a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
138s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/MercuryXhoffle.exe
Size

6.0MB
MD5

f72d4ee1ff7439bda08ce89b606a6f08
SHA1

40673463d8fe4ac1b53c5e35642e6a67fe252c41
SHA256

15bd99bd0c7c8a7c5836e687db2d7eded6195491df7e5f04633e33e66ae8361c
SHA512

c8b3b3ee73de22492e1455bc68405924861ff2814ff2bcf627df04712f33d30d3e63a3835f8b6b41bd254269e22c4da6d655fb718d6b4e97c9a2706ff8040976
SSDEEP

98304:lgJZv2O7hzxNA5P7Mb5mXHMDU+WDwL0ubziP7Us8F2m5rylw/ViFkfGOzNL3kz3f:OJ92OH6Zwb58wU+WDFFu2XlwXGKNLEjr

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

MercuryXhoffle.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	MercuryXhoffle.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

bootrec.exe

pid process

1812 bootrec.exe

pid	process
1812	bootrec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MercuryXhoffle.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MercuryXhoffle.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bootrec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	bootrec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bootrec.exe"	bootrec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

bootrec.exe

description ioc process

File opened for modification \??\PhysicalDrive0 bootrec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1424 1648 WerFault.exe MercuryXhoffle.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	bootrec.exe

pid	pid_target	process	target process
1424	1648	WerFault.exe	MercuryXhoffle.exe

pid	process
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MercuryXhoffle.exe

pid	process
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

MercuryXhoffle.exeAUDIODG.EXEdw20.exe

description	pid	process
Token: SeDebugPrivilege	1648	MercuryXhoffle.exe
Token: SeDebugPrivilege	1648	MercuryXhoffle.exe
Token: 33	116	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	116	AUDIODG.EXE
Token: SeBackupPrivilege	1144	dw20.exe
Token: SeBackupPrivilege	1144	dw20.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

MercuryXhoffle.exe

pid	process
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe
1648	MercuryXhoffle.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MercuryXhoffle.exebootrec.exe

description	pid	process	target process
PID 1648 wrote to memory of 1812	1648	MercuryXhoffle.exe	bootrec.exe
PID 1648 wrote to memory of 1812	1648	MercuryXhoffle.exe	bootrec.exe
PID 1648 wrote to memory of 1812	1648	MercuryXhoffle.exe	bootrec.exe
PID 1812 wrote to memory of 2016	1812	bootrec.exe	schtasks.exe
PID 1812 wrote to memory of 2016	1812	bootrec.exe	schtasks.exe
PID 1812 wrote to memory of 2016	1812	bootrec.exe	schtasks.exe
PID 1648 wrote to memory of 1144	1648	MercuryXhoffle.exe	dw20.exe
PID 1648 wrote to memory of 1144	1648	MercuryXhoffle.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\bootrec.exe
"C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
3⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2160
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1648 -s 2324
2⤵
- Program crash
PID:1424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x380
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1648 -ip 1648
1⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bootrec.exe
Filesize
167KB

MD5
f14b989516f256db1befee3dee508f55

SHA1
fbd2c6b1d783debb9a69c5766d3672138e24e127

SHA256
c88dbbd0002395beaeaef3f855790abef3430d76307953825745339bdc1f9388

SHA512
bfa84b7837d3bcda55571710289092af7e6cb7ee48b21a2a032d24b495ddbe9259c07eeceb58fb2a5ac4482e2b120259fe5b95162eb632228c86516f41bf035e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bootrec.exe
Filesize
167KB

MD5
f14b989516f256db1befee3dee508f55

SHA1
fbd2c6b1d783debb9a69c5766d3672138e24e127

SHA256
c88dbbd0002395beaeaef3f855790abef3430d76307953825745339bdc1f9388

SHA512
bfa84b7837d3bcda55571710289092af7e6cb7ee48b21a2a032d24b495ddbe9259c07eeceb58fb2a5ac4482e2b120259fe5b95162eb632228c86516f41bf035e

Download Submit
memory/1144-213-0x0000000000000000-mapping.dmp

Download
memory/1648-168-0x0000000020C51000-0x0000000020C58000-memory.dmp

Filesize
28KB

Download
memory/1648-149-0x0000000020C80000-0x0000000020C89000-memory.dmp

Filesize
36KB

Download
memory/1648-139-0x0000000020C50000-0x0000000020C54000-memory.dmp

Filesize
16KB

Download
memory/1648-138-0x00000000016B9000-0x00000000016BF000-memory.dmp

Filesize
24KB

Download
memory/1648-140-0x0000000020C50000-0x0000000020C54000-memory.dmp

Filesize
16KB

Download
memory/1648-141-0x0000000020C54000-0x0000000020C57000-memory.dmp

Filesize
12KB

Download
memory/1648-143-0x0000000020C5A000-0x0000000020C5F000-memory.dmp

Filesize
20KB

Download
memory/1648-167-0x0000000020C51000-0x0000000020C69000-memory.dmp

Filesize
96KB

Download
memory/1648-142-0x0000000020C57000-0x0000000020C5A000-memory.dmp

Filesize
12KB

Download
memory/1648-145-0x0000000020C64000-0x0000000020C69000-memory.dmp

Filesize
20KB

Download
memory/1648-146-0x0000000020C69000-0x0000000020C6E000-memory.dmp

Filesize
20KB

Download
memory/1648-147-0x0000000020C6E000-0x0000000020C77000-memory.dmp

Filesize
36KB

Download
memory/1648-148-0x0000000020C77000-0x0000000020C80000-memory.dmp

Filesize
36KB

Download
memory/1648-169-0x0000000020C72000-0x0000000020C81000-memory.dmp

Filesize
60KB

Download
memory/1648-150-0x00000000016B9000-0x00000000016BE000-memory.dmp

Filesize
20KB

Download
memory/1648-151-0x0000000020C51000-0x0000000020C69000-memory.dmp

Filesize
96KB

Download
memory/1648-152-0x0000000020C72000-0x0000000020C81000-memory.dmp

Filesize
60KB

Download
memory/1648-170-0x0000000020C5A000-0x0000000020C69000-memory.dmp

Filesize
60KB

Download
memory/1648-154-0x0000000020C81000-0x0000000020C91000-memory.dmp

Filesize
64KB

Download
memory/1648-156-0x0000000020C57000-0x0000000020C5A000-memory.dmp

Filesize
12KB

Download
memory/1648-158-0x0000000020C5F000-0x0000000020C64000-memory.dmp

Filesize
20KB

Download
memory/1648-157-0x0000000020C5A000-0x0000000020C5F000-memory.dmp

Filesize
20KB

Download
memory/1648-155-0x0000000020C54000-0x0000000020C57000-memory.dmp

Filesize
12KB

Download
memory/1648-159-0x0000000020C51000-0x0000000020C54000-memory.dmp

Filesize
12KB

Download
memory/1648-160-0x0000000020C64000-0x0000000020C69000-memory.dmp

Filesize
20KB

Download
memory/1648-161-0x0000000020C54000-0x0000000020C69000-memory.dmp

Filesize
84KB

Download
memory/1648-162-0x0000000020C6E000-0x0000000020C77000-memory.dmp

Filesize
36KB

Download
memory/1648-163-0x0000000020C77000-0x0000000020C80000-memory.dmp

Filesize
36KB

Download
memory/1648-164-0x0000000020C80000-0x0000000020C89000-memory.dmp

Filesize
36KB

Download
memory/1648-165-0x00000000016B9000-0x00000000016BC000-memory.dmp

Filesize
12KB

Download
memory/1648-166-0x0000000020C81000-0x0000000020C91000-memory.dmp

Filesize
64KB

Download
memory/1648-132-0x00007FFB914B0000-0x00007FFB91EE6000-memory.dmp

Filesize
10.2MB

Download
memory/1648-144-0x0000000020C5F000-0x0000000020C64000-memory.dmp

Filesize
20KB

Download
memory/1648-137-0x00000000016B9000-0x00000000016BF000-memory.dmp

Filesize
24KB

Download
memory/1648-153-0x00000000016B9000-0x00000000016BE000-memory.dmp

Filesize
20KB

Download
memory/1648-171-0x0000000020C69000-0x0000000020C78000-memory.dmp

Filesize
60KB

Download
memory/1648-172-0x00000000016B9000-0x00000000016BE000-memory.dmp

Filesize
20KB

Download
memory/1648-173-0x0000000020C81000-0x0000000020C91000-memory.dmp

Filesize
64KB

Download
memory/1648-174-0x0000000020C51000-0x0000000020C54000-memory.dmp

Filesize
12KB

Download
memory/1648-175-0x0000000020C54000-0x0000000020C69000-memory.dmp

Filesize
84KB

Download
memory/1648-176-0x0000000020C75000-0x0000000020C78000-memory.dmp

Filesize
12KB

Download
memory/1648-177-0x0000000020C83000-0x0000000020C91000-memory.dmp

Filesize
56KB

Download
memory/1648-178-0x00000000016B9000-0x00000000016BC000-memory.dmp

Filesize
12KB

Download
memory/1648-179-0x0000000020C51000-0x0000000020C58000-memory.dmp

Filesize
28KB

Download
memory/1648-180-0x0000000020C5A000-0x0000000020C69000-memory.dmp

Filesize
60KB

Download
memory/1648-181-0x0000000020C69000-0x0000000020C78000-memory.dmp

Filesize
60KB

Download
memory/1648-182-0x0000000020C83000-0x0000000020C91000-memory.dmp

Filesize
56KB

Download
memory/1648-183-0x0000000020C75000-0x0000000020C7A000-memory.dmp

Filesize
20KB

Download
memory/1648-184-0x0000000020C83000-0x0000000020C91000-memory.dmp

Filesize
56KB

Download
memory/1648-185-0x0000000020C51000-0x0000000020C54000-memory.dmp

Filesize
12KB

Download
memory/1648-186-0x0000000020C5A000-0x0000000020C5D000-memory.dmp

Filesize
12KB

Download
memory/1648-187-0x0000000020C5D000-0x0000000020C6C000-memory.dmp

Filesize
60KB

Download
memory/1648-189-0x00000000016BB000-0x00000000016BE000-memory.dmp

Filesize
12KB

Download
memory/1648-188-0x0000000020C69000-0x0000000020C6C000-memory.dmp

Filesize
12KB

Download
memory/1648-190-0x0000000020C51000-0x0000000020C60000-memory.dmp

Filesize
60KB

Download
memory/1648-191-0x0000000020C83000-0x0000000020C91000-memory.dmp

Filesize
56KB

Download
memory/1648-192-0x0000000020C75000-0x0000000020C91000-memory.dmp

Filesize
112KB

Download
memory/1648-193-0x0000000020C51000-0x0000000020C54000-memory.dmp

Filesize
12KB

Download
memory/1648-195-0x0000000020C5A000-0x0000000020C5D000-memory.dmp

Filesize
12KB

Download
memory/1648-196-0x0000000020C5D000-0x0000000020C6C000-memory.dmp

Filesize
60KB

Download
memory/1648-194-0x0000000020C59000-0x0000000020C5C000-memory.dmp

Filesize
12KB

Download
memory/1648-197-0x00000000016BB000-0x00000000016BE000-memory.dmp

Filesize
12KB

Download
memory/1648-198-0x0000000020C51000-0x0000000020C60000-memory.dmp

Filesize
60KB

Download
memory/1648-199-0x0000000020C75000-0x0000000020C88000-memory.dmp

Filesize
76KB

Download
memory/1648-200-0x0000000020C87000-0x0000000020C91000-memory.dmp

Filesize
40KB

Download
memory/1812-133-0x0000000000000000-mapping.dmp

Download
memory/2016-136-0x0000000000000000-mapping.dmp

Download