Analysis Overview
SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
Threat Level: Known bad
The file MrsMajor3.0.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-12 22:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-12 22:13
Reported
2024-04-12 22:16
Platform
win7-20240215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1804 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 1804 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 1804 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2256 wrote to memory of 3056 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe |
| PID 2256 wrote to memory of 3056 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe |
| PID 2256 wrote to memory of 3056 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\934.tmp\935.tmp\936.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe"
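The process tree and registry rows above describe a compact chain: the submitted binary writes into a wscript.exe child that runs a .vbs from a nested `*.tmp` directory under the user's Temp folder, that script host sets `ConsentPromptBehaviorAdmin` to 0 (the "Elevate without prompting" setting, so administrators stop seeing the UAC consent dialog), and then launches the dropped eulascr.exe from the same Temp tree. The detection logic below is an added example, not code from the sandbox report or from the sample: the event records are constructed from the behavioral1 rows in a Sysmon-like shape (event id 1 for process creation, id 13 for a registry value set); the field names are an assumption and must be mapped onto whatever telemetry you actually collect.

```python
"""Detection logic for the behavioral1 execution chain.

Added example, not code from the sandbox report or from the sample. The
EVENTS list is constructed from the Signatures and Processes rows in a
Sysmon-like shape (id 1 = process create, id 13 = registry value set);
the field names are an assumption and must be mapped onto real telemetry.
"""
import re
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\system32"

# Constructed events: the three report processes plus one benign
# explorer.exe -> notepad.exe launch that must not trigger anything.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 1804, "ppid": 1000, "image": TEMP + r"\MrsMajor3.0.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + TEMP + r'\MrsMajor3.0.exe"'},
    {"id": 1, "pid": 2256, "ppid": 1804, "image": SYS32 + r"\wscript.exe",
     "parent_image": TEMP + r"\MrsMajor3.0.exe",
     "cmdline": '"' + SYS32 + r'\wscript.exe" ' + TEMP + r"\934.tmp\935.tmp\936.vbs //Nologo"},
    {"id": 13, "pid": 2256, "image": SYS32 + r"\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "pid": 3056, "ppid": 2256, "image": TEMP + r"\934.tmp\eulascr.exe",
     "parent_image": SYS32 + r"\wscript.exe",
     "cmdline": '"' + TEMP + r'\934.tmp\eulascr.exe"'},
    {"id": 1, "pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file argument anywhere below the user's Local\Temp tree.
TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\\S+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
UAC_VALUE_RE = re.compile(r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", re.I)
DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for the three behaviours seen in the report."""
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if ev["id"] == 1:
            image = basename(ev["image"])
            # wscript.exe started with a .vbs that lives under %TEMP%
            if image in SCRIPT_HOSTS and TEMP_SCRIPT_RE.search(ev["cmdline"]):
                findings.append(("script_host_runs_temp_script", ev["pid"]))
            # a script host launching a binary from %TEMP%: the drop-and-run step
            if basename(ev["parent_image"]) in SCRIPT_HOSTS and TEMP_DIR_RE.search(ev["image"]):
                findings.append(("script_host_spawned_temp_exe", ev["pid"]))
        elif ev["id"] == 13 and UAC_VALUE_RE.search(ev["target"]):
            m = DWORD_RE.search(ev["details"])
            # 0 = "Elevate without prompting": admins no longer see the UAC consent dialog
            if m and int(m.group(1), 16) == 0:
                findings.append(("uac_consent_prompt_disabled", ev["pid"]))
    return findings


def process_chain(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links from pid to the root and return image names, root first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["id"] == 1}
    chain: List[str] = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        if ev["ppid"] not in by_pid:          # parent never logged: use the recorded name
            chain.append(basename(ev["parent_image"]))
        pid = ev["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30} pid={pid} chain={' -> '.join(process_chain(EVENTS, pid))}")
```

The three rules are deliberately independent: a script host reading a script from Temp and a binary launched out of a `*.tmp` directory are each common enough in installers to be low-severity on their own, while a `ConsentPromptBehaviorAdmin` write to 0 from anything other than Group Policy or a known management tool should page someone regardless of the surrounding chain. Correlating them on the parent chain, as `process_chain` does, is what turns three weak signals into the high-confidence picture the report shows.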
Network
Files
C:\Users\Admin\AppData\Local\Temp\934.tmp\935.tmp\936.vbs
| MD5 | 3b8696ecbb737aad2a763c4eaf62c247 |
| SHA1 | 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5 |
| SHA256 | ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569 |
| SHA512 | 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb |
C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe
| MD5 | 8b1c352450e480d9320fce5e6f2c8713 |
| SHA1 | d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a |
| SHA256 | 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e |
| SHA512 | 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc |
memory/3056-8-0x0000000000370000-0x000000000039A000-memory.dmp
memory/3056-9-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp
memory/3056-10-0x000000001AF90000-0x000000001B010000-memory.dmp
\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
memory/3056-17-0x000007FEF4340000-0x000007FEF446C000-memory.dmp
memory/3056-18-0x000000001AF90000-0x000000001B010000-memory.dmp
memory/3056-19-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-12 22:13
Reported
2024-04-12 22:16
Platform
win10v2004-20240412-en
Max time kernel
95s
Max time network
86s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4304 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 4304 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 1456 wrote to memory of 2640 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe |
| PID 1456 wrote to memory of 2640 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3875.tmp\3876.tmp\3877.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\1d1f63a683b9410f8223060b0f9b0420 /t 4320 /p 2640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3875.tmp\3876.tmp\3877.vbs
| MD5 | 3b8696ecbb737aad2a763c4eaf62c247 |
| SHA1 | 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5 |
| SHA256 | ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569 |
| SHA512 | 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb |
C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe
| MD5 | 8b1c352450e480d9320fce5e6f2c8713 |
| SHA1 | d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a |
| SHA256 | 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e |
| SHA512 | 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc |
memory/2640-8-0x00000000003A0000-0x00000000003CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
memory/2640-15-0x00007FF94E080000-0x00007FF94E1CE000-memory.dmp
memory/2640-16-0x00007FF93E8D0000-0x00007FF93F391000-memory.dmp
memory/2640-17-0x00000000025E0000-0x00000000025F0000-memory.dmp
memory/2640-18-0x000000001D1A0000-0x000000001D362000-memory.dmp
memory/2640-19-0x000000001D8A0000-0x000000001DDC8000-memory.dmp
memory/2640-20-0x00000000025E0000-0x00000000025F0000-memory.dmp
memory/2640-21-0x00007FF93E8D0000-0x00007FF93F391000-memory.dmp
memory/2640-22-0x00000000025E0000-0x00000000025F0000-memory.dmp
memory/2640-23-0x00000000025E0000-0x00000000025F0000-memory.dmp
memory/2640-24-0x00000000025E0000-0x00000000025F0000-memory.dmp
memory/2640-26-0x00007FF93E8D0000-0x00007FF93F391000-memory.dmp
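Comparing the two Files sections shows which indicators survive across detonations: the `.tmp` directory and script names change from 934/935/936 to 3875/3876/3877, but the .vbs, eulascr.exe and AgileDotNetRT64.dll hashes are identical in both runs, and the GUID-named folder `5a530dfd-bc51-4992-a05d-f09d41a331d4` is the same on Windows 7 and Windows 10. The code below is an added example, not part of the sandbox report: it copies the paths and SHA-256 values from both runs, keeps only hashes seen in every run, and merges the differing path components into wildcard patterns; the `scratch.log` entry with an all-zero hash is constructed to show that single-run files are dropped, and folding `\Users\<name>\AppData\Local` into `%LOCALAPPDATA%` is a normalisation choice made here, not something the report states.

```python
"""Run-independent indicators from the behavioral1 and behavioral2 Files sections.

Added example, not part of the sandbox report. The two dictionaries copy the
dropped-file paths and SHA-256 values from the report; the extra scratch.log
entry in RUN2 (with an all-zero placeholder hash) is constructed to show that
files seen in only one run are discarded.
"""
import re
from typing import Dict, List, Optional

RUN1: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\934.tmp\935.tmp\936.vbs":
        "ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569",
    r"C:\Users\Admin\AppData\Local\Temp\934.tmp\eulascr.exe":
        "2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e",
    r"\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll":
        "adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29",
}
RUN2: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\3875.tmp\3876.tmp\3877.vbs":
        "ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569",
    r"C:\Users\Admin\AppData\Local\Temp\3875.tmp\eulascr.exe":
        "2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e",
    r"C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll":
        "adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29",
    # constructed, not in the report: a file present in one run only
    r"C:\Users\Admin\AppData\Local\Temp\3875.tmp\scratch.log": "0" * 64,
}


def normalize(path: str) -> str:
    """Drop the drive letter and fold the profile-specific prefix into %LOCALAPPDATA%."""
    path = re.sub(r"^[A-Za-z]:", "", path)
    return re.sub(r"^\\Users\\[^\\]+\\AppData\\Local", "%LOCALAPPDATA%", path, flags=re.I)


def merge_component(values: List[str]) -> str:
    """Keep a component shared by all runs; otherwise wildcard it, preserving the extension."""
    if len(set(values)) == 1:
        return values[0]
    exts = {v.rsplit(".", 1)[1].lower() for v in values if "." in v}
    if len(exts) == 1 and all("." in v for v in values):
        return "*." + exts.pop()
    return "*"


def path_pattern(paths: List[str]) -> Optional[str]:
    parts = [normalize(p).split("\\") for p in paths]
    if len({len(p) for p in parts}) != 1:
        return None                      # different depth: no single pattern
    return "\\".join(merge_component(list(col)) for col in zip(*parts))


def stable_indicators(*runs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each SHA-256 present in every run to the merged path pattern."""
    seen: Dict[str, Dict[int, str]] = {}
    for i, run in enumerate(runs):
        for path, sha in run.items():
            seen.setdefault(sha, {})[i] = path
    return {sha: path_pattern(list(by_run.values()))
            for sha, by_run in seen.items() if len(by_run) == len(runs)}


def pattern_matches(pattern: str, path: str) -> bool:
    """'*' matches within one path component only, unlike fnmatch."""
    rx = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(rx, normalize(path), re.I) is not None


if __name__ == "__main__":
    for sha, pattern in stable_indicators(RUN1, RUN2).items():
        print(sha, pattern)
```

For this sample the output is three hash-to-pattern pairs: `%LOCALAPPDATA%\Temp\*.tmp\*.tmp\*.vbs`, `%LOCALAPPDATA%\Temp\*.tmp\eulascr.exe` and the fixed GUID folder holding AgileDotNetRT64.dll. Hunt on the hashes first and the patterns second; the .tmp names are per-run, so a rule keyed on `934.tmp` would never fire again. One caveat when reading behavioral2: its process list ends with `werfault.exe ... /p 2640`, and 2640 is the PID wscript.exe wrote to (eulascr.exe), so Windows Error Reporting was invoked for the dropped payload on the Windows 10 image and that run may not reflect the sample's full behaviour.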