Resubmissions

12-04-2024 22:28 | 240412-2d43lsfe55 | Score 10

Analysis

  • max time kernel
    59s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-04-2024 16:47

Errors

Reason
Machine shutdown

General

  • Target

    MrsMajor3.0.exe

  • Size

    381KB

  • MD5

    35a27d088cd5be278629fae37d464182

  • SHA1

    d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

  • SHA256

    4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

  • SHA512

    eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

  • SSDEEP

    6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\F9E2.tmp\F9E3.vbs //Nologo
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2388
      • C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe
        "C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:5060
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3332
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4616
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa394e855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
    Filesize: 75KB
    MD5: 42b2c266e49a3acd346b91e3b0e638c0
    SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
    SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
    SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\F9E2.tmp\F9E3.vbs
    Filesize: 352B
    MD5: 3b8696ecbb737aad2a763c4eaf62c247
    SHA1: 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
    SHA256: ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
    SHA512: 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

  • C:\Users\Admin\AppData\Local\Temp\F9E1.tmp\eulascr.exe
    Filesize: 143KB
    MD5: 8b1c352450e480d9320fce5e6f2c8713
    SHA1: d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
    SHA256: 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
    SHA512: 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

  • memory/3332-27-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-33-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-28-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-29-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-31-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-32-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-30-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-21-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-22-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/3332-23-0x0000026EB8D00000-0x0000026EB8D01000-memory.dmp (Filesize: 4KB)
  • memory/5060-20-0x000000001E390000-0x000000001E8B8000-memory.dmp (Filesize: 5.2MB)
  • memory/5060-19-0x000000001DC90000-0x000000001DE52000-memory.dmp (Filesize: 1.8MB)
  • memory/5060-18-0x000000001B890000-0x000000001B8A0000-memory.dmp (Filesize: 64KB)
  • memory/5060-17-0x00007FFD3E670000-0x00007FFD3E7BE000-memory.dmp (Filesize: 1.3MB)
  • memory/5060-9-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp (Filesize: 10.8MB)
  • memory/5060-8-0x0000000000C20000-0x0000000000C4A000-memory.dmp (Filesize: 168KB)
  • memory/5060-11-0x000000001B890000-0x000000001B8A0000-memory.dmp (Filesize: 64KB)
  • memory/5060-34-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp (Filesize: 10.8MB)
  • memory/5060-35-0x000000001B890000-0x000000001B8A0000-memory.dmp (Filesize: 64KB)
  • memory/5060-36-0x000000001B890000-0x000000001B8A0000-memory.dmp (Filesize: 64KB)
  • memory/5060-37-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp (Filesize: 10.8MB)