Overview

overview

10

Static

static

1

MrsMajor 3.0.7z

windows7-x64

3

MrsMajor 3.0.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2024 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MrsMajor 3.0.7z

  • Size

    234KB

  • MD5

    fedb45ddbd72fc70a81c789763038d81

  • SHA1

    f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a

  • SHA256

    eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2

  • SHA512

    813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298

  • SSDEEP

    6144:HMMAgnxjSgdHCueEVIzAMAcqXvYEC86TFSQ:HagxjSg1xrIzAMAcuI5TFT

Score
10/10
agilenetevasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:400
  • C:\Users\Admin\Desktop\MrsMajor 3.0.exe
    "C:\Users\Admin\Desktop\MrsMajor 3.0.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5FCA.tmp\5FCB.tmp\5FCC.vbs //Nologo
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\5FCA.tmp\eulascr.exe
        "C:\Users\Admin\AppData\Local\Temp\5FCA.tmp\eulascr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2160
  • C:\Users\Admin\Desktop\MrsMajor 3.0.exe
    "C:\Users\Admin\Desktop\MrsMajor 3.0.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:180
    • C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EE3E.tmp\EE4F.tmp\EE50.vbs //Nologo
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\EE3E.tmp\eulascr.exe
        "C:\Users\Admin\AppData\Local\Temp\EE3E.tmp\eulascr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5FCA.tmp\5FCB.tmp\5FCC.vbs
    Filesize

    352B

    MD5

    3b8696ecbb737aad2a763c4eaf62c247

    SHA1

    4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

    SHA256

    ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

    SHA512

    713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5FCA.tmp\eulascr.exe
    Filesize

    143KB

    MD5

    8b1c352450e480d9320fce5e6f2c8713

    SHA1

    d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

    SHA256

    2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

    SHA512

    2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    Download Submit

  • C:\Users\Admin\Desktop\MrsMajor 3.0.exe
    Filesize

    381KB

    MD5

    35a27d088cd5be278629fae37d464182

    SHA1

    d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

    SHA256

    4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

    SHA512

    eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

    Download Submit

  • memory/1032-35-0x00007FFBE4DC0000-0x00007FFBE4F0E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1032-37-0x0000000003000000-0x0000000003010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1032-36-0x00007FFBE65D0000-0x00007FFBE7091000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2160-12-0x0000000000410000-0x000000000043A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2160-22-0x00007FFBE65D0000-0x00007FFBE7091000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2160-23-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-21-0x00007FFBE4DC0000-0x00007FFBE4F0E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2160-14-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2160-13-0x00007FFBE65D0000-0x00007FFBE7091000-memory.dmp

    Filesize

    10.8MB

    Download