Analysis
- max time kernel: 215s
- max time network: 215s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 04:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: mm3.exe
- Resource: win7-20240221-en
General
- Target: mm3.exe
- Size: 381KB
- MD5: 35a27d088cd5be278629fae37d464182
- SHA1: d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
- SHA256: 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
- SHA512: eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5
- SSDEEP: 6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7
Malware Config
Signatures
UAC bypass (signature title reconstructed from the process tree, where the same wscript.exe instances are tagged "UAC bypass")
Processes:
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
- 2536 | eulascr.exe
- 1656 | eulascr.exe
- 2136 | eulascr.exe
- 860 | eulascr.exe
- 2516 | eulascr.exe
Loads dropped DLL 8 IoCs
Processes:
pid | process
- 2536 | eulascr.exe
- 1656 | eulascr.exe
- 1192 | (process name not recorded)
- 1192 | (process name not recorded)
- 1192 | (process name not recorded)
- 2136 | eulascr.exe
- 860 | eulascr.exe
- 2516 | eulascr.exe
Obfuscated with Agile.Net obfuscator 8 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\76C5.tmp\eulascr.exe | agile_net
- behavioral1/memory/2536-8-0x0000000000230000-0x000000000025A000-memory.dmp | agile_net
- behavioral1/memory/1656-28-0x00000000012E0000-0x000000000130A000-memory.dmp | agile_net
- C:\Users\Admin\AppData\Local\Temp\8298.tmp\AgileDotNet.VMRuntime.dll | agile_net
- behavioral1/memory/2136-47-0x0000000001300000-0x000000000132A000-memory.dmp | agile_net
- behavioral1/memory/2136-50-0x000000001B1D0000-0x000000001B250000-memory.dmp | agile_net
- behavioral1/memory/860-56-0x0000000000E30000-0x0000000000E5A000-memory.dmp | agile_net
- behavioral1/memory/2516-64-0x0000000000DA0000-0x0000000000DCA000-memory.dmp | agile_net
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
- 2536 | eulascr.exe
- 1656 | eulascr.exe
- 2136 | eulascr.exe
- 860 | eulascr.exe
- 2516 | eulascr.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
- 2544 | msinfo32.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
- Token: SeDebugPrivilege | 2536 | eulascr.exe
- Token: SeDebugPrivilege | 1656 | eulascr.exe
- Token: SeDebugPrivilege | 2136 | eulascr.exe
- Token: 33 | 376 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 376 | AUDIODG.EXE
- Token: 33 | 376 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 376 | AUDIODG.EXE
- Token: SeDebugPrivilege | 860 | eulascr.exe
- Token: SeDebugPrivilege | 2516 | eulascr.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
- 2136 | eulascr.exe
- 2136 | eulascr.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
- PID 2868 wrote to memory of 2596 | 2868 | mm3.exe | wscript.exe
- PID 2868 wrote to memory of 2596 | 2868 | mm3.exe | wscript.exe
- PID 2868 wrote to memory of 2596 | 2868 | mm3.exe | wscript.exe
- PID 2596 wrote to memory of 2536 | 2596 | wscript.exe | eulascr.exe
- PID 2596 wrote to memory of 2536 | 2596 | wscript.exe | eulascr.exe
- PID 2596 wrote to memory of 2536 | 2596 | wscript.exe | eulascr.exe
- PID 1032 wrote to memory of 1796 | 1032 | mm3.exe | wscript.exe
- PID 1032 wrote to memory of 1796 | 1032 | mm3.exe | wscript.exe
- PID 1032 wrote to memory of 1796 | 1032 | mm3.exe | wscript.exe
- PID 1796 wrote to memory of 1656 | 1796 | wscript.exe | eulascr.exe
- PID 1796 wrote to memory of 1656 | 1796 | wscript.exe | eulascr.exe
- PID 1796 wrote to memory of 1656 | 1796 | wscript.exe | eulascr.exe
- PID 3004 wrote to memory of 2504 | 3004 | mm3.exe | wscript.exe
- PID 3004 wrote to memory of 2504 | 3004 | mm3.exe | wscript.exe
- PID 3004 wrote to memory of 2504 | 3004 | mm3.exe | wscript.exe
- PID 3004 wrote to memory of 2504 | 3004 | mm3.exe | wscript.exe
- PID 3004 wrote to memory of 2504 | 3004 | mm3.exe | wscript.exe
- PID 2504 wrote to memory of 2136 | 2504 | wscript.exe | eulascr.exe
- PID 2504 wrote to memory of 2136 | 2504 | wscript.exe | eulascr.exe
- PID 2504 wrote to memory of 2136 | 2504 | wscript.exe | eulascr.exe
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
- Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
- Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Processes (indentation shows the parent/child relationship; the original tree marked depth as 1, 2, 3)
- C:\Users\Admin\AppData\Local\Temp\mm3.exe (PID 2868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mm3.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 2596)
    Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\76C5.tmp\76C6.tmp\76C7.vbs //Nologo
    Signatures: UAC bypass; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\76C5.tmp\eulascr.exe (PID 2536)
      Command line: "C:\Users\Admin\AppData\Local\Temp\76C5.tmp\eulascr.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\verclsid.exe (PID 1676)
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- C:\Users\Admin\AppData\Local\Temp\mm3.exe (PID 1032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mm3.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 1796)
    Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\79F.tmp\7AF.tmp\7B0.vbs //Nologo
    Signatures: UAC bypass; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\79F.tmp\eulascr.exe (PID 1656)
      Command line: "C:\Users\Admin\AppData\Local\Temp\79F.tmp\eulascr.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wermgr.exe (PID 2776)
  Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1192" "3472"
- C:\Users\Admin\AppData\Local\Temp\mm3.exe (PID 3004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mm3.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 2504)
    Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8298.tmp\8299.tmp\829A.vbs //Nologo
    Signatures: UAC bypass; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe (PID 2136)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE (PID 376)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x490
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe (PID 860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wermgr.exe (PID 1572)
  Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1192" "3972"
- C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe (PID 2516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8298.tmp\eulascr.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msinfo32.exe (PID 2544)
  Command line: "C:\Windows\system32\msinfo32.exe"
  Signatures: Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 352B
  MD5: 3b8696ecbb737aad2a763c4eaf62c247
  SHA1: 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
  SHA256: ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
  SHA512: 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
- Filesize: 143KB
  MD5: 8b1c352450e480d9320fce5e6f2c8713
  SHA1: d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
  SHA256: 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
  SHA512: 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc
- Filesize: 49KB
  MD5: 266373fadd81120baeae3504e1654a5a
  SHA1: 1a66e205c7b0ba5cd235f35c0f2ea5f52fdea249
  SHA256: 0798779dc944ba73c5a9ce4b8781d79f5dd7b5f49e4e8ef75020de665bad8ccb
  SHA512: 12da48e8770dc511685fb5d843f73ef6b7e6747af021f4ba87494bba0ec341a6d7d3704f2501e2ad26822675e83fd2877467342aacdb2fd718e526dafd10506b
- Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81