Analysis
max time kernel: 147s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 17:09
Behavioral task: behavioral1
Sample: 0x000b00000001230f-61.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 0x000b00000001230f-61.exe
Resource: win10v2004-20220812-en
General
Target: 0x000b00000001230f-61.exe
Size: 41KB
MD5: 458168047894c09ae76b0add79c7122d
SHA1: 4e291744275e8e9006c15d03489e0b252592a817
SHA256: 99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949
SHA512: fcdad8b12068cd6f1da8a6ab1cab610aa383a1f86aaf4523122e3ce0fd9ab7315fc6c239259860ab13dd83342c75c7aa18c997bc7eaefa445a77bdb7eb14ff61
SSDEEP: 768:TscG4ApfT6aSXpDXswouZkeiWTj/KZKfgm3EhzF:IcKfnSXceiWTbF7EJF
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/835255995735343134/XNe_EsIHeOwVdqPUaV7pv4uxkib5RHnv_Tn6JCr4hEBupeIfyQN2tRINJsXKij_tI_Ec
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  10    ip4.seeip.org
  11    ip4.seeip.org
  13    ip-api.com
- Program crash (1 IoCs)
  Processes:
  WerFault.exe
  pid   pid_target  process       target process
  2416  3616        WerFault.exe  0x000b00000001230f-61.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  0x000b00000001230f-61.exe
  description        ioc                                                                               process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  0x000b00000001230f-61.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  0x000b00000001230f-61.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  0x000b00000001230f-61.exe
  description              pid   process
  Token: SeDebugPrivilege  3616  0x000b00000001230f-61.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0x000b00000001230f-61.exe
  "C:\Users\Admin\AppData\Local\Temp\0x000b00000001230f-61.exe"
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3616 -s 1996
    - Program crash
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 416 -p 3616 -ip 3616
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3616-132-0x00000000009C0000-0x00000000009D0000-memory.dmp (Filesize: 64KB)
- memory/3616-133-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp (Filesize: 10.8MB)
- memory/3616-134-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp (Filesize: 10.8MB)
- memory/3616-135-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp (Filesize: 10.8MB)