Overview

overview

7

Static

static

Mercurial.exe

windows7_x64

7

Mercurial.exe

windows10_x64

7

Analysis

  • max time kernel
    78s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    26-09-2021 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mercurial.exe

  • Size

    7.9MB

  • MD5

    8cad58c674edbe5bafe3a7f3b690e450

  • SHA1

    ba629864335ffef2a62808384087deb45342b755

  • SHA256

    7900f7e9e009679cb581de76d7535e55ec92ac7aca7074dbdb24c6e28baf7b0e

  • SHA512

    e0a5936c75920cd35e2ee96d7810c932a77a5cdc7752e75af660069ba88016cbb75dcd17fe944e86ecdd6083e1066dab4abb4ebd36bb019d81982cc39653a125

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\system32\nslookup.exe
      nslookup -type=mx 154.61.71.51
      2⤵
        PID:1452

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1452-53-0x0000000000000000-mapping.dmp
      Download