Analysis

max time kernel: 1680s
max time network: 1687s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06-11-2024 18:51
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://app.atera.com/breeze/genericticketing/getagentsetupmsi?customerId=1&customerName=Unassigned&[email protected]&accountId=001Q300000Mtyy9IAB
Resource: win11-20241007-en

General

Target: http://app.atera.com/breeze/genericticketing/getagentsetupmsi?customerId=1&customerName=Unassigned&[email protected]&accountId=001Q300000Mtyy9IAB
Malware Config
Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.

AteraAgent family

Detects AteraAgent  1 IoCs
Processes:
  resource                                      yara_rule
  behavioral1/files/0x001900000002abc4-26.dat   family_ateraagent

A potential corporate email address has been identified in the URL: [email protected]
Enumerates system info in registry  2 TTPs  3 IoCs
Processes:
  description        ioc                                                                     Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
NTFS ADS  1 IoCs
Processes:
  description                    ioc                                                            Process
  File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 354023.crdownload:SmartScreen   msedge.exe
Suspicious behavior: EnumeratesProcesses  12 IoCs
Processes:
  pid    Process
  1620   msedge.exe            (2 entries)
  2468   msedge.exe            (2 entries)
  2124   msedge.exe            (2 entries)
  3780   identity_helper.exe   (2 entries)
  908    msedge.exe            (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  7 IoCs
Processes:
  pid    Process
  2468   msedge.exe   (7 entries)
Suspicious use of FindShellTrayWindow  33 IoCs
Processes:
  pid    Process
  2468   msedge.exe   (33 entries)
Suspicious use of SendNotifyMessage  12 IoCs
Processes:
  pid    Process
  2468   msedge.exe   (12 entries)
Suspicious use of WriteProcessMemory  64 IoCs
Processes:
  description                         pid    Process      procid_target
  PID 2468 wrote to memory of 3640    2468   msedge.exe   77   (2 entries)
  PID 2468 wrote to memory of 4828    2468   msedge.exe   78   (40 entries)
  PID 2468 wrote to memory of 1620    2468   msedge.exe   79   (2 entries)
  PID 2468 wrote to memory of 2248    2468   msedge.exe   80   (20 entries)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://app.atera.com/breeze/genericticketing/getagentsetupmsi?customerId=1&customerName=Unassigned&[email protected]&accountId=001Q300000Mtyy9IAB
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2468

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefe1d3cb8,0x7ffefe1d3cc8,0x7ffefe1d3cd8
      PID: 3640

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
      PID: 4828

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1620

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      PID: 2248

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID: 4204

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      PID: 4368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
      PID: 2932

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 2124

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3780

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      PID: 2760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
      PID: 3168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
      PID: 4248

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
      PID: 1660

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8184075060594974205,12837156966045323025,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5080 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 908

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3528

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3772
Network
MITRE ATT&CK Enterprise v15
Downloads