Resubmissions
25-04-2023 21:12
230425-z19khach88 925-04-2023 21:10
230425-z1fmesch85 725-04-2023 21:07
230425-zya9xseg8w 7Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
25-04-2023 21:07
General
-
Target
Mercurial.exe
-
Size
3.2MB
-
MD5
a9477b3e21018b96fc5d2264d4016e65
-
SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7
-
SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
-
SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
-
SSDEEP
98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 11 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Drops file in Windows directory 2 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 13962⤵
- Program crash
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1440724060\21916024" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1612 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13aaf487-6014-4422-a7ea-bb2545b30926} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1716 131a97a6758 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.1.1590711652\2081112256" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {427302f1-8f27-4749-9e41-944f16ed81d4} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2072 131a83fa258 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.2.898848746\1014373131" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2672 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af27112d-c7ed-42d8-a69e-2c303eed25e3} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2820 131ac653c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.3.129780025\768126554" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3417befb-e720-47a7-ab20-31a3c3cb9b78} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 3532 13195b62b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.4.1327908229\243031789" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3672 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f63aa61-eb88-4d26-8ce0-034d2a10bb9d} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4460 131ad596e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.5.1185906420\1886238933" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4808 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6056b7ce-f23a-427c-9a0c-462c196ddf5a} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4832 131ad594758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.7.1419583814\301803592" -childID 6 -isForBrowser -prefsHandle 4684 -prefMapHandle 5124 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17ab08ac-b11d-40f4-aeec-75accf2ba12d} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4848 131aeb44858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.290181964\1830390012" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a617a3b3-e6bb-488e-b88a-819228663a44} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4708 131aeb44258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.8.657044958\1230331915" -childID 7 -isForBrowser -prefsHandle 1260 -prefMapHandle 5548 -prefsLen 26719 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9cc8e8a-9b68-4809-9acd-3ebdac1adaa3} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5552 131b034dc58 tab3⤵
-
C:\Windows\System32\SystemSettingsBroker.exeC:\Windows\System32\SystemSettingsBroker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmpFilesize
157KB
MD54e2d9757e83db1a10e3924541c3b711f
SHA1062260b2da60c80da73b00a22a4172812b087f7e
SHA2569e5de94c04a30c7b9890be4941e35492a2abc4e2dc8d59c7dbe2fa189e992904
SHA51228cfbfe3209708de42f9083ad7a8611014e922d17b0b99dc909e792a9591dee627672d010091c78c7cd3dab30fb7931a28223985f820eba6027bc3668b988f01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.jsFilesize
6KB
MD5fc03769491e92557713bff75b3dcae44
SHA1a4f4687575dba8a950a014c93d8f9f086a2b68d6
SHA2563e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375
SHA5128e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5e07920c61129cb31d91d275607f5fd86
SHA1fbc8b92057e4aa4743a5027868f84925bfb8f666
SHA256531786f46b556fd85bacea01f2b9f426dac77a25b322fbff3344b1bb9567d82d
SHA5126775c0d038cf3f145128ce66ef24d0d363c5e4c2b44f6853e93a3bb1b4909e27ce4680b5729cb05a523ebbcf01d9bdcdb0e94f7fc4b98b7147b44d2b7a13aa1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD55140d5b6003bdbf990b18397c48a6c2e
SHA14bccd4351a65e5ec3dca7cd621675c01013faac7
SHA256e01fe4228e02d28b2c4b30cf4bdfae0f1b7e1b63e413d9825b898557c65a0ffd
SHA5120cc40bdc9b4bd7824a1d9760bb21eab6590143be8bb959375365f6e6b13c34b2a1f8f180475ea81c90afe9b7071e8d0f998d5cd5cead28b4d4e78046bd1d00c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD5ada9f4dd9948aa020ac284595ef89820
SHA1998bf36c41acb4b5042866890ba5da30106b7292
SHA25610782b1dd8c035112bc672eb1bacedc91fd13656b37157b4e527d20b8776e16b
SHA5125ec174176901496ccae0e7db32d7602b9abddfb8f9a71a06ece58f731095dd6d0fdf2eaa8c49826126b0c2a7aaacb25f27efa28bbbe77aa468dd1e4d7bdf6059
-
C:\Windows\INF\netrasa.PNFFilesize
22KB
MD580648b43d233468718d717d10187b68d
SHA1a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA2568ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
C:\Windows\INF\netsstpa.PNFFilesize
6KB
MD501e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
memory/2488-205-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-254-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-125-0x0000000005390000-0x000000000539A000-memory.dmpFilesize
40KB
-
memory/2488-126-0x00000000053A0000-0x00000000053BC000-memory.dmpFilesize
112KB
-
memory/2488-127-0x0000000005490000-0x00000000054B0000-memory.dmpFilesize
128KB
-
memory/2488-128-0x0000000005600000-0x0000000005620000-memory.dmpFilesize
128KB
-
memory/2488-129-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/2488-130-0x0000000005650000-0x0000000005664000-memory.dmpFilesize
80KB
-
memory/2488-132-0x00000000056E0000-0x00000000056FE000-memory.dmpFilesize
120KB
-
memory/2488-131-0x0000000005660000-0x00000000056CE000-memory.dmpFilesize
440KB
-
memory/2488-134-0x0000000005760000-0x000000000576E000-memory.dmpFilesize
56KB
-
memory/2488-133-0x0000000005710000-0x0000000005746000-memory.dmpFilesize
216KB
-
memory/2488-135-0x0000000005770000-0x000000000577E000-memory.dmpFilesize
56KB
-
memory/2488-136-0x0000000005ED0000-0x000000000601A000-memory.dmpFilesize
1.3MB
-
memory/2488-137-0x0000000006050000-0x0000000006166000-memory.dmpFilesize
1.1MB
-
memory/2488-138-0x0000000006170000-0x00000000061A0000-memory.dmpFilesize
192KB
-
memory/2488-176-0x0000000008D30000-0x0000000008D38000-memory.dmpFilesize
32KB
-
memory/2488-181-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-186-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-199-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-204-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-123-0x00000000053F0000-0x0000000005482000-memory.dmpFilesize
584KB
-
memory/2488-228-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-234-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-249-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-124-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-268-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-273-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-292-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-299-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-300-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-314-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-336-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-354-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-395-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-428-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-437-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-503-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-512-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-583-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-602-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-648-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-649-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-667-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-692-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-714-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-719-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-762-0x0000000005890000-0x0000000005990000-memory.dmpFilesize
1024KB
-
memory/2488-122-0x00000000059D0000-0x0000000005ECE000-memory.dmpFilesize
5.0MB
-
memory/2488-121-0x0000000000830000-0x0000000000B6A000-memory.dmpFilesize
3.2MB
-
memory/2488-795-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB
-
memory/2488-837-0x00000000053E0000-0x00000000053F0000-memory.dmpFilesize
64KB