Analysis
-
max time kernel
52s -
max time network
55s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
07-09-2022 09:38
General
-
Target
a06603e7b38c94a412964efcdf34b3d5bbbad837459137f656094441218fcbde.exe
-
Size
49KB
-
MD5
24b4d88706c406e590165b4610eb03ed
-
SHA1
4fd9600a00d7e894474a8f8161717c8f1dd6e890
-
SHA256
a06603e7b38c94a412964efcdf34b3d5bbbad837459137f656094441218fcbde
-
SHA512
61158e62b24f5e439076f5a6919388a06b4fd6450f0802d61611ddebc11086e9b131115feaf688563ce9e25b9816e3727f9f76a9be1cc4e7f173b09363c8ba07
-
SSDEEP
768:p4gWknHb7kMW0PMowfuZ5L3jcTjfKZKfgm3EhePHgtXx3/ThaaV:p4gaME1yL3jcTLF7EcPHgth3/3V
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/877528061078278187/nHQ5HimIuHl8y3vYo0-_FPULqqY3ROm2Urf3-blMoEAl_Hty9RJmxZyXEgkxeIu8aCL-
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a06603e7b38c94a412964efcdf34b3d5bbbad837459137f656094441218fcbde.exe"C:\Users\Admin\AppData\Local\Temp\a06603e7b38c94a412964efcdf34b3d5bbbad837459137f656094441218fcbde.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1824 -s 14522⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1824-54-0x0000000000D20000-0x0000000000D32000-memory.dmpFilesize
72KB
-
memory/1944-55-0x0000000000000000-mapping.dmp