Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
14-07-2021 22:41
Static task
static1
Behavioral task
behavioral1
Sample
Mercurial.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Mercurial.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
Mercurial.exe
-
Size
3.2MB
-
MD5
a9477b3e21018b96fc5d2264d4016e65
-
SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7
-
SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
-
SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
Score
7/10
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 11 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/1820-62-0x0000000000480000-0x0000000000499000-memory.dmp agile_net behavioral1/memory/1820-63-0x00000000004E0000-0x00000000004FD000-memory.dmp agile_net behavioral1/memory/1820-64-0x0000000000970000-0x000000000098B000-memory.dmp agile_net behavioral1/memory/1820-65-0x0000000000990000-0x000000000099C000-memory.dmp agile_net behavioral1/memory/1820-66-0x00000000009C0000-0x00000000009D0000-memory.dmp agile_net behavioral1/memory/1820-67-0x0000000004AD0000-0x0000000004B3A000-memory.dmp agile_net behavioral1/memory/1820-68-0x00000000009D0000-0x00000000009EA000-memory.dmp agile_net behavioral1/memory/1820-69-0x0000000000A60000-0x0000000000A92000-memory.dmp agile_net behavioral1/memory/1820-71-0x0000000000AA0000-0x0000000000AAA000-memory.dmp agile_net behavioral1/memory/1820-72-0x0000000000AB0000-0x0000000000ABA000-memory.dmp agile_net behavioral1/memory/1820-73-0x0000000004EA0000-0x0000000004FE5000-memory.dmp agile_net -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Mercurial.exepid process 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe 1820 Mercurial.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Mercurial.exedescription pid process Token: SeDebugPrivilege 1820 Mercurial.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1820-60-0x0000000000FC0000-0x0000000000FC1000-memory.dmpFilesize
4KB
-
memory/1820-62-0x0000000000480000-0x0000000000499000-memory.dmpFilesize
100KB
-
memory/1820-63-0x00000000004E0000-0x00000000004FD000-memory.dmpFilesize
116KB
-
memory/1820-64-0x0000000000970000-0x000000000098B000-memory.dmpFilesize
108KB
-
memory/1820-65-0x0000000000990000-0x000000000099C000-memory.dmpFilesize
48KB
-
memory/1820-66-0x00000000009C0000-0x00000000009D0000-memory.dmpFilesize
64KB
-
memory/1820-67-0x0000000004AD0000-0x0000000004B3A000-memory.dmpFilesize
424KB
-
memory/1820-68-0x00000000009D0000-0x00000000009EA000-memory.dmpFilesize
104KB
-
memory/1820-69-0x0000000000A60000-0x0000000000A92000-memory.dmpFilesize
200KB
-
memory/1820-70-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/1820-71-0x0000000000AA0000-0x0000000000AAA000-memory.dmpFilesize
40KB
-
memory/1820-72-0x0000000000AB0000-0x0000000000ABA000-memory.dmpFilesize
40KB
-
memory/1820-73-0x0000000004EA0000-0x0000000004FE5000-memory.dmpFilesize
1.3MB
-
memory/1820-74-0x0000000005310000-0x0000000005424000-memory.dmpFilesize
1.1MB
-
memory/1820-75-0x0000000000F90000-0x0000000000FBA000-memory.dmpFilesize
168KB
-
memory/1820-76-0x0000000006340000-0x0000000006346000-memory.dmpFilesize
24KB
-
memory/1820-78-0x0000000004B86000-0x0000000004B97000-memory.dmpFilesize
68KB
-
memory/1820-77-0x0000000004B81000-0x0000000004B82000-memory.dmpFilesize
4KB