Analysis

  • max time kernel: 63s
  • max time network: 65s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-06-2023 08:59

General

  • Target: KRNLExecutor.exe
  • Size: 41KB
  • MD5: d1a288a97979ddd09085cc9ad0162b62
  • SHA1: d213f7f6f069db9c1fb72cb76ca4440541461c7c
  • SHA256: 1e0474476d1eba6ed4ea3e6c2bdc368412f60862db3ee84e096eb800a8c884bc
  • SHA512: ff143047d8278c16c2fb139ac7318d0dd8f92f4b46f35c18c19f58e254eb1e79d259d1365ad458f656b089c66918c7bf4fe5cc7a9c826d0754ac31b249317947
  • SSDEEP: 768:nscaIiIq3KHWOJTw3quZ5e9WTjoKZKfgm3Eh41:sc1KKHHo9e9WT8F7Ee1

Malware Config

Extracted

  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/1118262451083939971/HmXFycDXvS2LObQqqJVwfiGcZuZwJqZAp7f-PUmUyVxXQyBedsiYC04ShgyVOokXniGF

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  • Checks BIOS information in registry (2 TTPs, 1 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Program crash (1 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 1 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\KRNLExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\KRNLExecutor.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1324 -s 1868
      2⤵
      • Program crash
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: d708426f35b770ba268de1ce3acb04d7
    SHA1: 9ccce67e3294ccc74ee77716ca212c61d07109f5
    SHA256: 263d046bb6f9be916ebb496453e6b17c4029e110e8f41fb3bdc3a10b0ea9826c
    SHA512: 20d52177b1ea6ae683e3549d6e64d6a56d3d6b7a3370f72a41f2652ecde2e40ab4c3dc8e935e9d08af605637f4f62ebdcccfa853fe769ceff3318a57cd474ae6

  • C:\Users\Admin\AppData\Local\Temp\Cab2704.tmp
    Filesize: 61KB
    MD5: fc4666cbca561e864e7fdf883a9e6661
    SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
    SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
    SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\Local\Temp\Tar2A17.tmp
    Filesize: 164KB
    MD5: 4ff65ad929cd9a367680e0e5b1c08166
    SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
    SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
    SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • memory/1324-54-0x0000000000E70000-0x0000000000E80000-memory.dmp
    Filesize: 64KB

  • memory/1324-55-0x000000001B080000-0x000000001B100000-memory.dmp
    Filesize: 512KB

  • memory/1324-142-0x000000001B080000-0x000000001B100000-memory.dmp
    Filesize: 512KB