mercurialgrabber | 708b43bf82bcdfbb1e69e7304e9cebc6d93f1bf41f323ea324a2680439a65059

Resubmissions

20-09-2022 07:09

220920-hzaw4scbh8 10

Analysis

max time kernel
19s
max time network
18s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-09-2022 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamesense.exe
Size

42KB
MD5

6448b01d93a9e5a9742c502bc55a5fa6
SHA1

c6370a76f787c5e00f3285661e48ec2d119ceb61
SHA256

708b43bf82bcdfbb1e69e7304e9cebc6d93f1bf41f323ea324a2680439a65059
SHA512

73bba2a50fc6f2e867f031d0fed87b943c9d912827e44f5fd02e6f7b54e389f5fbd9237f1c26aeab08bac09df1ad0c49265779f07bc31ca9b789bbb8d960d710
SSDEEP

384:/EKq4RXR2iYeQj15jRMdRRSgxfYTxUs/XZxIh/3oJEFq5nmtjTAsQKQsLd/SfgUf://ErORMfiuZBLUjTjQKZKfgm3EhBA

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/988865232166342696/iJ0tnhVZRP1yseNXNTzXGYDaQXwQjFYvvlHL82pQJvxCF1Jo0Ew-qVlBfQ-LpAf_17JJ

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

gamesense.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions gamesense.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

gamesense.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools gamesense.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

gamesense.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion gamesense.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip4.seeip.org
3 ip4.seeip.org
4 ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	gamesense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	gamesense.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gamesense.exe

flow	ioc
2	ip4.seeip.org
3	ip4.seeip.org
4	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gamesense.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	gamesense.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	gamesense.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

gamesense.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S gamesense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	gamesense.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gamesense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	gamesense.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamesense.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

gamesense.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	gamesense.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	gamesense.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	gamesense.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	gamesense.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gamesense.exe

description pid process

Token: SeDebugPrivilege 2432 gamesense.exe

description	pid	process
Token: SeDebugPrivilege	2432	gamesense.exe

C:\Users\Admin\AppData\Local\Temp\gamesense.exe
"C:\Users\Admin\AppData\Local\Temp\gamesense.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\UninstallConvertTo.xltx"
1⤵
PID:4780