Overview

overview

7

Static

static

3

Mercurial.exe

windows10-1703-x64

7

Resubmissions

25-04-2023 21:12

230425-z19khach88 9

25-04-2023 21:10

230425-z1fmesch85 7

25-04-2023 21:07

230425-zya9xseg8w 7

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-04-2023 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mercurial.exe

  • Size

    3.2MB

  • MD5

    a9477b3e21018b96fc5d2264d4016e65

  • SHA1

    493fa8da8bf89ea773aeb282215f78219a5401b7

  • SHA256

    890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

  • SHA512

    66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

  • SSDEEP

    98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

Score
7/10
agilenet

Malware Config

Signatures

  • Obfuscated with Agile.Net obfuscator 11 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1396
      2⤵
      • Program crash
      PID:2140
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.1440724060\21916024" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1612 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13aaf487-6014-4422-a7ea-bb2545b30926} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1716 131a97a6758 gpu
        3⤵
          PID:2216
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.1.1590711652\2081112256" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {427302f1-8f27-4749-9e41-944f16ed81d4} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2072 131a83fa258 socket
          3⤵
            PID:1520
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.2.898848746\1014373131" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2672 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af27112d-c7ed-42d8-a69e-2c303eed25e3} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2820 131ac653c58 tab
            3⤵
              PID:1372
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.3.129780025\768126554" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3417befb-e720-47a7-ab20-31a3c3cb9b78} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 3532 13195b62b58 tab
              3⤵
                PID:768
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.4.1327908229\243031789" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3672 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f63aa61-eb88-4d26-8ce0-034d2a10bb9d} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4460 131ad596e58 tab
                3⤵
                  PID:2844
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.5.1185906420\1886238933" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4808 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6056b7ce-f23a-427c-9a0c-462c196ddf5a} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4832 131ad594758 tab
                  3⤵
                    PID:500
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.7.1419583814\301803592" -childID 6 -isForBrowser -prefsHandle 4684 -prefMapHandle 5124 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17ab08ac-b11d-40f4-aeec-75accf2ba12d} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4848 131aeb44858 tab
                    3⤵
                      PID:1464
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.290181964\1830390012" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a617a3b3-e6bb-488e-b88a-819228663a44} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4708 131aeb44258 tab
                      3⤵
                        PID:1020
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.8.657044958\1230331915" -childID 7 -isForBrowser -prefsHandle 1260 -prefMapHandle 5548 -prefsLen 26719 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9cc8e8a-9b68-4809-9acd-3ebdac1adaa3} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 5552 131b034dc58 tab
                        3⤵
                          PID:3400
                    • C:\Windows\System32\SystemSettingsBroker.exe
                      C:\Windows\System32\SystemSettingsBroker.exe -Embedding
                      1⤵
                        PID:3804
                      • \??\c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
                        1⤵
                          PID:4624
                        • \??\c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k localservice -s SstpSvc
                          1⤵
                            PID:5032
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
                            1⤵
                            • Checks SCSI registry key(s)
                            • Modifies data under HKEY_USERS
                            PID:4536
                          • \??\c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
                            1⤵
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2820
                          • \??\c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s RasMan
                            1⤵
                              PID:4052

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
                              Filesize

                              157KB

                              MD5

                              4e2d9757e83db1a10e3924541c3b711f

                              SHA1

                              062260b2da60c80da73b00a22a4172812b087f7e

                              SHA256

                              9e5de94c04a30c7b9890be4941e35492a2abc4e2dc8d59c7dbe2fa189e992904

                              SHA512

                              28cfbfe3209708de42f9083ad7a8611014e922d17b0b99dc909e792a9591dee627672d010091c78c7cd3dab30fb7931a28223985f820eba6027bc3668b988f01

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
                              Filesize

                              6KB

                              MD5

                              fc03769491e92557713bff75b3dcae44

                              SHA1

                              a4f4687575dba8a950a014c93d8f9f086a2b68d6

                              SHA256

                              3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

                              SHA512

                              8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              e07920c61129cb31d91d275607f5fd86

                              SHA1

                              fbc8b92057e4aa4743a5027868f84925bfb8f666

                              SHA256

                              531786f46b556fd85bacea01f2b9f426dac77a25b322fbff3344b1bb9567d82d

                              SHA512

                              6775c0d038cf3f145128ce66ef24d0d363c5e4c2b44f6853e93a3bb1b4909e27ce4680b5729cb05a523ebbcf01d9bdcdb0e94f7fc4b98b7147b44d2b7a13aa1a

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              5140d5b6003bdbf990b18397c48a6c2e

                              SHA1

                              4bccd4351a65e5ec3dca7cd621675c01013faac7

                              SHA256

                              e01fe4228e02d28b2c4b30cf4bdfae0f1b7e1b63e413d9825b898557c65a0ffd

                              SHA512

                              0cc40bdc9b4bd7824a1d9760bb21eab6590143be8bb959375365f6e6b13c34b2a1f8f180475ea81c90afe9b7071e8d0f998d5cd5cead28b4d4e78046bd1d00c9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                              Filesize

                              184KB

                              MD5

                              ada9f4dd9948aa020ac284595ef89820

                              SHA1

                              998bf36c41acb4b5042866890ba5da30106b7292

                              SHA256

                              10782b1dd8c035112bc672eb1bacedc91fd13656b37157b4e527d20b8776e16b

                              SHA512

                              5ec174176901496ccae0e7db32d7602b9abddfb8f9a71a06ece58f731095dd6d0fdf2eaa8c49826126b0c2a7aaacb25f27efa28bbbe77aa468dd1e4d7bdf6059

                              Download Submit

                            • C:\Windows\INF\netrasa.PNF
                              Filesize

                              22KB

                              MD5

                              80648b43d233468718d717d10187b68d

                              SHA1

                              a1736e8f0e408ce705722ce097d1adb24ebffc45

                              SHA256

                              8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

                              SHA512

                              eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

                              Download Submit

                            • C:\Windows\INF\netsstpa.PNF
                              Filesize

                              6KB

                              MD5

                              01e21456e8000bab92907eec3b3aeea9

                              SHA1

                              39b34fe438352f7b095e24c89968fca48b8ce11c

                              SHA256

                              35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

                              SHA512

                              9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

                              Download Submit

                            • memory/2488-205-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-254-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-125-0x0000000005390000-0x000000000539A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/2488-126-0x00000000053A0000-0x00000000053BC000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/2488-127-0x0000000005490000-0x00000000054B0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/2488-128-0x0000000005600000-0x0000000005620000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/2488-129-0x00000000054B0000-0x00000000054C0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-130-0x0000000005650000-0x0000000005664000-memory.dmp

                              Filesize

                              80KB

                              Download

                            • memory/2488-132-0x00000000056E0000-0x00000000056FE000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/2488-131-0x0000000005660000-0x00000000056CE000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/2488-134-0x0000000005760000-0x000000000576E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/2488-133-0x0000000005710000-0x0000000005746000-memory.dmp

                              Filesize

                              216KB

                              Download

                            • memory/2488-135-0x0000000005770000-0x000000000577E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/2488-136-0x0000000005ED0000-0x000000000601A000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/2488-137-0x0000000006050000-0x0000000006166000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/2488-138-0x0000000006170000-0x00000000061A0000-memory.dmp

                              Filesize

                              192KB

                              Download

                            • memory/2488-176-0x0000000008D30000-0x0000000008D38000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/2488-181-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-186-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-199-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-204-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-123-0x00000000053F0000-0x0000000005482000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/2488-228-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-234-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-249-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-124-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-268-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-273-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-292-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-299-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-300-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-314-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-336-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-354-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-395-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-428-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-437-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-503-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-512-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-583-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-602-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-648-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-649-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-667-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-692-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-714-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-719-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-762-0x0000000005890000-0x0000000005990000-memory.dmp

                              Filesize

                              1024KB

                              Download

                            • memory/2488-122-0x00000000059D0000-0x0000000005ECE000-memory.dmp

                              Filesize

                              5.0MB

                              Download

                            • memory/2488-121-0x0000000000830000-0x0000000000B6A000-memory.dmp

                              Filesize

                              3.2MB

                              Download

                            • memory/2488-795-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2488-837-0x00000000053E0000-0x00000000053F0000-memory.dmp

                              Filesize

                              64KB

                              Download