Overview

overview

10

Static

static

1ea3b43e8a...d5.exe

windows7-x64

10

1ea3b43e8a...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ea3b43e8a8ce761479e26f94ccf9bd5.exe

  • Size

    8.8MB

  • MD5

    1ea3b43e8a8ce761479e26f94ccf9bd5

  • SHA1

    5936e36c3dd39216803c72e0841da6f6df256291

  • SHA256

    5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b

  • SHA512

    c3bfcb88839ee2d3eedda32fbdd72dbc6b29ccf8217a265eb3edd19a0b4259a273343035296ac8b34d72bcdcd28697dee509107eb99f8cd6a59bb046dbee4e59

  • SSDEEP

    196608:dCdbOITPSUUpIS9u/pRDXvQhAJ4TsHhGgXZQWYhr5bi:WjTPlcI1XDXv8A2TsBGgX

Score
10/10
matiexmercurialgrabbercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/835255995735343134/XNe_EsIHeOwVdqPUaV7pv4uxkib5RHnv_Tn6JCr4hEBupeIfyQN2tRINJsXKij_tI_Ec

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main payload 3 IoCs
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe
    "C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
      "C:\Users\Admin\AppData\Local\Temp\msvcp140.exe"
      2⤵
      • Executes dropped EXE
      PID:4912
    • C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
      "C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3296
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3296 -s 2052
        3⤵
        • Program crash
        PID:4228
    • C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
      "C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 2144
        3⤵
        • Program crash
        PID:4704
    • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
      "C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 100
        3⤵
        • Runs ping.exe
        PID:2124
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 900
        3⤵
        • Runs ping.exe
        PID:1504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 740 -ip 740
    1⤵
      PID:2356
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 428 -p 3296 -ip 3296
      1⤵
        PID:2464

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
        Filesize

        448KB

        MD5

        78942c6e318b0c460c37069695742d4a

        SHA1

        fc31e2c1887f95d19d8331ff0945688c7fec32c5

        SHA256

        c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

        SHA512

        0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
        Filesize

        448KB

        MD5

        78942c6e318b0c460c37069695742d4a

        SHA1

        fc31e2c1887f95d19d8331ff0945688c7fec32c5

        SHA256

        c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

        SHA512

        0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
        Filesize

        8.7MB

        MD5

        13e5efd3938a8fedcfb0820e5593dc4e

        SHA1

        3376481dda6c0349a2a377a98434b30d9f2bde20

        SHA256

        e56c11e2ca383b47312ffe202c0fb7defb89bf8b303d67359a282f0a994ca92c

        SHA512

        d944adc95fc8230a11724e355ea8ac8ddfaf8373f5a7ab622ac9c7015bd1abb0aca64b9ead957f83994a73000cf2856f80bb61f944334d3b09b0de229d1452cd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
        Filesize

        8.7MB

        MD5

        13e5efd3938a8fedcfb0820e5593dc4e

        SHA1

        3376481dda6c0349a2a377a98434b30d9f2bde20

        SHA256

        e56c11e2ca383b47312ffe202c0fb7defb89bf8b303d67359a282f0a994ca92c

        SHA512

        d944adc95fc8230a11724e355ea8ac8ddfaf8373f5a7ab622ac9c7015bd1abb0aca64b9ead957f83994a73000cf2856f80bb61f944334d3b09b0de229d1452cd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
        Filesize

        8KB

        MD5

        324c2e555431e860fac2b2bfc04adb1d

        SHA1

        c1f4215f0452f1d96c92ee324bc2cef999294874

        SHA256

        cb2079641bb1bac84ed28836bb03817e09017553e412e26d166673459ad4c688

        SHA512

        07fac78b65341498eaea79e46bdeed74d516db58d66c03b6a5e7fb0ae5d99cf9d4255472fcfed13a14d3b2734b602f95e84796a761c5231a418a137d3fbdc500

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
        Filesize

        8KB

        MD5

        324c2e555431e860fac2b2bfc04adb1d

        SHA1

        c1f4215f0452f1d96c92ee324bc2cef999294874

        SHA256

        cb2079641bb1bac84ed28836bb03817e09017553e412e26d166673459ad4c688

        SHA512

        07fac78b65341498eaea79e46bdeed74d516db58d66c03b6a5e7fb0ae5d99cf9d4255472fcfed13a14d3b2734b602f95e84796a761c5231a418a137d3fbdc500

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
        Filesize

        41KB

        MD5

        458168047894c09ae76b0add79c7122d

        SHA1

        4e291744275e8e9006c15d03489e0b252592a817

        SHA256

        99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949

        SHA512

        fcdad8b12068cd6f1da8a6ab1cab610aa383a1f86aaf4523122e3ce0fd9ab7315fc6c239259860ab13dd83342c75c7aa18c997bc7eaefa445a77bdb7eb14ff61

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
        Filesize

        41KB

        MD5

        458168047894c09ae76b0add79c7122d

        SHA1

        4e291744275e8e9006c15d03489e0b252592a817

        SHA256

        99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949

        SHA512

        fcdad8b12068cd6f1da8a6ab1cab610aa383a1f86aaf4523122e3ce0fd9ab7315fc6c239259860ab13dd83342c75c7aa18c997bc7eaefa445a77bdb7eb14ff61

        Download Submit
      • memory/740-147-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/740-139-0x0000000000000000-mapping.dmp
        Download
      • memory/740-157-0x0000000005350000-0x00000000058F4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/740-159-0x0000000004E10000-0x0000000004E76000-memory.dmp
        Filesize

        408KB

        Download
      • memory/740-145-0x0000000000420000-0x0000000000496000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1168-151-0x0000000000000000-mapping.dmp
        Download
      • memory/1504-160-0x0000000000000000-mapping.dmp
        Download
      • memory/1700-148-0x0000000000000000-mapping.dmp
        Download
      • memory/1700-154-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1700-161-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1700-152-0x0000000000520000-0x0000000000DDA000-memory.dmp
        Filesize

        8.7MB

        Download
      • memory/2124-156-0x0000000000000000-mapping.dmp
        Download
      • memory/3296-146-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3296-155-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3296-143-0x0000000000390000-0x00000000003A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3296-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3296-162-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3904-153-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3904-132-0x0000000000FD0000-0x00000000018A8000-memory.dmp
        Filesize

        8.8MB

        Download
      • memory/3904-158-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3904-133-0x00007FFAD99E0000-0x00007FFADA4A1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4912-144-0x0000000000B00000-0x0000000000B08000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4912-134-0x0000000000000000-mapping.dmp
        Download