Resubmissions

13-05-2024 11:02

240513-m5h7wscd52 10

12-05-2024 21:06

240512-zxtd4sah42 10

Analysis

  • max time kernel
    593s
  • max time network
    602s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12-05-2024 21:06

General

  • Target

    MrsMajor 3.0.zip

  • Size

    718KB

  • MD5

    1ba1c2c09aec0555b2735de46ca99837

  • SHA1

    bcf87747109a6c0c77bbb4304b5d2d5cc4f1d05b

  • SHA256

    88d20370bb431865ebd0f8fee1d22e27192cfed6abf96f5e37e258d35fcf83be

  • SHA512

    0f4fd0c050004ada90867372f7682ac0c58e12e32ee4a92dafa27978772b36b0686196d2244dddfc18ca817e4ba59051208c25dbae2de6382957c60a23bc19e2

  • SSDEEP

    12288:8v2uSBZjT5gj1YLHA5gL3Foozppgxa9mP29uu30F2GD/J9aKogClwwSPqTj:8eJpijSLHBL3d14wVSB/ogCuwSPqf

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.zip"
    1⤵
      PID:3268
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3140
      • C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe
        "C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\AppData\Local\Temp\is-AN4A3.tmp\is-Q2GVJ.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-AN4A3.tmp\is-Q2GVJ.tmp" /SL4 $701E6 "C:\Users\Admin\Desktop\MrsMajor 3.0\2IPStartGuard.exe" 265593 52736
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE
            "C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4776
      • C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
        "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\65B0.tmp\65B1.tmp\65B2.vbs //Nologo
          2⤵
          • UAC bypass
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4424
          • C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe
            "C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3944
      • C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
        "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\A1FF.tmp\A200.vbs //Nologo
          2⤵
          • UAC bypass
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4312
          • C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\eulascr.exe
            "C:\Users\Admin\AppData\Local\Temp\A1FE.tmp\eulascr.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
      • C:\Windows\system32\msinfo32.exe
        "C:\Windows\system32\msinfo32.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Suspicious behavior: GetForegroundWindowSpam
        PID:5024
      • C:\Windows\system32\control.exe
        "C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4760
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:4256
        • C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
          "C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\EDD8.tmp\EDD9.vbs //Nologo
            2⤵
            • UAC bypass
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2848
            • C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\eulascr.exe
              "C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\eulascr.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4924

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547) 1
  • Registry Run Keys / Startup Folder (T1547.001) 1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548) 1
  • Bypass User Account Control (T1548.002) 1
  • Boot or Logon Autostart Execution (T1547) 1
  • Registry Run Keys / Startup Folder (T1547.001) 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548) 1
  • Bypass User Account Control (T1548.002) 1
  • Impair Defenses (T1562) 1
  • Disable or Modify Tools (T1562.001) 1
  • Modify Registry (T1112) 3

Discovery

  • Query Registry (T1012) 3
  • System Information Discovery (T1082) 3
  • Peripheral Device Discovery (T1120) 1


Downloads

        • C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE
          Filesize

          515KB

          MD5

          f3c4fac2c4eb5bae1d1ac9e487a3219e

          SHA1

          81e8b4b8bfbdb4468bf6a3e47d4527513a4be267

          SHA256

          f5ddc74e15adcf5c4201bb185713143cd5028c506f19c06796e180c091e9a40a

          SHA512

          fefe8120c123504adc0465ccc928caef69748d7347bc5307e6f7cf3f5311070d3cc18db3ba1ca4736cae537afc74c91056cd467fd86cf96ee6ae79f7f7f9a520

        • C:\Program Files (x86)\2IPStartGuard\keys.ini
          Filesize

          546B

          MD5

          14124be1218ff90bf9095cce3dc3eff6

          SHA1

          35d59a6721e3a333bbd7cd20396b6826901d42cb

          SHA256

          20f4d3e8ea2844bee912511a97872c3d6ec3982d0a5c5f7fc1f94780441ff6d6

          SHA512

          4de9929a574a0be4bae61aac8b6224dfa5f9c2c8d50b55bfcbc0fb2130fba8f3533895fe7fbcbd2dd2d961608128b995c3ef7ff128bec5e1006f72c6b5f75d2c

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eulascr.exe.log
          Filesize

          1KB

          MD5

          0d24376e070853aeb373fb4efcd9c886

          SHA1

          5ed08b221c85e2cfcb883f06d9c7151ff81621b9

          SHA256

          582035d3b58f4c14d8951b45ee83a8843b93bb41c8a77fbc5a092ca116366fc7

          SHA512

          8d02310103958963d2e9a08b39e31048731fc385c0a66598ae4b35cc3131124092443601473e0632361eb3dcf8aa260c5e4a5b8ffc08a112970dc4619506cede

        • C:\Users\Admin\AppData\Local\Temp\65B0.tmp\65B1.tmp\65B2.vbs
          Filesize

          352B

          MD5

          3b8696ecbb737aad2a763c4eaf62c247

          SHA1

          4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

          SHA256

          ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

          SHA512

          713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

        • C:\Users\Admin\AppData\Local\Temp\65B0.tmp\eulascr.exe
          Filesize

          143KB

          MD5

          8b1c352450e480d9320fce5e6f2c8713

          SHA1

          d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

          SHA256

          2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

          SHA512

          2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

        • C:\Users\Admin\AppData\Local\Temp\EDD7.tmp\AgileDotNet.VMRuntime.dll
          Filesize

          49KB

          MD5

          266373fadd81120baeae3504e1654a5a

          SHA1

          1a66e205c7b0ba5cd235f35c0f2ea5f52fdea249

          SHA256

          0798779dc944ba73c5a9ce4b8781d79f5dd7b5f49e4e8ef75020de665bad8ccb

          SHA512

          12da48e8770dc511685fb5d843f73ef6b7e6747af021f4ba87494bba0ec341a6d7d3704f2501e2ad26822675e83fd2877467342aacdb2fd718e526dafd10506b

        • C:\Users\Admin\AppData\Local\Temp\is-AN4A3.tmp\is-Q2GVJ.tmp
          Filesize

          657KB

          MD5

          3dafb498bb15d5260cb2c12b391a0d48

          SHA1

          c775ae9fdf18ab0ce38a8adffabe378f461e79a1

          SHA256

          c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

          SHA512

          a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

        • \Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
          Filesize

          75KB

          MD5

          42b2c266e49a3acd346b91e3b0e638c0

          SHA1

          2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

          SHA256

          adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

          SHA512

          770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        • memory/3944-47-0x000000001E140000-0x000000001E666000-memory.dmp
          Filesize

          5.1MB

        • memory/3944-38-0x0000000000AF0000-0x0000000000B1A000-memory.dmp
          Filesize

          168KB

        • memory/3944-45-0x00007FFE59BC0000-0x00007FFE59CEC000-memory.dmp
          Filesize

          1.2MB

        • memory/3944-46-0x000000001DA40000-0x000000001DC02000-memory.dmp
          Filesize

          1.8MB

        • memory/4272-62-0x00007FFE59B20000-0x00007FFE59C4C000-memory.dmp
          Filesize

          1.2MB

        • memory/4368-0-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

        • memory/4368-28-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

        • memory/4696-27-0x0000000000400000-0x00000000004B3000-memory.dmp
          Filesize

          716KB

        • memory/4776-48-0x0000000000400000-0x0000000000489000-memory.dmp
          Filesize

          548KB

        • memory/4924-130-0x00007FFE59A00000-0x00007FFE59B2C000-memory.dmp
          Filesize

          1.2MB