Overview

overview

3

Static

static

1

MrsMajor 3.0.7z

windows7-x64

3

MrsMajor 3.0.7z

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MrsMajor 3.0.7z

  • Size

    234KB

  • MD5

    fedb45ddbd72fc70a81c789763038d81

  • SHA1

    f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a

  • SHA256

    eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2

  • SHA512

    813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298

  • SSDEEP

    6144:HMMAgnxjSgdHCueEVIzAMAcqXvYEC86TFSQ:HagxjSg1xrIzAMAcuI5TFT

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
        3⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2860
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
          4⤵
            PID:1924
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
            4⤵
              PID:2824
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
              4⤵
                PID:1792
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\MrsMajor 3.0.7z
                4⤵
                  PID:1228

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\~DF8D06A582F95641DE.TMP
            Filesize

            16KB

            MD5

            e64a9976cd254a585a62aead9aff0507

            SHA1

            440c588a895803307372bbf4303c72fd800e160b

            SHA256

            4bfc410539c6edb3480c51f23e525462da3c62ec88bec0cbf0fb0b72d8531ffa

            SHA512

            a8d0af1f7249b5e37be623140dcb3dab032e065d00a1d743e5601ede6b7ea510819d89354639b56b3504a23dae9b0a572f7cde1ffcf9c79deac06db7ffdf889a

            Download Submit