Overview
overview
10Static
static
3MrsMajor 3.0.7z
windows7-x64
3MrsMajor 3.0.7z
windows10-1703-x64
3MrsMajor 3.0.7z
windows10-2004-x64
7MrsMajor 3.0.7z
windows11-21h2-x64
3MrsMajor 3.0.exe
windows7-x64
10MrsMajor 3.0.exe
windows10-1703-x64
10MrsMajor 3.0.exe
windows10-2004-x64
10MrsMajor 3.0.exe
windows11-21h2-x64
10Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2024 22:56
Static task
static1
Behavioral task
behavioral1
Sample
MrsMajor 3.0.7z
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MrsMajor 3.0.7z
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
MrsMajor 3.0.7z
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
MrsMajor 3.0.7z
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
MrsMajor 3.0.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
MrsMajor 3.0.exe
Resource
win10-20240221-en
Behavioral task
behavioral7
Sample
MrsMajor 3.0.exe
Resource
win10v2004-20240226-en
General
-
Target
MrsMajor 3.0.exe
-
Size
381KB
-
MD5
35a27d088cd5be278629fae37d464182
-
SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
-
SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
-
SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5
-
SSDEEP
6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7
Malware Config
Signatures
-
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MrsMajor 3.0.exewscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation MrsMajor 3.0.exe Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
eulascr.exepid process 4996 eulascr.exe -
Loads dropped DLL 1 IoCs
Processes:
eulascr.exepid process 4996 eulascr.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3B34.tmp\eulascr.exe agile_net behavioral7/memory/4996-8-0x0000000000370000-0x000000000039A000-memory.dmp agile_net behavioral7/memory/4996-17-0x000000001B080000-0x000000001B090000-memory.dmp agile_net -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
eulascr.exepid process 4996 eulascr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
eulascr.exedescription pid process Token: SeDebugPrivilege 4996 eulascr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
MrsMajor 3.0.exewscript.exedescription pid process target process PID 2928 wrote to memory of 2312 2928 MrsMajor 3.0.exe wscript.exe PID 2928 wrote to memory of 2312 2928 MrsMajor 3.0.exe wscript.exe PID 2312 wrote to memory of 4996 2312 wscript.exe eulascr.exe PID 2312 wrote to memory of 4996 2312 wscript.exe eulascr.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.exe"C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3B34.tmp\3B35.tmp\3B36.vbs //Nologo2⤵
- UAC bypass
- Checks computer location settings
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\3B34.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\3B34.tmp\eulascr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
352B
MD53b8696ecbb737aad2a763c4eaf62c247
SHA14a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
-
Filesize
143KB
MD58b1c352450e480d9320fce5e6f2c8713
SHA1d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA2562c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA5122d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81