe2f
    SHA512: de4daa467294f76a5015c67f9b2d75809d559236dde66392572b18b3db3cdf063caca08f59b30b7c9a5719ca9716275a24936c18b51fe29abf61a3887cc3dbca

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 3a8adbe36904b1847c8a260f48d44d42
    SHA1: 8a79bf344b25470d17e8fbcf49d13c73d9776c65
    SHA256: ba8763e5795d3306b17bc3f8e143ac2a25f4a783b1535ddd28f205f58331ce79
    SHA512: 0efe46e842298ae91862e4a3ce0682fd3c2312bc9516df8ad795d7d02117dcb572dbf568d363742fd17117cc0b1ae4a53f95955e344ab18e085de49f0d5ff001

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 27b39ab93d3db45f98a5eb8722d19967
    SHA1: 40d102a8f0409252a324b902024bbfcd49e7760a
    SHA256: 68342403b275a8f684f866bfe5209882de566e20ab47f4945a67a4b564e1433d
    SHA512: a3255aaaf052fab8cde1c7a735a8d8019d181ceb5d87cf9e5cde2cab732b66de4e020e63023013695c45c9d1c986eaa028803ff1708a647f414ad5bbfa4c298d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 4c50c1d9af5774ed8dff86bd3802f088
    SHA1: bec513f36cf47bb42c1d08f4815d16aafa17ab72
    SHA256: d2296d9a4322793d3b4368f04e03acc5b8a4de2ea941c7be74b5ea307e92ec8e
    SHA512: f21ccc6cb9f63c8518532cae7d2ee4dbc6e6aedf968c9e3a2af4515881d5acdd7be7aac0b6445e6b04c230cfa55d7e5edb6471d2b77a4aa0b53547070136970f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: e0db27f1baba494a5ee65b898fee6c99
    SHA1: 20ef310822ac35a5307bfcfaf3b4123ae9ceb297
    SHA256: 7c615024dba27dcf34ba5af1e02b511a63dedb1d0d8b2f9b6dae3926dd9008ba
    SHA512: c84a3aefaf43dd3a0d4ae31c5547f6fa093f18aa563005f5bff536c91e3e31a96982d2d8f60416ea0ff2dc27914f0da332c092fec9cc46de0b391af33728ff8d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 116KB
    MD5: d4e32a19f9eff9608a7d2bdc743d1a8e
    SHA1: 63e150d28ff78dcfdcdce6df91f08d46a5bbd724
    SHA256: ffaa95d629468689ea3b101856b4b357576203e96ae80dabb16d558454e82513
    SHA512: c7b643bc7752573cbc610d2ebc6e4b8299d0a2d6f0eab21a133641eea36da2a322d1fbb2da409c8b4de3375fcc592c70909c407a0eb1d6c88b9435b5c3a17d19

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 116KB
    MD5: d332f86397b52e410f7b8aabc8b83e41
    SHA1: 14503cd17b690b59f9d43d4f6ed82c5812459f73
    SHA256: 5fb750c48eb919f2538b382f8e952965034efd479c6414d8fd54f8ea09252b29
    SHA512: 9f3bc55819250b975947039852a0ef2b6272abee249e9119e8eca8f1d1d9135d4847f97baa11df3fe6b8aaa5445f19f1cb31ccd0c92dc93149a1ee2195ba8a1a

  • C:\Users\Admin\Downloads\Unconfirmed 466169.crdownload
    Filesize: 2.9MB
    MD5: 1237a9140ac0333e8f4dff131a18635e
    SHA1: ad0621265080d50c2e6f56d6a87a53a448d8d8dd
    SHA256: 160d67508f3283df11379f4e5dfa87c68ead4fb9e355813b79560d56856012f4
    SHA512: 9c5f8621941eac95a00bc2aa8e23ec372a63994b61f287d90777a90c22c9557481fd5bfbb5cb621d2da9a11ae5b623dd73d27dc792842731a5d8f2ba03666742

  • \??\pipe\crashpad_3576_CWTSATFZTOGHWSKI
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e