mercurialgrabber | f4fcee629d0cff0f3ef2293353bd65945f5d022872692084a2070a2be45b6955

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nitro Generator.exe
Size

42KB
MD5

f876e8abb41050c1804a7a27472539f6
SHA1

e43ac116f0960c99d9f99d4f07c1f39adc3788f1
SHA256

f4fcee629d0cff0f3ef2293353bd65945f5d022872692084a2070a2be45b6955
SHA512

3bdd94636d7732b2714b08d92bb84850e69222f470ba34f3c82771d81b79ddc9b85419c1c4458c767f72719bedfaf2e7548835e28d1499292e77d207ffea10e9
SSDEEP

768:NiSbjAuRHCBuZMhLfvTjMLKZKfgm3Ehat:Nt9RHCrLfvTYLF7EAt

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1025859706373296138/RTELJNdCxYhdj6ZzM2cwNuXYgqUFjRz_CmoH5uJORXdkYOcKOXWAB79omPP_FUG0WzNG

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Nitro Generator.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Nitro Generator.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Nitro Generator.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Nitro Generator.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Nitro Generator.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Nitro Generator.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Nitro Generator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Nitro Generator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Nitro Generator.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Nitro Generator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Nitro Generator.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Nitro Generator.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 864 WerFault.exe Nitro Generator.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Nitro Generator.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Nitro Generator.exe

pid	pid_target	process	target process
2008	864	WerFault.exe	Nitro Generator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Nitro Generator.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nitro Generator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Nitro Generator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Nitro Generator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Nitro Generator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Nitro Generator.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Nitro Generator.exe

description pid process

Token: SeDebugPrivilege 864 Nitro Generator.exe

description	pid	process
Token: SeDebugPrivilege	864	Nitro Generator.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Nitro Generator.exe

description	pid	process	target process
PID 864 wrote to memory of 2008	864	Nitro Generator.exe	WerFault.exe
PID 864 wrote to memory of 2008	864	Nitro Generator.exe	WerFault.exe
PID 864 wrote to memory of 2008	864	Nitro Generator.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 864 -s 1216
2⤵
- Program crash
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-54-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download