Analysis Overview
SHA256
3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6
Threat Level: Shows suspicious behavior
The file Mercurial-Grabber.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-19 18:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-19 18:25
Reported
2023-04-19 18:28
Platform
win7-20230220-en
Max time kernel
147s
Max time network
30s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-19 18:25
Reported
2023-04-19 18:28
Platform
win10v2004-20230220-en
Max time kernel
104s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4324 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 968 wrote to memory of 2432 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E6478494C104A058B5DEDDE7FF7AF9B.TMP"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2496
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 254.157.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 20.189.173.11:443 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | api.msn.com | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | N/A | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.1.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.2.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.3.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.4.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.9.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.8.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.7.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.6.cs
\??\c:\Users\Admin\AppData\Local\Temp\dda2hnwi\dda2hnwi.5.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E6478494C104A058B5DEDDE7FF7AF9B.TMP
C:\Users\Admin\AppData\Local\Temp\RESCC6D.tmp