Resubmissions
12-04-2024 22:28
240412-2d43lsfe55 10Analysis
-
max time kernel
59s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-04-2024 16:47
Static task
static1
Errors
General
-
Target
MrsMajor3.0.exe
-
Size
381KB
-
MD5
35a27d088cd5be278629fae37d464182
-
SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
-
SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
-
SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5
-
SSDEEP
6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7
Malware Config
Signatures
-
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MrsMajor3.0.exewscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation MrsMajor3.0.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
eulascr.exepid process 5060 eulascr.exe -
Loads dropped DLL 1 IoCs
Processes:
eulascr.exepid process 5060 eulascr.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe agile_net behavioral1/memory/5060-8-0x0000000000C20000-0x0000000000C4A000-memory.dmp agile_net -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
eulascr.exetaskmgr.exepid process 5060 eulascr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
eulascr.exetaskmgr.exedescription pid process Token: SeDebugPrivilege 5060 eulascr.exe Token: SeDebugPrivilege 3332 taskmgr.exe Token: SeSystemProfilePrivilege 3332 taskmgr.exe Token: SeCreateGlobalPrivilege 3332 taskmgr.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
taskmgr.exeeulascr.exepid process 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 5060 eulascr.exe 5060 eulascr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe -
Suspicious use of SendNotifyMessage 43 IoCs
Processes:
taskmgr.exepid process 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe 3332 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 5092 LogonUI.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
MrsMajor3.0.exewscript.exedescription pid process target process PID 4176 wrote to memory of 2388 4176 MrsMajor3.0.exe wscript.exe PID 4176 wrote to memory of 2388 4176 MrsMajor3.0.exe wscript.exe PID 2388 wrote to memory of 5060 2388 wscript.exe eulascr.exe PID 2388 wrote to memory of 5060 2388 wscript.exe eulascr.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\F9E2.tmp\F9E3.vbs //Nologo2⤵
- UAC bypass
- Checks computer location settings
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5060
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:4616
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa394e855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5092
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
352B
MD53b8696ecbb737aad2a763c4eaf62c247
SHA14a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
-
Filesize
143KB
MD58b1c352450e480d9320fce5e6f2c8713
SHA1d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA2562c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA5122d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc