Malware Analysis Report

2025-05-28 16:41

Sample ID 230630-tbfcgaeg4w
Target Mercurial.exe
SHA256 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
Tags: agilenet
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

Threat Level: Shows suspicious behavior

The file Mercurial.exe was found to show suspicious behavior.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 15:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 15:52

Reported

2023-06-30 16:22

Platform

win10-20230621-en

Max time kernel

705s

Max time network

1608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

Signatures

Obfuscated with Agile.Net obfuscator

Tags: agilenet

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 hits recorded, all without details)

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

Process: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Process: C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network

Country | Destination | Domain | Proto
US | 20.42.72.131:443 | (none) | tcp
US | 72.21.81.240:80 | (none) | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp

Files

memory/3752-120-0x0000000000BD0000-0x0000000000F0A000-memory.dmp

memory/3752-121-0x0000000005EA0000-0x000000000639E000-memory.dmp

memory/3752-122-0x0000000005890000-0x0000000005922000-memory.dmp

memory/3752-123-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/3752-124-0x0000000005880000-0x000000000588A000-memory.dmp

memory/3752-125-0x0000000005930000-0x000000000594C000-memory.dmp

memory/3752-126-0x0000000005970000-0x0000000005990000-memory.dmp

memory/3752-127-0x0000000005A60000-0x0000000005A80000-memory.dmp

memory/3752-128-0x0000000005A80000-0x0000000005A90000-memory.dmp

memory/3752-129-0x0000000005B30000-0x0000000005B44000-memory.dmp

memory/3752-130-0x0000000005B40000-0x0000000005BAE000-memory.dmp

memory/3752-131-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

memory/3752-132-0x0000000005BF0000-0x0000000005C26000-memory.dmp

memory/3752-133-0x0000000005C40000-0x0000000005C4E000-memory.dmp

memory/3752-134-0x0000000005C50000-0x0000000005C5E000-memory.dmp

memory/3752-135-0x00000000064A0000-0x00000000065EA000-memory.dmp

memory/3752-136-0x00000000066C0000-0x00000000067D6000-memory.dmp

memory/3752-137-0x0000000005DE0000-0x0000000005E10000-memory.dmp

memory/3752-138-0x0000000009210000-0x0000000009218000-memory.dmp

memory/3752-139-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/3752-140-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/3752-141-0x00000000032B0000-0x00000000032C0000-memory.dmp

memory/3752-142-0x00000000032B0000-0x00000000032C0000-memory.dmp