Malware Analysis Report

2024-11-30 15:56

Sample ID 221220-bqnchsge45
Target ez panel v1.00.exe
SHA256 29d15fe37016d36b92515e8fa662e4716fbceb997f8fc4953ccf44f3044751f8
Tags
mercurialgrabber evasion spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

29d15fe37016d36b92515e8fa662e4716fbceb997f8fc4953ccf44f3044751f8

Threat Level: Known bad

The file ez panel v1.00.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber evasion spyware stealer

Mercurialgrabber family

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Reads user/profile data of web browsers

Checks BIOS information in registry

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Program crash

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 01:21

Signatures

Mercurialgrabber family

mercurialgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 01:21

Reported

2022-12-20 01:23

Platform

win7-20220901-en

Max time kernel

44s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe
PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe
PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe

"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1056 -s 1184

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.135.232:443 | discord.com | tcp

Files

memory/1056-54-0x00000000012D0000-0x0000000001304000-memory.dmp

memory/1964-55-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 01:21

Reported

2022-12-20 01:23

Platform

win10v2004-20220812-en

Max time kernel

87s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe

"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 4460 -ip 4460

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4460 -s 1832

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.136.232:443 | discord.com | tcp
N/A | 40.79.141.153:443 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.220.29:80 | | tcp

Files

memory/4460-132-0x0000000000460000-0x0000000000494000-memory.dmp

memory/4460-133-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/4460-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp