stormkitty | hxxps://mega[.]nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28

General

Target

https://mega.nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\MercurialGrabber.exe	family_stormkitty
C:\Users\Admin\Downloads\MercurialGrabber.exe	family_stormkitty
behavioral1/memory/2296-122-0x0000000000240000-0x00000000003C0000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

Processes:

MercurialGrabber.exe

pid process

2296 MercurialGrabber.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

83 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2296	MercurialGrabber.exe

flow	ioc
83	checkip.dyndns.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4692 PING.EXE

pid	process
4692	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3448	chrome.exe
3448	chrome.exe
2760	chrome.exe
2760	chrome.exe
2248	chrome.exe
2248	chrome.exe
4744	chrome.exe
4744	chrome.exe
3792	chrome.exe
3792	chrome.exe
4784	chrome.exe
4784	chrome.exe
1916	chrome.exe
1916	chrome.exe
548	chrome.exe
548	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2760 chrome.exe
2760 chrome.exe
2760 chrome.exe
2760 chrome.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEMercurialGrabber.exe

description pid process

Token: 33 5096 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5096 AUDIODG.EXE
Token: SeDebugPrivilege 2296 MercurialGrabber.exe

description	pid	process
Token: 33	5096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5096	AUDIODG.EXE
Token: SeDebugPrivilege	2296	MercurialGrabber.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe
2760	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2760 wrote to memory of 3328	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3328	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3400	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3448	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 3448	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe
PID 2760 wrote to memory of 4192	2760	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc436e4f50,0x7ffc436e4f60,0x7ffc436e4f70
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4464 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5208 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1500,8309140033615129879,5547870571766875416,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:944

C:\Users\Admin\Downloads\MercurialGrabber.exe
"C:\Users\Admin\Downloads\MercurialGrabber.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
PID:4580

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3688

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:4900

C:\Windows\system32\findstr.exe
findstr All
3⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
2⤵
PID:1992

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3244

C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
3⤵
PID:3276

C:\Windows\system32\findstr.exe
findstr Key
3⤵
PID:4728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Downloads\MercurialGrabber.exe"
2⤵
PID:4540

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
1738288acdbce44e5fa3e2cefc4d3c3f

SHA1
52e02275a4c2558ec69dc71e4a0f6b6f63f7a40b

SHA256
61e9463bfebc243a199503ea0be38cdaa716222f04e2da430476e4009327b131

SHA512
1f6e8ec1c315d7c0999a34be2416c6801b06a81ed95cc997f382dda81f140d2f77f19d3a35a3596107b1397c7765addf8a0134567f9df2bc945da6094d9c0659

Download Submit
C:\Users\Admin\Downloads\MercurialGrabber.exe
Filesize
1.5MB

MD5
d37d9c9be442ccd0c5bfed73ffe498bb

SHA1
7eeb76954589ba1e6d06774eaf33c130d8bf9097

SHA256
c1c6e41bcd2493bab8c1907b2788b3d70daca87f48ffa29411ffde032330688f

SHA512
669ec75cae38cf212d84e654857dc1c89845307ae8ed097a57dc2e83729a37715e696c5f64a8e8f2e2bb6a3a99f0305a44b0f46f580ec966a4dfdf4ca586c7ba

Download Submit
C:\Users\Admin\Downloads\MercurialGrabber.exe
Filesize
1.5MB

MD5
d37d9c9be442ccd0c5bfed73ffe498bb

SHA1
7eeb76954589ba1e6d06774eaf33c130d8bf9097

SHA256
c1c6e41bcd2493bab8c1907b2788b3d70daca87f48ffa29411ffde032330688f

SHA512
669ec75cae38cf212d84e654857dc1c89845307ae8ed097a57dc2e83729a37715e696c5f64a8e8f2e2bb6a3a99f0305a44b0f46f580ec966a4dfdf4ca586c7ba

Download Submit
\??\pipe\crashpad_2760_RAQBMHYKINBDFVGW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1992-130-0x0000000000000000-mapping.dmp

Download
memory/2296-122-0x0000000000240000-0x00000000003C0000-memory.dmp

Filesize
1.5MB

Download
memory/2296-123-0x00000000022D0000-0x00000000022DA000-memory.dmp

Filesize
40KB

Download
memory/2296-124-0x000000001AEA0000-0x000000001AEBA000-memory.dmp

Filesize
104KB

Download
memory/2296-135-0x000000001D530000-0x000000001D56E000-memory.dmp

Filesize
248KB

Download
memory/2296-134-0x000000001C190000-0x000000001C1A2000-memory.dmp

Filesize
72KB

Download
memory/3244-131-0x0000000000000000-mapping.dmp

Download
memory/3276-132-0x0000000000000000-mapping.dmp

Download
memory/3520-129-0x0000000000000000-mapping.dmp

Download
memory/3688-127-0x0000000000000000-mapping.dmp

Download
memory/4540-136-0x0000000000000000-mapping.dmp

Download
memory/4580-126-0x0000000000000000-mapping.dmp

Download
memory/4692-137-0x0000000000000000-mapping.dmp

Download
memory/4728-133-0x0000000000000000-mapping.dmp

Download
memory/4900-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads