Analysis Overview
SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
Threat Level: Shows suspicious behavior
The file Mercurial.exe was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Unsigned PE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-06-30 15:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 15:52
Reported
2023-06-30 16:22
Platform
win10-20230621-en
Max time kernel
705s
Max time network
1608s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.42.72.131:443 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
Files
memory/3752-120-0x0000000000BD0000-0x0000000000F0A000-memory.dmp
memory/3752-121-0x0000000005EA0000-0x000000000639E000-memory.dmp
memory/3752-122-0x0000000005890000-0x0000000005922000-memory.dmp
memory/3752-123-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/3752-124-0x0000000005880000-0x000000000588A000-memory.dmp
memory/3752-125-0x0000000005930000-0x000000000594C000-memory.dmp
memory/3752-126-0x0000000005970000-0x0000000005990000-memory.dmp
memory/3752-127-0x0000000005A60000-0x0000000005A80000-memory.dmp
memory/3752-128-0x0000000005A80000-0x0000000005A90000-memory.dmp
memory/3752-129-0x0000000005B30000-0x0000000005B44000-memory.dmp
memory/3752-130-0x0000000005B40000-0x0000000005BAE000-memory.dmp
memory/3752-131-0x0000000005BC0000-0x0000000005BDE000-memory.dmp
memory/3752-132-0x0000000005BF0000-0x0000000005C26000-memory.dmp
memory/3752-133-0x0000000005C40000-0x0000000005C4E000-memory.dmp
memory/3752-134-0x0000000005C50000-0x0000000005C5E000-memory.dmp
memory/3752-135-0x00000000064A0000-0x00000000065EA000-memory.dmp
memory/3752-136-0x00000000066C0000-0x00000000067D6000-memory.dmp
memory/3752-137-0x0000000005DE0000-0x0000000005E10000-memory.dmp
memory/3752-138-0x0000000009210000-0x0000000009218000-memory.dmp
memory/3752-139-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/3752-140-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/3752-141-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/3752-142-0x00000000032B0000-0x00000000032C0000-memory.dmp