Malware Analysis Report

2024-11-13 16:14

Sample ID: 240413-t9367aeh66
Target: MrsMajor3.0.exe
SHA256: 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
Tags: agilenet evasion trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK (Enterprise Matrix V15)
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

Threat Level: Known bad

The file MrsMajor3.0.exe was found to be: Known bad.

Malicious Activity Summary

Tags: agilenet evasion trojan

- UAC bypass
- Obfuscated with Agile.Net obfuscator
- Executes dropped EXE
- Loads dropped DLL
- Enumerates physical storage devices
- Unsigned PE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-13 16:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-13 16:46
Reported: 2024-04-13 16:49
Platform: win7-20240215-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"

Signatures

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msinfo32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | "C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe | "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\13A0.tmp\13A1.tmp\13A2.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | "C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | "C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | "C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Windows\system32\msinfo32.exe | "C:\Windows\system32\msinfo32.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\13A0.tmp\13A1.tmp\13A2.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/1664-8-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/1664-9-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp
memory/1664-10-0x000000001AD30000-0x000000001ADB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/1664-17-0x000007FEF3BF0000-0x000007FEF3D1C000-memory.dmp
memory/1664-18-0x000000001AD30000-0x000000001ADB0000-memory.dmp
memory/1664-19-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp
memory/780-22-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp
memory/780-25-0x000007FEF37D0000-0x000007FEF38FC000-memory.dmp
memory/780-27-0x000000001B150000-0x000000001B1D0000-memory.dmp
memory/780-26-0x000000001B150000-0x000000001B1D0000-memory.dmp
memory/780-21-0x00000000002C0000-0x00000000002EA000-memory.dmp
memory/780-28-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp
memory/2424-30-0x0000000000DD0000-0x0000000000DFA000-memory.dmp
memory/2424-33-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp
memory/2424-32-0x000007FEF3800000-0x000007FEF392C000-memory.dmp
memory/2424-34-0x0000000000B90000-0x0000000000C10000-memory.dmp
memory/2424-35-0x0000000000B90000-0x0000000000C10000-memory.dmp
memory/2424-36-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp