Analysis
- max time kernel: 160s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 23:20

Static task: static1
Behavioral task: behavioral1
- Sample: 4e6984054c17293752f8d11ccac45e70.exe
- Resource: win7-20220812-en
General
- Target: 4e6984054c17293752f8d11ccac45e70.exe
- Size: 159KB
- MD5: 4e6984054c17293752f8d11ccac45e70
- SHA1: 96b45cc928488f23eb485ebd72f1276996c7f785
- SHA256: 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
- SHA512: 978e885d724fd91553483a077979f940a9349e45fce08b4a39c5cac25a5a75e0dd27b166b4724be19a435beef780ad8f866787035944285222385623af1ce9a5
- SSDEEP: 3072:C6x5F6chV9MBOefbGEKr2fewpgsRMCo1pn2A3PM+:CK6u9p3EKbwhRMCkp
Malware Config

Extracted: mercurialgrabber
- Webhook: https://discord.com/api/webhooks/1020039781461270569/vy0h8kS-gC86OffrPKkierhCOJQYdMCGfu4Dr7HRyL4VcCHEP6llcvNaOkPDg-SgwAnl

Extracted: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: Ni50Y3AuZXUubmdyb2suaW8Strik:MTM5OTI=
- Mutex: dcc8f8f212bdcee4931d8d1d2c481753
- reg_key: dcc8f8f212bdcee4931d8d1d2c481753
- splitter: |'|'|
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: output.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (output.exe)

Executes dropped EXE (2 IoCs)
Processes:
- PID 4988 output.exe
- PID 2268 Windows Defender.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: output.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools (output.exe)

Modifies Windows Firewall (1 TTP, 3 IoCs)
Processes:
- PID 4580 netsh.exe
- PID 3184 netsh.exe
- PID 4852 netsh.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: output.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (output.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 4e6984054c17293752f8d11ccac45e70.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (4e6984054c17293752f8d11ccac45e70.exe)

Drops startup file (2 IoCs)
Processes: Windows Defender.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Windows Defender.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Windows Defender.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 8: ip4.seeip.org
- flow 24: ip-api.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: output.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (output.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (output.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
- PID 2684 WerFault.exe, target PID 4988 output.exe

Checks SCSI registry key(s) (3 TTPs, 1 IoC)
SCSI information is often read in order to detect sandboxing environments.
Processes: output.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (output.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: output.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (output.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (output.exe)

Delays execution with timeout.exe (5 IoCs)
Processes:
- PID 1920 timeout.exe
- PID 3068 timeout.exe
- PID 4452 timeout.exe
- PID 2732 timeout.exe
- PID 4276 timeout.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: output.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 (output.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation (output.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer (output.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName (output.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 4500 powershell.exe (2 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 2268 Windows Defender.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 4988 output.exe
- Token: SeDebugPrivilege, PID 4500 powershell.exe
- Token: SeDebugPrivilege, PID 2268 Windows Defender.exe
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, PID 2268 Windows Defender.exe, the pair repeated 14 times (28 events)

Suspicious use of WriteProcessMemory (44 IoCs)
Source PID and process -> target PID and process (number of write events):
- 2544 4e6984054c17293752f8d11ccac45e70.exe -> 4500 powershell.exe (3)
- 2544 4e6984054c17293752f8d11ccac45e70.exe -> 4988 output.exe (2)
- 2544 4e6984054c17293752f8d11ccac45e70.exe -> 2268 Windows Defender.exe (3)
- 2544 4e6984054c17293752f8d11ccac45e70.exe -> 832 cmd.exe (3)
- 832 cmd.exe -> 4004 chcp.com (3)
- 832 cmd.exe -> 3668 mode.com (3)
- 832 cmd.exe -> 4452 timeout.exe (3)
- 832 cmd.exe -> 2732 timeout.exe (3)
- 832 cmd.exe -> 4276 timeout.exe (3)
- 832 cmd.exe -> 1920 timeout.exe (3)
- 832 cmd.exe -> 3068 timeout.exe (3)
- 2268 Windows Defender.exe -> 4580 netsh.exe (3)
- 832 cmd.exe -> 1276 mode.com (3)
- 2268 Windows Defender.exe -> 3184 netsh.exe (3)
- 2268 Windows Defender.exe -> 4852 netsh.exe (3)
Processes

C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
    The -EncodedCommand argument above decodes (base64, UTF-16LE) to: <#clz#>Add-MpPreference <#eug#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#xiz#> -Force <#llc#>
    That is, it adds Microsoft Defender path exclusions covering the whole user profile and the system drive; the <#...#> block comments between tokens are filler with no effect.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\output.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\output.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\WerFault.exe (level 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 4988 -s 2036
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (level 3)
      Command line: chcp 65001

    C:\Windows\SysWOW64\mode.com (level 3)
      Command line: mode 80,15

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\mode.com (level 3)
      Command line: mode 130,30

C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 4988 -ip 4988
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
- Filesize: 93KB
- MD5: 0c6c4a3d96c78a24d6568b83e141896e
- SHA1: f5fb76840cb984722f61b370fb6641fa4ad9ac7e
- SHA256: 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7
- SHA512: 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be

C:\Users\Admin\AppData\Local\Temp\output.exe
- Filesize: 41KB
- MD5: 5f34fc15a6555433e91d8dc0564d2092
- SHA1: dc786e4ddf9af8de8909da2489d2848dd39f762a
- SHA256: c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c
- SHA512: fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238

C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat
- Filesize: 19KB
- MD5: 4b4e566a986fe97ba2d89f9c64a24c64
- SHA1: 18bba3d5058b4b53fc99f9fba94110f4e8f8c2ea
- SHA256: 2950d0e125c3d1d11be27388ca83ef5d3fbcd71e49c0ed4eb0e0373340707a97
- SHA512: 32e39cbd0ba54cd1bcf25158774a44060d65bdeef9de0986be5267c3da229d8e743afaa67b98492172b7b59cd3fb0cf9e0c5dc149651a3518479ac8af677cee8