ateraagent | hxxps://www[.]dropbox[.]com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF[.]msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1

Analysis

max time kernel
37s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF.msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1

Score

10^/10

ateraagent discovery rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023c67-30.dat	family_ateraagent

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772950846205250"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
4048	chrome.exe
4048	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
4048	chrome.exe
4048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4048 wrote to memory of 1532	4048	chrome.exe	83
PID 4048 wrote to memory of 1532	4048	chrome.exe	83
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 5112	4048	chrome.exe	84
PID 4048 wrote to memory of 3972	4048	chrome.exe	85
PID 4048 wrote to memory of 3972	4048	chrome.exe	85
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86
PID 4048 wrote to memory of 1468	4048	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF.msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa57dfcc40,0x7ffa57dfcc4c,0x7ffa57dfcc58
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,479918787055243074,16852104768001784489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:1636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a10d66a917e70d1bd89d387c3d131545

SHA1
863e0417b8145db3a372ca50753490e4d5dd69f0

SHA256
7aa54f248f688208ac381715bc24336b249348d3cd297c4380bdc82a7179937c

SHA512
6fd6491663d04ae8e4179d377d945f7c0dd28718a111c86012e654021645a8d8b5a775c470d88260e4a587a926623f9bf06226d3792f92d1d0b68cc660b0331c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3712a60357f7ad157e5bd3a3b5bfd22e

SHA1
71a2cb2ca4b4d58960ba6c9be648bff77333f564

SHA256
732961edb21a0d09be7fdcda7ed681e33a8c012d3e33b73c8df20cc5ddd08896

SHA512
e2cf6b36fe612470c5e672fd4adfb2a9c64e8d24f033910672098f5dc8367a0c02f78cf295fc5ec85c70bf8e06d2b6614e15bd6b053a8d52a80e23286cafcc92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
9a372daa79bd6b949cc0ef6f32b5a94c

SHA1
407409a7432bcc3288edadd1dc6adb935e704557

SHA256
6182b37a588697891f8513cb3890071528eb02d2e0d3a18527183aa7567285f5

SHA512
556f988eec1ec9eed1db69032598f2704a4dc9506390ba981adcb7993f1d1db4dd0921bf733542d1381a9cd4df7ce1b0e95e76d400b59aadd277bdecb5c10540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
544a18cf567d276b25c4fb3e0631710c

SHA1
764846d403bc69e8cb32d1e40a9975c6c8be75c1

SHA256
65c642ea8d20fbc5a67dd8490568974862806eb1fe3f1c9b73758b848a306c70

SHA512
0c60f93af98e29f6261b0537fd1910844dbd085445f5a4b30368960e478ffb725a10a3c0368be7b5182feb19fe6940f8b6fee0640d72b42e4077182d5d4d2a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6eb8f1bcab6c0893d31bccf35078ff6d

SHA1
2ae8c2de6fd31a79987d3682ef2621df3b36f16e

SHA256
ccd4f3357ddffea85c6bc0732d43b3e23f23270a57ce50922ccabcd44c24331c

SHA512
06b28a79efed6fe121530244b295b6e12dbbddad3fc62a0a3ae414347066d6054f668cf18f815a942a59197a921c04da34c88d57ba7448b86b07b89c8a69b405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
eb5a62615459eb2e3758898f06ea64af

SHA1
e8c2490ad468ed36dc6d1e8914d07218114f25af

SHA256
b99bf98e0845aafcddf67a23f69c00dcf446ad2a637f439d6d18f98b61512446

SHA512
a72c0c77da3cc8521cc26f9bc40d65dfeaeb632dfbfecc8fa78193afd2863a7ec3992fed51827931ea193e89eda7e9996dec38a4695b36d844f628a8e3f07115

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 734387.crdownload

Filesize
2.9MB

MD5
f465b1fcc2a013c09b110466b7da2e4f

SHA1
b757d1147482c38be1b610f4a03bc9ae1dea6294

SHA256
c55e23d9367d422993d826a69644bbcb93175980af52a0c461b8f0240644cf06

SHA512
c30fde00fa73e56d5ac2b49c51429e7aafd9d12602a1059d1e6e472c18e59d21778e73d11578b81cfff8da7b2e9b4a62b84e6fb7c3a45fc5527970e92120e240

Download Submit
\??\pipe\crashpad_4048_NJEAPMZBPWSBNJLL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit