Analysis

  • max time kernel
    19s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 12:23

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Zusyaku/Malware-Collection-Part-2/releases/download/2.0/MrsMajor3.0.exe

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Possible privilege escalation attempt 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 7 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Zusyaku/Malware-Collection-Part-2/releases/download/2.0/MrsMajor3.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Zusyaku/Malware-Collection-Part-2/releases/download/2.0/MrsMajor3.0.exe
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.0.941411813\579590" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1152 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {836c13d7-0106-49fa-a408-14d6af8add3a} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 1352 43f2858 gpu
        3⤵
          PID:2904
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.1.1984784455\1565434754" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07269c0f-8835-4b0b-bae2-c2e81ce83301} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 1512 4303258 socket
          3⤵
          • Checks processor information in registry
          PID:2724
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.2.519185613\1392646606" -childID 1 -isForBrowser -prefsHandle 1948 -prefMapHandle 2068 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e8e237e-aab7-4d36-9e6b-3519025560b4} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 2052 1aca2758 tab
          3⤵
            PID:2144
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.3.1854531060\227443935" -childID 2 -isForBrowser -prefsHandle 2852 -prefMapHandle 2856 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {379e36a6-95fc-499a-b51f-e5ab87493a40} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 2868 1dd94e58 tab
            3⤵
              PID:1764
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.4.27054054\1180816446" -childID 3 -isForBrowser -prefsHandle 3548 -prefMapHandle 3552 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f206793-9134-4cb2-b228-7c3993c11612} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 3536 1c14d858 tab
              3⤵
                PID:576
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.5.783804220\1883894191" -childID 4 -isForBrowser -prefsHandle 3660 -prefMapHandle 3664 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f15628-6c77-40b5-bfb9-6b64a72cb22e} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 3648 1f5b0558 tab
                3⤵
                  PID:1780
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.6.1903644050\2092087412" -childID 5 -isForBrowser -prefsHandle 3684 -prefMapHandle 3580 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a62438f5-464a-4410-8dfb-ddda98c9759d} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 3748 1f5aea58 tab
                  3⤵
                    PID:1332
                  • C:\Users\Admin\Downloads\MrsMajor3.0.exe
                    "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1588
                    • C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
                      "C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"
                      4⤵
                      • Modifies WinLogon for persistence
                      • UAC bypass
                      • Disables RegEdit via registry modification
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Sets desktop wallpaper using registry
                      • Drops file in Windows directory
                      • Modifies Control Panel
                      • System policy modification
                      PID:1996
                      • C:\windows\system32\takeown.exe
                        "C:\windows\system32\takeown.exe" /f C:\
                        5⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:2344
                      • C:\windows\system32\icacls.exe
                        "C:\windows\system32\icacls.exe" C:\ /granted "Admin":F
                        5⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:792
                      • C:\Windows\System32\shutdown.exe
                        "C:\Windows\System32\shutdown.exe" /r /t 00
                        5⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2128
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x0
                1⤵
                  PID:1408
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x1
                  1⤵
                    PID:292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 22KB
    MD5: 56faa91c9cb1acf170eb6881e0dc931a
    SHA1: ceedf53eb6e25dd301e663ccb602f8f849e85ed6
    SHA256: 7ac61ec8cd6fa22f362159674fe7b09f76a83519276566f302d45e74bbc00986
    SHA512: 798716cf64b9dbc025049a804e8d2a7c886664ff94fd16a201bccb0c08bf88dd39327b245750ee93f1168e8dbfc1116b8b03e547d25026be6a119c23ec0d869b

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB
    MD5: 6635ceaf4dc721f79820be961984cabb
    SHA1: bde42be20e486ac0bb04bfdb7e280ab649ccdebe
    SHA256: 6adc29eed49fd35109fcfb6cc1eacd1c3c9390bbb5abd3f02994d381e35e7e30
    SHA512: 6deab7ad8f5970a4e23c45981cb1a7f627e0aa3db1ea4433f13ea3c14246e09a45cdb0fe851338ba38a9324e558364dc78271e2ecf7fafb091863ad07e450ed8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: ac49047d0326406188562efad2753f10
    SHA1: 25db2d3f50dce2cd7b05331b9cdb2a6aca23954f
    SHA256: 7311d1624bf11bf111afc2fc1d5a568ddb19ce1b1f40ac347eaa4ef0bda55719
    SHA512: a571643ce802a28045930d3921bb43948a5ca74ac4c5882a831908ba270f40efb57f2df76c56e430ef848031b9f11a6f719910a12387ef7d454c3d1975ab0944

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\3187178f-6dee-4a62-87e5-0c8f9ae5cc21
    Filesize: 13KB
    MD5: 55c0d5cec91fc7b94dfe0a46e6bda5bf
    SHA1: 939ecf1accd7848be423322728e4d0f32fa456f8
    SHA256: 5053ae6d6c46d2a033fc84c01508736f16627e77464d35410e65929e84492b76
    SHA512: 2cd64000b38c28b835465b266b3aecbce640e17827bedb52138b085f4be3bf567a41d8e00fadf3b763a31f0f365dbd565c38f67afd6179cbcee35ae9ab0fdadc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\4f37e3ec-3bdc-4e26-87c4-7c2b08761420
    Filesize: 745B
    MD5: d4ed89f06115a22d736523df4cbfa9ac
    SHA1: e331e39cce3aa0ebc20af6793342a45405f62a2b
    SHA256: 039e9996aa0e41efd9c5c66a739481b4d85c80c9bae7d1966fd0bad3781fdc8b
    SHA512: 2923c204a708cac1a75aa2cc015b0f6e288a699a26067e80a9ad8294b8b8ff09cb91a2793810ead9716ef586e1b094155d928399aa26840b752b6bce85c7ddb4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs.js
    Filesize: 6KB
    MD5: 45f670300ce8ba77a0f0fa75b68968a5
    SHA1: 4fe6d096c1e0d4967b3ac73406b4a68fe3ff4532
    SHA256: 4e317bf9bab9971508f7f85a7d0731c4c0a1e2f09c22e45b44d5348a2084ea8e
    SHA512: cd221e6234864918cbfcf87a35d084722c88f9c68eacf11e2ca51b2ac4cd17cc51b0fa197886be2ca6cb36504f555cf3f1dfc29cb050ffe0b501bf5b58dbc1a3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs.js
    Filesize: 6KB
    MD5: 1ff164db397a0e9182b4677a7b802a31
    SHA1: 980b7a79cf01711139296f28cd4b4dffefa731e1
    SHA256: 65c61557367dd1b4f556b78a2dab9b58b690ceeffc6271d8b580d2d3c894388c
    SHA512: a4c59008e1efd4b858539f9b5f237e1f1f8207f9b8a0a7ca2d89f374926ab8fe2f77589cfa6c367b0a5060116addc55792250f68daba9235e1c6860917785424

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore.jsonlz4
    Filesize: 580B
    MD5: 1149f6d89cbca1f7a18e7d20991558c4
    SHA1: a1aa9df68fbd3bc993aa9c8cd27d1ab3c4533784
    SHA256: 49b331370140e837139ffbc7211e52adbb44406562d4826a1951c3217f1f3450
    SHA512: 000aa357cdf2b009d7246c753ff4d371a96e66aca8281e462a6e14336f44dd9fd4f6ce8761781447dc571481529c1016d15c31f05075b03293e4d7dbc7c9e7eb

  • C:\Users\Admin\Downloads\MrsMajor3.0.exe
    Filesize: 22.1MB
    MD5: f2fe1f7dc11f7c2b0e9fec2330b7aaee
    SHA1: 8c2aa931e4bdc36d9e8885794525d3e12910580d
    SHA256: 074d2a88cc8e779f9ef59a545d37211208c1cf326fdab227dba61b6d8a98bda0
    SHA512: 8f72c7c68a68e2cc3ef2361b2fa3b4639cad741c4614d21b1188b2a4c3df90e53826749f6435fd58b84b9378761caab6815db3451753219f58c1f0780d7b49c9

  • C:\Users\Admin\Downloads\MrsMajor3.Ms13zc5g.0.exe.part
    Filesize: 10.6MB
    MD5: 37df5013673dd7906795e29fcdbe93e6
    SHA1: 591d9ceac252302657ce462e06edf063e6fd5bd1
    SHA256: 1cf4b19b49041224abe820ebfbaeed4cdcc48d547e9cfa18d347778265c6a804
    SHA512: a1ea21234cb503a59e033d4859c10fa08e286df6652a72c2f4ff7e44ad9f96bab892de84d3f826e2acb810d3d9a1164696e867ab459cab201dc9a90062b7f417

  • \Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe
    Filesize: 22.0MB
    MD5: 44758e777110e8f80f7a31e802716f23
    SHA1: 06e6a9745572fa6e0ce7a93c1d3f564ffc95c365
    SHA256: 45d64586e97e7200705db1072e92a376495d74f6c364763f3eb98dc3df6ce45f
    SHA512: 3a828f5a789cbe78ece5a4d21be30bce677b54e521f013df5f2bd02eede5a28f935710c04bd8e77de8ab2e172148187e10c7d667ea60f5190ad2b91e9e04624e

  • memory/1588-152-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
    Filesize: 4KB

  • memory/1588-153-0x0000000000AF0000-0x000000000211A000-memory.dmp
    Filesize: 22.2MB

  • memory/1588-154-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize: 6.9MB

  • memory/1588-167-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize: 6.9MB

  • memory/1588-168-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize: 6.9MB

  • memory/1996-169-0x000007FEF39A3000-0x000007FEF39A4000-memory.dmp
    Filesize: 4KB

  • memory/1996-170-0x0000000000BA0000-0x00000000021A4000-memory.dmp
    Filesize: 22.0MB