Malware Analysis Report

2024-11-30 15:54

Sample ID 221213-jv3a8sgh91
Target SynapseXCracked.exe
SHA256 016e468dcb9c8b349ea88e51564c90414e6f9dbab669d4664160fd252d6c7709
Tags
mercurialgrabber evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

016e468dcb9c8b349ea88e51564c90414e6f9dbab669d4664160fd252d6c7709

Threat Level: Known bad

The file SynapseXCracked.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber evasion spyware stealer

Mercurialgrabber family

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Program crash

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-13 08:00

Signatures

Mercurialgrabber family

mercurialgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-13 08:00

Reported

2022-12-13 08:02

Platform

win10-20220901-en

Max time kernel

52s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseXCracked.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4580 -s 1760

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\TestRegister.fon

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\TestRegister.fon

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.136.232:443 discord.com tcp
N/A 20.189.173.5:443 tcp
N/A 178.79.208.1:80 tcp

Files

memory/4580-117-0x00000000002B0000-0x00000000002C0000-memory.dmp