mercurialgrabber | 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028

System Information Discovery

Processes:

4e6984054c17293752f8d11ccac45e70.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4e6984054c17293752f8d11ccac45e70.exe

Drops startup file 2 IoCs

Processes:

Windows Defender.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows Defender.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip4.seeip.org
24 ip-api.com

flow	ioc
8	ip4.seeip.org
24	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2684 4988 WerFault.exe output.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe

pid	pid_target	process	target process
2684	4988	WerFault.exe	output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1920 timeout.exe
3068 timeout.exe
4452 timeout.exe
2732 timeout.exe
4276 timeout.exe

pid	process
1920	timeout.exe
3068	timeout.exe
4452	timeout.exe
2732	timeout.exe
4276	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4500 powershell.exe
4500 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Defender.exe

pid process

2268 Windows Defender.exe

pid	process
4500	powershell.exe
4500	powershell.exe

pid	process
2268	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

output.exepowershell.exeWindows Defender.exe

description	pid	process
Token: SeDebugPrivilege	4988	output.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe
Token: 33	2268	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	2268	Windows Defender.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

4e6984054c17293752f8d11ccac45e70.execmd.exeWindows Defender.exe

description	pid	process	target process
PID 2544 wrote to memory of 4500	2544	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 2544 wrote to memory of 4500	2544	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 2544 wrote to memory of 4500	2544	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 2544 wrote to memory of 4988	2544	4e6984054c17293752f8d11ccac45e70.exe	output.exe
PID 2544 wrote to memory of 4988	2544	4e6984054c17293752f8d11ccac45e70.exe	output.exe
PID 2544 wrote to memory of 2268	2544	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 2544 wrote to memory of 2268	2544	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 2544 wrote to memory of 2268	2544	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 2544 wrote to memory of 832	2544	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 2544 wrote to memory of 832	2544	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 2544 wrote to memory of 832	2544	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 832 wrote to memory of 4004	832	cmd.exe	chcp.com
PID 832 wrote to memory of 4004	832	cmd.exe	chcp.com
PID 832 wrote to memory of 4004	832	cmd.exe	chcp.com
PID 832 wrote to memory of 3668	832	cmd.exe	mode.com
PID 832 wrote to memory of 3668	832	cmd.exe	mode.com
PID 832 wrote to memory of 3668	832	cmd.exe	mode.com
PID 832 wrote to memory of 4452	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 4452	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 4452	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2732	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2732	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2732	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 4276	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 4276	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 4276	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1920	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1920	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1920	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 3068	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 3068	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 3068	832	cmd.exe	timeout.exe
PID 2268 wrote to memory of 4580	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 4580	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 4580	2268	Windows Defender.exe	netsh.exe
PID 832 wrote to memory of 1276	832	cmd.exe	mode.com
PID 832 wrote to memory of 1276	832	cmd.exe	mode.com
PID 832 wrote to memory of 1276	832	cmd.exe	mode.com
PID 2268 wrote to memory of 3184	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 3184	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 3184	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 4852	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 4852	2268	Windows Defender.exe	netsh.exe
PID 2268 wrote to memory of 4852	2268	Windows Defender.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
"C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Users\Admin\AppData\Local\Temp\output.exe
"C:\Users\Admin\AppData\Local\Temp\output.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4988 -s 2036
3⤵
- Program crash
PID:2684

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4580

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
3⤵
- Modifies Windows Firewall
PID:3184

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4004

C:\Windows\SysWOW64\mode.com
mode 80,15
3⤵
PID:3668

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4452

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:4276

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1920

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3068

C:\Windows\SysWOW64\mode.com
mode 130,30
3⤵
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

8

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

7

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service