Analysis

- max time kernel: 593s
- max time network: 602s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
- submitted: 12-05-2024 21:06

Static task: static1
Behavioral task: behavioral1
Sample: MrsMajor 3.0.zip
Resource: win10-20240404-en

General

- Target: MrsMajor 3.0.zip
- Size: 718KB
- MD5: 1ba1c2c09aec0555b2735de46ca99837
- SHA1: bcf87747109a6c0c77bbb4304b5d2d5cc4f1d05b
- SHA256: 88d20370bb431865ebd0f8fee1d22e27192cfed6abf96f5e37e258d35fcf83be
- SHA512: 0f4fd0c050004ada90867372f7682ac0c58e12e32ee4a92dafa27978772b36b0686196d2244dddfc18ca817e4ba59051208c25dbae2de6382957c60a23bc19e2
- SSDEEP: 12288:8v2uSBZjT5gj1YLHA5gL3Foozppgxa9mP29uu30F2GD/J9aKogClwwSPqTj:8eJpijSLHBL3d14wVSB/ogCuwSPqf
Malware Config

Signatures

UAC bypass (3 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)

Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 4696 is-Q2GVJ.tmp
- 4776 StartGuard.EXE
- 3944 eulascr.exe
- 4272 eulascr.exe
- 4924 eulascr.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 3944 eulascr.exe
- 4272 eulascr.exe
- 4924 eulascr.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matched (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe (agile_net)
- behavioral1/memory/3944-38-0x0000000000AF0000-0x0000000000B1A000-memory.dmp (agile_net)
- C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\AgileDotNet.VMRuntime.dll (agile_net)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: is-Q2GVJ.tmp
- Set value (str): \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\2IP StartGuard = "C:\\Program Files (x86)\\2IPStartGuard\\StartGuard.exe" (is-Q2GVJ.tmp)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (1 IoCs)
Processes: mmc.exe
- File opened for modification: C:\Windows\system32\devmgmt.msc (mmc.exe)

Drops file in Program Files directory (5 IoCs)
Processes: is-Q2GVJ.tmp
- File opened for modification: C:\Program Files (x86)\2IPStartGuard\unins000.dat (is-Q2GVJ.tmp)
- File created: C:\Program Files (x86)\2IPStartGuard\unins000.dat (is-Q2GVJ.tmp)
- File created: C:\Program Files (x86)\2IPStartGuard\is-U37RD.tmp (is-Q2GVJ.tmp)
- File created: C:\Program Files (x86)\2IPStartGuard\is-OOPJ5.tmp (is-Q2GVJ.tmp)
- File created: C:\Program Files (x86)\2IPStartGuard\is-8P7R6.tmp (is-Q2GVJ.tmp)

Drops file in Windows directory (50 IoCs)
Processes: mmc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 26 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: msinfo32.exe, mmc.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: msinfo32.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msinfo32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (msinfo32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease (msinfo32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease (msinfo32.exe)

Modifies registry class (1 IoCs)
Processes: control.exe
- Key created: \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings (control.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 3944 eulascr.exe
- 4272 eulascr.exe
- 4924 eulascr.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
- 5024 msinfo32.exe
- 4760 mmc.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (token, pid, process):
- Token: SeDebugPrivilege, 3944 eulascr.exe
- Token: SeDebugPrivilege, 4272 eulascr.exe
- Token: SeShutdownPrivilege, 3912 control.exe
- Token: SeCreatePagefilePrivilege, 3912 control.exe
- Token: 33, 4760 mmc.exe
- Token: SeIncBasePriorityPrivilege, 4760 mmc.exe
- Token: 33, 4760 mmc.exe
- Token: SeIncBasePriorityPrivilege, 4760 mmc.exe
- Token: SeDebugPrivilege, 4924 eulascr.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid, process):
- 4368 2IPStartGuard.exe
- 4696 is-Q2GVJ.tmp
- 4776 StartGuard.EXE
- 4924 MrsMajor 3.0.exe
- 2276 MrsMajor 3.0.exe
- 4760 mmc.exe
- 4760 mmc.exe
- 2632 MrsMajor 3.0.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source pid/process wrote to target pid/process):
- PID 4368 (2IPStartGuard.exe) wrote to memory of 4696 (is-Q2GVJ.tmp)
- PID 4368 (2IPStartGuard.exe) wrote to memory of 4696 (is-Q2GVJ.tmp)
- PID 4368 (2IPStartGuard.exe) wrote to memory of 4696 (is-Q2GVJ.tmp)
- PID 4696 (is-Q2GVJ.tmp) wrote to memory of 4776 (StartGuard.EXE)
- PID 4696 (is-Q2GVJ.tmp) wrote to memory of 4776 (StartGuard.EXE)
- PID 4696 (is-Q2GVJ.tmp) wrote to memory of 4776 (StartGuard.EXE)
- PID 4924 (MrsMajor 3.0.exe) wrote to memory of 4424 (wscript.exe)
- PID 4924 (MrsMajor 3.0.exe) wrote to memory of 4424 (wscript.exe)
- PID 4424 (wscript.exe) wrote to memory of 3944 (eulascr.exe)
- PID 4424 (wscript.exe) wrote to memory of 3944 (eulascr.exe)
- PID 2276 (MrsMajor 3.0.exe) wrote to memory of 4312 (wscript.exe)
- PID 2276 (MrsMajor 3.0.exe) wrote to memory of 4312 (wscript.exe)
- PID 4312 (wscript.exe) wrote to memory of 4272 (eulascr.exe)
- PID 4312 (wscript.exe) wrote to memory of 4272 (eulascr.exe)
- PID 3912 (control.exe) wrote to memory of 4760 (mmc.exe)
- PID 3912 (control.exe) wrote to memory of 4760 (mmc.exe)
- PID 2632 (MrsMajor 3.0.exe) wrote to memory of 2848 (wscript.exe)
- PID 2632 (MrsMajor 3.0.exe) wrote to memory of 2848 (wscript.exe)
- PID 2848 (wscript.exe) wrote to memory of 4924 (eulascr.exe)
- PID 2848 (wscript.exe) wrote to memory of 4924 (eulascr.exe)

System policy modification (1 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (wscript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (wscript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (wscript.exe)
Processes (child processes are indented under their parent)

C:\Windows\Explorer.exe
  cmd: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.zip"

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe
  cmd: "C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-AN4A3.tmp\is-Q2GVJ.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-AN4A3.tmp\is-Q2GVJ.tmp" /SL4 $701E6 "C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe" 265593 52736
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE
      cmd: "C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
  cmd: "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe
    cmd: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\65B0.tmp\65B1.tmp\65B2.vbs //Nologo
    - UAC bypass
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
  cmd: "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe
    cmd: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\A1FF.tmp\A200.vbs //Nologo
    - UAC bypass
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\eulascr.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\eulascr.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msinfo32.exe
  cmd: "C:\Windows\system32\msinfo32.exe"
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\control.exe
  cmd: "C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\mmc.exe
    cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
  cmd: "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe
    cmd: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\EDD8.tmp\EDD9.vbs //Nologo
    - UAC bypass
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\eulascr.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\eulascr.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads