9eb6551959a913de98898302ec764841be357c0786038bdfa1c3d7f269d490a6

Analysis

max time kernel
131s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercury.C.exe
Size

1.0MB
MD5

f7b55502a71cef2d1e70d88aeeb63d73
SHA1

bfd5a73a583a78464cb9f46d3799f6c9f47663ff
SHA256

9eb6551959a913de98898302ec764841be357c0786038bdfa1c3d7f269d490a6
SHA512

ec32ab1b6a7839af70cd6cf17e74158cefc0590e80ef9ae09df2cf50ae7837cb19c629b7d70a9901e5951b64e193ec1f08ba2d8ff47a90c76529bf7cb1bae6b8
SSDEEP

24576:ByLw3WVoK5w/NyZtkzhnxAwUKm4MEoiE:uwW+KIWtk9nlUKm4MtiE

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1656	mbr.exe
1564	bytebeat.exe
1320	ColorA.exe
676	GlitchB.exe
1864	zoomlines.exe
1996	ScreenShuffle.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-90-0x0000000000400000-0x0000000000515000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	964	AUDIODG.EXE
Token: 33	964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	964	AUDIODG.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 376	2012	Mercury.C.exe	28
PID 2012 wrote to memory of 376	2012	Mercury.C.exe	28
PID 2012 wrote to memory of 376	2012	Mercury.C.exe	28
PID 2012 wrote to memory of 376	2012	Mercury.C.exe	28
PID 376 wrote to memory of 628	376	wscript.exe	29
PID 376 wrote to memory of 628	376	wscript.exe	29
PID 376 wrote to memory of 628	376	wscript.exe	29
PID 376 wrote to memory of 1656	376	wscript.exe	30
PID 376 wrote to memory of 1656	376	wscript.exe	30
PID 376 wrote to memory of 1656	376	wscript.exe	30
PID 376 wrote to memory of 1656	376	wscript.exe	30
PID 376 wrote to memory of 1564	376	wscript.exe	31
PID 376 wrote to memory of 1564	376	wscript.exe	31
PID 376 wrote to memory of 1564	376	wscript.exe	31
PID 376 wrote to memory of 1564	376	wscript.exe	31
PID 376 wrote to memory of 1320	376	wscript.exe	32
PID 376 wrote to memory of 1320	376	wscript.exe	32
PID 376 wrote to memory of 1320	376	wscript.exe	32
PID 376 wrote to memory of 1320	376	wscript.exe	32
PID 376 wrote to memory of 676	376	wscript.exe	35
PID 376 wrote to memory of 676	376	wscript.exe	35
PID 376 wrote to memory of 676	376	wscript.exe	35
PID 376 wrote to memory of 676	376	wscript.exe	35
PID 376 wrote to memory of 1864	376	wscript.exe	36
PID 376 wrote to memory of 1864	376	wscript.exe	36
PID 376 wrote to memory of 1864	376	wscript.exe	36
PID 376 wrote to memory of 1864	376	wscript.exe	36
PID 376 wrote to memory of 1996	376	wscript.exe	37
PID 376 wrote to memory of 1996	376	wscript.exe	37
PID 376 wrote to memory of 1996	376	wscript.exe	37
PID 376 wrote to memory of 1996	376	wscript.exe	37

C:\Users\Admin\AppData\Local\Temp\Mercury.C.exe
"C:\Users\Admin\AppData\Local\Temp\Mercury.C.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A4E.tmp\A4F.tmp\A50.vbs //Nologo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\t.vbs"
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\bytebeat.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\bytebeat.exe"
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ColorA.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ColorA.exe"
    3⤵
    - Executes dropped EXE
    PID:1320
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\GlitchB.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\GlitchB.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\zoomlines.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\zoomlines.exe"
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ScreenShuffle.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ScreenShuffle.exe"
    3⤵
    - Executes dropped EXE
    PID:1996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4E.tmp\A4F.tmp\A50.vbs

Filesize
1KB

MD5
d46581bcd1ba3407e08e4d766f248ff7

SHA1
20c56d9760e6e7b148cc9556d4528badde2cc49d

SHA256
8f0943daaa9eeaa2886e6ec36a144dc74e5036a30be7514a0ae736ce03da145e

SHA512
fc60d7db66104be51d3527eed8daa66d101711cddd7126ae3e4edc1c929a7893c47615523bb8f610d6b1267d071f584ba692938f376ebe1915c30047ba5065e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ColorA.exe

Filesize
107KB

MD5
d50fbc1a509ef70153d458aa657a1416

SHA1
1f92309b9fa0d1ea78c8a67745a4caf763313089

SHA256
f41d9fdcdcebf89ea570158e5d00aff3a7f31970e92b929258777a1bb52d328d

SHA512
48504f06a2f510d85ac4acb6f71b5e4137c08abcc11aef0daadfe29624025b499df93f4389033ab3cc082a0146a251634725026958988c5bedf1bf5382573901

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ColorA.exe

Filesize
107KB

MD5
d50fbc1a509ef70153d458aa657a1416

SHA1
1f92309b9fa0d1ea78c8a67745a4caf763313089

SHA256
f41d9fdcdcebf89ea570158e5d00aff3a7f31970e92b929258777a1bb52d328d

SHA512
48504f06a2f510d85ac4acb6f71b5e4137c08abcc11aef0daadfe29624025b499df93f4389033ab3cc082a0146a251634725026958988c5bedf1bf5382573901

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\GlitchB.exe

Filesize
1.3MB

MD5
716ae76e98dce401a20e692b2c8af422

SHA1
c3b8aa6afc390b4b1b551ef73cf8890afd558252

SHA256
2d51a1794fbdaa664347dfbffc6d5cd6377be80ca05525bbd331c0c8391bd669

SHA512
bc9ac1baead0fef0e4eb6c23c7ccbf8140b7bddc5c5f838a972c18fdd46622a1d008bd89ba65b287b2697544e64c6d98ac61461bfdeb4ac10463a37e8cf2dd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\GlitchB.exe

Filesize
1.3MB

MD5
716ae76e98dce401a20e692b2c8af422

SHA1
c3b8aa6afc390b4b1b551ef73cf8890afd558252

SHA256
2d51a1794fbdaa664347dfbffc6d5cd6377be80ca05525bbd331c0c8391bd669

SHA512
bc9ac1baead0fef0e4eb6c23c7ccbf8140b7bddc5c5f838a972c18fdd46622a1d008bd89ba65b287b2697544e64c6d98ac61461bfdeb4ac10463a37e8cf2dd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ScreenShuffle.exe

Filesize
104KB

MD5
042412143d162ce4877e700f1e0e00a3

SHA1
547b1358fbe4dc46d47ff516644a96f80f70f7ef

SHA256
29d6cb7222b713379111559d5a9df6f3f500e9b78940bafa82ebff0dc80f5690

SHA512
be2b148d9733519d9167fb2b3029abfa4ec6c64785c144ac49fe97e12f4cf1569f46c3a8466a8f4deef26f967363ab19eaf92f2a153b36cb9ea574048be94762

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\ScreenShuffle.exe

Filesize
104KB

MD5
042412143d162ce4877e700f1e0e00a3

SHA1
547b1358fbe4dc46d47ff516644a96f80f70f7ef

SHA256
29d6cb7222b713379111559d5a9df6f3f500e9b78940bafa82ebff0dc80f5690

SHA512
be2b148d9733519d9167fb2b3029abfa4ec6c64785c144ac49fe97e12f4cf1569f46c3a8466a8f4deef26f967363ab19eaf92f2a153b36cb9ea574048be94762

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\bytebeat.exe

Filesize
102KB

MD5
6dba963d56ae1fcdfd6e840a52416801

SHA1
5ad332cce4c7556cc0aa72b9d5792f42e3873b3b

SHA256
eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506

SHA512
c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\bytebeat.exe

Filesize
102KB

MD5
6dba963d56ae1fcdfd6e840a52416801

SHA1
5ad332cce4c7556cc0aa72b9d5792f42e3873b3b

SHA256
eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506

SHA512
c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\bytebeat.wav

Filesize
937KB

MD5
0d6e9332c0dcaba834cbf616017b0cad

SHA1
b831a6f54d52424a5c5cbb35a4f201e62a8b5b72

SHA256
007fcb6ef5af82cf8325263d6e55a2aa32418a420866fe53e95f29861663449a

SHA512
db7a92c58f90b60bfb66f40d2d76739318adf6a3981bda720aaf049c4a015100f6a05fa855db315bc553549ee7375f48ab8c0e6facd634cde390391a42aaaa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\mbr.exe

Filesize
1.3MB

MD5
dd85e30ef70c4f0425837a3fe17dbc1d

SHA1
03e19f1a21649b1874633e6f6afe754bf9106645

SHA256
356e86a7609e3475e6d5aace81f673607061c551f91f57b87c3ecbd3943d4181

SHA512
acb6e47380aa371ef12e9d4624c31c524d54228986d75e6a7317896c5eb2517506a8e4341f9e0392a5ecd49820ceeee0a216a2d4f9490123c9620d81e42a91ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\mbr.exe

Filesize
1.3MB

MD5
dd85e30ef70c4f0425837a3fe17dbc1d

SHA1
03e19f1a21649b1874633e6f6afe754bf9106645

SHA256
356e86a7609e3475e6d5aace81f673607061c551f91f57b87c3ecbd3943d4181

SHA512
acb6e47380aa371ef12e9d4624c31c524d54228986d75e6a7317896c5eb2517506a8e4341f9e0392a5ecd49820ceeee0a216a2d4f9490123c9620d81e42a91ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\t.vbs

Filesize
314B

MD5
623e9906409c3b8e3fd9b8c93700f5b2

SHA1
dc5f18a87f49eb4fbc042a1057980fb86b0f80d1

SHA256
03b636d34ef16404d2ef33a5a7e4f582165614cbe58f9c7ea47ddd9cf92aaa32

SHA512
58d7e15e4d169ff829eeb5680cc3dd569e9bb9be8e95d11a0c4ae6d126427e2eb97a4c83d8064df4075cbd7db3755be6e0eeb041779c80898180a53697200d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\zoomlines.exe

Filesize
104KB

MD5
ab1658bfe290e1990199df2f7ed460d0

SHA1
27a0d6bc70472d8019abdcf317a57b67b793e197

SHA256
ea1fa5233612bb4d60b01d81e3c41c4dd7187be78e0552a49121843ce06f2bc4

SHA512
c5450508bd4a35ed8a6a26fbb022c22ab550830e6b500798b9d9dc45970e1eac4b7549e37b4805cef7c450e2ed221ea2aed8d2db04306b3b5d8a4971078bdc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4E.tmp\zoomlines.exe

Filesize
104KB

MD5
ab1658bfe290e1990199df2f7ed460d0

SHA1
27a0d6bc70472d8019abdcf317a57b67b793e197

SHA256
ea1fa5233612bb4d60b01d81e3c41c4dd7187be78e0552a49121843ce06f2bc4

SHA512
c5450508bd4a35ed8a6a26fbb022c22ab550830e6b500798b9d9dc45970e1eac4b7549e37b4805cef7c450e2ed221ea2aed8d2db04306b3b5d8a4971078bdc7e

Download Submit
C:\Users\Admin\Desktop\mercurywashere 5.txt

Filesize
31B

MD5
d564f2e9321d6c7376c046daca1a3e41

SHA1
c20e97fef336e24b87314bfd9e76861d56f1d4d3

SHA256
73814b7c0637a09eb3eb6e7af6df59c0a9303fe7eabccf0b4fffda20613cfa2e

SHA512
0784d78b88dd39567c56224d401450448c284f2f3ab343b8a645a79c9f854a5b6cfd82b35f003477bcbcbf3b74f653e79b6581590fbbc6dc61a01839abd2ede1

Download Submit
memory/676-315-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1320-357-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-333-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-314-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-318-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-322-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-306-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-351-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-345-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-328-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-311-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-338-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1320-303-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1564-302-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1656-95-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1864-330-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1996-348-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2012-90-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download