mercurialgrabber | 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028

System Information Discovery

Processes:

4e6984054c17293752f8d11ccac45e70.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4e6984054c17293752f8d11ccac45e70.exe

Drops startup file 2 IoCs

Processes:

Windows Defender.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows Defender.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip4.seeip.org
12 ip-api.com
10 ip4.seeip.org

flow	ioc
11	ip4.seeip.org
12	ip-api.com
10	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4648 4704 WerFault.exe output.exe
3836 4704 WerFault.exe output.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe

pid	pid_target	process	target process
4648	4704	WerFault.exe	output.exe
3836	4704	WerFault.exe	output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3764 timeout.exe
3644 timeout.exe
3572 timeout.exe
3160 timeout.exe
4324 timeout.exe

pid	process
3764	timeout.exe
3644	timeout.exe
3572	timeout.exe
3160	timeout.exe
4324	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4252 powershell.exe
4252 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Defender.exe

pid process

5028 Windows Defender.exe

pid	process
4252	powershell.exe
4252	powershell.exe

pid	process
5028	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

output.exepowershell.exeWindows Defender.exe

description	pid	process
Token: SeDebugPrivilege	4704	output.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe
Token: 33	5028	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	5028	Windows Defender.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

4e6984054c17293752f8d11ccac45e70.execmd.exeWindows Defender.exeoutput.exe

description	pid	process	target process
PID 4916 wrote to memory of 4252	4916	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 4916 wrote to memory of 4252	4916	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 4916 wrote to memory of 4252	4916	4e6984054c17293752f8d11ccac45e70.exe	powershell.exe
PID 4916 wrote to memory of 4704	4916	4e6984054c17293752f8d11ccac45e70.exe	output.exe
PID 4916 wrote to memory of 4704	4916	4e6984054c17293752f8d11ccac45e70.exe	output.exe
PID 4916 wrote to memory of 5028	4916	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 4916 wrote to memory of 5028	4916	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 4916 wrote to memory of 5028	4916	4e6984054c17293752f8d11ccac45e70.exe	Windows Defender.exe
PID 4916 wrote to memory of 1324	4916	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 4916 wrote to memory of 1324	4916	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 4916 wrote to memory of 1324	4916	4e6984054c17293752f8d11ccac45e70.exe	cmd.exe
PID 1324 wrote to memory of 4040	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 4040	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 4040	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 1064	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 1064	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 1064	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 4324	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 4324	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 4324	1324	cmd.exe	timeout.exe
PID 5028 wrote to memory of 4408	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 4408	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 4408	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 776	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 776	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 776	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 332	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 332	5028	Windows Defender.exe	netsh.exe
PID 5028 wrote to memory of 332	5028	Windows Defender.exe	netsh.exe
PID 1324 wrote to memory of 3764	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3764	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3764	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3644	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3644	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3644	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3572	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3572	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3572	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3160	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3160	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 3160	1324	cmd.exe	timeout.exe
PID 1324 wrote to memory of 4224	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 4224	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 4224	1324	cmd.exe	mode.com
PID 4704 wrote to memory of 4648	4704	output.exe	WerFault.exe
PID 4704 wrote to memory of 4648	4704	output.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
"C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Users\Admin\AppData\Local\Temp\output.exe
"C:\Users\Admin\AppData\Local\Temp\output.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4704 -s 1936
3⤵
- Program crash
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4704 -s 1936
3⤵
- Program crash
PID:3836

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4408

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
3⤵
- Modifies Windows Firewall
PID:776

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4040

C:\Windows\SysWOW64\mode.com
mode 80,15
3⤵
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4324

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3764

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3644

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3572

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3160

C:\Windows\SysWOW64\mode.com
mode 130,30
3⤵
PID:4224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4704 -ip 4704
1⤵
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

8

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

7

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service