Analysis Overview
SHA256
29d15fe37016d36b92515e8fa662e4716fbceb997f8fc4953ccf44f3044751f8
Threat Level: Known bad
The file ez panel v1.00.exe was found to be: Known bad.
Malicious Activity Summary
Mercurialgrabber family
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Reads user/profile data of web browsers
Checks BIOS information in registry
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Program crash
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-20 01:21
Signatures
Mercurialgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 01:21
Reported
2022-12-20 01:23
Platform
win7-20220901-en
Max time kernel
44s
Max time network
48s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe |
| PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe |
| PID 1056 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe
"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1056 -s 1184
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.135.232:443 | discord.com | tcp |
Files
memory/1056-54-0x00000000012D0000-0x0000000001304000-memory.dmp
memory/1964-55-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-20 01:21
Reported
2022-12-20 01:23
Platform
win10v2004-20220812-en
Max time kernel
87s
Max time network
141s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe
"C:\Users\Admin\AppData\Local\Temp\ez panel v1.00.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4460 -ip 4460
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4460 -s 1832
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.136.232:443 | discord.com | tcp |
| N/A | 40.79.141.153:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp |
Files
memory/4460-132-0x0000000000460000-0x0000000000494000-memory.dmp
memory/4460-133-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4460-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp