Analysis Overview
SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
Threat Level: Known bad
The file MrsMajor3.0.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-13 16:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-13 16:46
Reported
2024-04-13 16:49
Platform
win7-20240215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msinfo32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2740 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2740 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2204 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe |
| PID 2204 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe |
| PID 2204 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\13A0.tmp\13A1.tmp\13A2.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe"
C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\13A1.tmp\13A2.vbs
| MD5 | 3b8696ecbb737aad2a763c4eaf62c247 |
| SHA1 | 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5 |
| SHA256 | ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569 |
| SHA512 | 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb |
C:\Users\Admin\AppData\Local\Temp\13A0.tmp\eulascr.exe
| MD5 | 8b1c352450e480d9320fce5e6f2c8713 |
| SHA1 | d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a |
| SHA256 | 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e |
| SHA512 | 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc |
memory/1664-8-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/1664-9-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp
memory/1664-10-0x000000001AD30000-0x000000001ADB0000-memory.dmp
\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
memory/1664-17-0x000007FEF3BF0000-0x000007FEF3D1C000-memory.dmp
memory/1664-18-0x000000001AD30000-0x000000001ADB0000-memory.dmp
memory/1664-19-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp
memory/780-22-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp
memory/780-25-0x000007FEF37D0000-0x000007FEF38FC000-memory.dmp
memory/780-27-0x000000001B150000-0x000000001B1D0000-memory.dmp
memory/780-26-0x000000001B150000-0x000000001B1D0000-memory.dmp
memory/780-21-0x00000000002C0000-0x00000000002EA000-memory.dmp
memory/780-28-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp
memory/2424-30-0x0000000000DD0000-0x0000000000DFA000-memory.dmp
memory/2424-33-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp
memory/2424-32-0x000007FEF3800000-0x000007FEF392C000-memory.dmp
memory/2424-34-0x0000000000B90000-0x0000000000C10000-memory.dmp
memory/2424-35-0x0000000000B90000-0x0000000000C10000-memory.dmp
memory/2424-36-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp