Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2023 13:37

General

  • Target

    https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa

Malware Config

Extracted

  • Family
    mercurialgrabber
  • C2
    https://discord.com/api/webhooks/984263168396230666/DWJ_RK2rtVcxAh2GlY7NfTu7SQriLRe-3j65Z4y0izQOlXZo6MbPVfb-o1yds-Frpk56
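
The C2 above is a plain Discord webhook URL, which carries two things worth pulling apart: the webhook ID (a Discord snowflake, so it encodes when the webhook was created) and the token (the credential that lets anyone post to, edit or delete the webhook, so it should be redacted before the IoC is shared). The following Python is an added example and not part of this report or of the Mercurial Grabber project; it uses the extracted C2 URL as input, constructs a second non-webhook URL for the negative case, and assumes the discordapp.com / canary / ptb host variants from common usage rather than from anything observed here.

```python
"""Parse a Discord webhook C2 URL and enrich the webhook ID.

Added example, not part of the original report. C2_URL is the webhook
extracted from this sample; NOT_A_WEBHOOK is constructed for the negative
case. The host variants (discordapp.com, canary/ptb) are assumed from
common usage, not from the report.
"""
import re
from datetime import datetime, timezone
from typing import Optional

C2_URL = ("https://discord.com/api/webhooks/984263168396230666/"
          "DWJ_RK2rtVcxAh2GlY7NfTu7SQriLRe-3j65Z4y0izQOlXZo6MbPVfb-o1yds-Frpk56")
NOT_A_WEBHOOK = "https://discord.com/api/v10/channels/1234/messages"  # constructed

# /api/webhooks/<snowflake>/<token>; the token is the credential that lets
# anyone POST to, edit or delete the webhook, so treat it as a secret.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com"
    r"/api/(?:v\d+/)?webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{20,})"
)

# Discord snowflakes carry a millisecond timestamp in the top 42 bits,
# counted from the Discord epoch 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (webhook, channel, user...)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000)


def parse_discord_webhook(url: str) -> Optional[dict]:
    """Return id, token and creation time, or None if url is not a webhook."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        return None
    wid = int(m.group("id"))
    return {"id": wid, "token": m.group("token"),
            "created": snowflake_to_datetime(wid)}


def redact_webhook(url: str) -> str:
    """Mask the token so the IoC can be shared without leaking the credential."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        return url
    return url[: m.start("token")] + "<REDACTED>" + url[m.end("token"):]


def find_webhooks(text: str) -> list:
    """Pull every webhook out of a blob (strings output, config dump, pcap text)."""
    return [parse_discord_webhook(m.group(0)) for m in WEBHOOK_RE.finditer(text)]


if __name__ == "__main__":
    info = parse_discord_webhook(C2_URL)
    print("webhook id     :", info["id"])
    print("webhook created:", info["created"].isoformat())
    print("shareable IoC  :", redact_webhook(C2_URL))
```

For this sample the snowflake decodes to a creation time of 2022-06-09 01:10:26 UTC, well over a year before the 11-11-2023 submission, which is a useful pivot when clustering other samples that report to the same webhook.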

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients as well as generic system information. In this sample it reports to the Discord webhook listed under Malware Config.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)

    Here the archive is served from a SharePoint/OneDrive link (the Target above) and the C2 is a Discord webhook, so both delivery and exfiltration blend into traffic to trusted domains.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 4 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) (3 TTPs, 2 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 12 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 8 IoCs)
  • Modifies registry class (1 IoC)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • NTFS ADS (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of FindShellTrayWindow (8 IoCs)
  • Suspicious use of SendNotifyMessage (5 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    Not every signature above belongs to the sample: the process tree shows that "Checks processor information in registry", "Modifies registry class", "NTFS ADS", "SetWindowsHookEx" and most of the WriteProcessMemory hits are attributed to firefox.exe and 7zG.exe, which were only used to fetch and unpack the archive. The anti-VM, drive, SCSI, BIOS and certificate-store signatures are the ones attributed to rbxgen.exe.
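
The six registry-fingerprinting signatures above (VirtualBox Guest Additions, VMware Tools, BIOS, SCSI, processor, connected drives) are individually weak, since browsers and installers read CPU and BIOS details too, but a single process hitting several of them in quick succession is a strong sandbox-evasion tell. The following Python is an added example, not part of this report or of any sandbox vendor's code: it scores processes by how many distinct checks they trip over a constructed Procmon-style CSV log. The PIDs are borrowed from the process tree; the registry key paths are the ones these checks are commonly known to read, which is an assumption, since the report lists signature names rather than key paths.

```python
"""Score processes by the sandbox-evasion registry reads listed above.

Added example, not part of the report. The log is constructed in Procmon
CSV export style (Process Name, PID, Operation, Path) using the PIDs from
the process tree; the key paths are the ones these signatures commonly
read, which is an assumption since the report shows signature names only.
"""
import csv
import io
from collections import defaultdict

# Signature name as printed above -> registry key prefix(es), lower-cased.
SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry":
        [r"hklm\software\oracle\virtualbox guest additions"],
    "Looks for VMWare Tools registry key":
        [r"hklm\software\vmware, inc.\vmware tools"],
    "Checks BIOS information in registry":
        [r"hklm\hardware\description\system\bios"],
    "Checks SCSI registry key(s)":
        [r"hklm\hardware\devicemap\scsi"],
    "Checks processor information in registry":
        [r"hklm\hardware\description\system\centralprocessor"],
    "Maps connected drives based on registry":
        [r"hklm\system\currentcontrolset\services\disk\enum"],
}

# Only opens/reads fingerprint the host; writes are a different signature.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue",
            "RegEnumKey", "RegEnumValue"}

# Browsers and installers legitimately read CPU/BIOS details (firefox.exe
# trips "Checks processor information" in this very report), so demand
# several distinct checks from one process before calling it evasion.
MIN_DISTINCT_CHECKS = 3

# Constructed log lines; PIDs 2028 and 3580 come from the process tree.
CONSTRUCTED_LOG = '''\
"Process Name","PID","Operation","Path"
"firefox.exe","2028","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
"rbxgen.exe","3580","RegOpenKey","HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"
"rbxgen.exe","3580","RegOpenKey","HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"
"rbxgen.exe","3580","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer"
"rbxgen.exe","3580","RegQueryValue","HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier"
"rbxgen.exe","3580","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
"rbxgen.exe","3580","RegEnumValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"
'''


def classify_path(path: str):
    """Map a registry path to the signature it triggers, or None."""
    p = path.lower()
    for name, prefixes in SIGNATURES.items():
        if any(p.startswith(prefix) for prefix in prefixes):
            return name
    return None


def scan(log_text: str, min_checks: int = MIN_DISTINCT_CHECKS) -> dict:
    """Return {(process, pid): [signature, ...]} for processes that trip at
    least min_checks distinct fingerprinting checks."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Operation"] not in READ_OPS:
            continue
        sig = classify_path(row["Path"])
        if sig is not None:
            hits[(row["Process Name"], int(row["PID"]))].add(sig)
    return {proc: sorted(sigs) for proc, sigs in hits.items()
            if len(sigs) >= min_checks}


if __name__ == "__main__":
    for (name, pid), sigs in scan(CONSTRUCTED_LOG).items():
        print(f"{name} (PID {pid}) tripped {len(sigs)} checks:")
        for s in sigs:
            print("  -", s)
```

With the default threshold only rbxgen.exe (PID 3580) is flagged, with all six checks; firefox.exe's single processor-info read stays below it, which is the behaviour you want when the same logic runs against endpoint telemetry rather than a sandbox.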

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.0.365464597\1105341842" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1cdf5f-369e-4b1a-9c88-3f9ae146f263} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 1944 1ddafd15b58 gpu
        3⤵
        PID:3196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.1.654678349\1740768646" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d8cfa2-db34-43c5-859d-f13f2b0c2463} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 2368 1ddaeaf0a58 socket
        3⤵
        • Checks processor information in registry
        PID:2028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.2.592354202\770753706" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2980 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a8c7f8-558a-4884-adc5-d2f618071469} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3068 1ddb2e27d58 tab
        3⤵
        PID:4912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.3.1718297424\853477937" -childID 2 -isForBrowser -prefsHandle 3756 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db3a3db-a4ac-4d69-9f36-59dca15dcb48} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3780 1dd9b16c858 tab
        3⤵
        PID:4524
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.5.1102786328\1181814385" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051b3ca6-52de-40d7-8f60-ab04f0f818b2} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4988 1ddb5087a58 tab
        3⤵
        PID:3544
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.6.145596445\1221511835" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5136 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de369be-aa77-4442-bef1-10cc3ca1ffc1} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5252 1ddb50bb058 tab
        3⤵
        PID:2384
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.4.977141970\1705630305" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4796 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8be740a9-72fe-4864-a11a-9de42bcb0489} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4832 1ddb4e56d58 tab
        3⤵
        PID:1856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.7.949519804\1260576102" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b297f46-d0a8-47af-838e-138ad2919f8a} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5760 1ddb7098c58 tab
        3⤵
        PID:2368
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5272
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Archive\" -spe -an -ai#7zMap1869:74:7zEvent30926
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1656
  • C:\Users\Admin\Downloads\Archive\rbxgen.exe
    "C:\Users\Admin\Downloads\Archive\rbxgen.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:3580
  • C:\Users\Admin\Downloads\Archive\rbxgen.exe
    "C:\Users\Admin\Downloads\Archive\rbxgen.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\err804pm.default-release\activity-stream.discovery_stream.json.tmp
    Filesize  22KB
    MD5       248b6361dfd560480f44610e43ed847d
    SHA1      4874d418c9e9ff5dc00ecc1eb2135f7b665d7a71
    SHA256    014b64121ecd232bb5c39bae5fa8383b09db0e0dc9cf31fb3bfdc52b46b29043
    SHA512    b2470cea300c021603eb88b85e8d7079937529d53a90e22f4c731ab7848983d70a210265e7c585f4cbbe371be8d08d8701e9a00fac61c4e9893ececfcf4dca0a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js
    Filesize  6KB
    MD5       e53a6734a92b567c525097c8b7e8b009
    SHA1      f88c0147f2fa284952198b15df774f7d95744371
    SHA256    8e938c3a9ee6c6a939ca6fe8cc58365baf5f62ca1d622ee5e0e61471606494ee
    SHA512    2823ed66dfb1bc30b44707ed446ca84e023cf812472aaaf03f5a50108decaf661626f0fe7f5f209940f79db31dc8111c2d9cf1584bf2a9b75aa51e4eb9098b66

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js
    Filesize  7KB
    MD5       671022480aa40a352614634e2c8c8425
    SHA1      5b29bc014c45ab3f48e46b06abc8223136e617b4
    SHA256    3f1a33dfe63d378c1605c1738acda372e281680836dd17f39c125e8cb6bc0ac7
    SHA512    a169cb47ceb1e99f48b5449ccab1d093dcd33bf144d32f55ef98347b8c30bc80e0e3d1878007679fd715a941c54b7b355988636c4adcfedc0c7138c73c2a5c2d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionCheckpoints.json.tmp
    Filesize  259B
    MD5       e6c20f53d6714067f2b49d0e9ba8030e
    SHA1      f516dc1084cdd8302b3e7f7167b905e603b6f04f
    SHA256    50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
    SHA512    462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  4KB
    MD5       5200240cafb83f3b9a8c37a50edced1d
    SHA1      1994a117db0ce4e5d1ecdaebcb01d0174186d2e2
    SHA256    e71e2eca9446ea56ff153cef1928b6d90f48a38a17dab454f51a5f738b90431d
    SHA512    8c293a39fe0730bff52217709b3ca808959bf382415d7e5e82ea0728a1c22cfe1f3b42cf706f0d5634e4543276ed9ce74540699484da5925cbd7ee908c6e725f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  4KB
    MD5       0acdd6893775f4f973db634880f96199
    SHA1      78ee570c855a08bf6db8143ba2c0db88946bd0ba
    SHA256    3aae3fcf6498f844da94bc8421d9e2347274261bbb8848eee5848c870cd6bf76
    SHA512    be22cecb24f09a726ef2c204f320885e02106d05e2811506744759403ef0b93bb5e1aff79d5fb7e2504494c500f3e25e9ac783e4a79997b7016e04cc0ad4a282

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  4KB
    MD5       f10d634663436ef0e53cef0e03ed81d3
    SHA1      eb8bc6aee3fc8edfe4aa7a8cd5f4c74320e038a3
    SHA256    1ae98b497426f65b8a61a7732934c5db1a05026d62c948c44c4ef00fe0eca58f
    SHA512    6e71cf5c9baf25feee2c99a504b3f615e7185c345375a2759f8182c735896661ddba3e5d3e66ccc8486b9ef8257714286e2f52fb37ba99a238da49ba163965e5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore.jsonlz4
    Filesize  4KB
    MD5       3d580a7d2708230799a7c734016805e3
    SHA1      b7b015467d08a725a1d16751a3cb637b205dd554
    SHA256    e4cae90b6333d0c17e948feb103e8a23046b62066391f24ee81b578709494fce
    SHA512    8aa20fae0e3cf031919b27ef1893a205922db5fa79a60ee90bf0720daaed9369d7a780a32b1d04222562051c8064ec2452dba33223df86803f723c862d3251c2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\cache\morgue\73\{ec16874b-1a1c-4a2b-a15c-5fd650f49f49}.final
    Filesize  2KB
    MD5       6a992e9294a845a4331501eb759c0039
    SHA1      3cd2061b7792f2584735bdf144866662968131de
    SHA256    745ddd45bd380f03d3cd13a5267e051ea1f98337cc9059bc1a3afebb0c757d5c
    SHA512    cf4b98e1c4beed09cbf41ddd0c94178ab37a7099d570a075db1a86ef4d2c4cf9348c425b45a7c1584293f2ef0bf2612be2bb2e9f552e1d5c3d4b00f77aaddcd4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\idb\276181416SyWr.tTeemle.sqlite-wal
    Filesize  12KB
    MD5       e203fdbb05ac350641c72cd957baab7b
    SHA1      2378b2d87c9ff574df9ba900b26c6d00832269df
    SHA256    47d4325a5fab7f571da9ff466e8149c05b6512220af8223b77d69d7ac81d1cbf
    SHA512    0cf10f868c867b62fda56d988e25b3071f00f63a2646ef8603a94246de6f53f265d6ece062f052f666018ef9ba3e7b7a109acd6ac64844159c847948e2113d46

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\idb\3217723701OBDDS_P.sqlite
    Filesize  48KB
    MD5       062a69a186f75831215cfb20fcc870db
    SHA1      fc92d46bb0a0355fb7f1c63084a41c086606849c
    SHA256    b2b429164afbd3e611cf7e5665b79ba2e3c0d321c342b6748087182374d9de9e
    SHA512    fb45d90ff95d4ef2aa52743d6c9ccb8abc4ae5cbd6cb9193a0ab372c7b7ddb27426fa0f8067466be4a7f610ca3b69bf315f3877062dd20ebd126e7bc9d6fb234

  • C:\Users\Admin\Downloads\Archive(1).7z
    Filesize  686KB
    MD5       50db46bdb3624dc6eade9d0fcbfe602c
    SHA1      8d52e704d39213065155354cca5d52aef5408ed0
    SHA256    bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
    SHA512    e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

  • C:\Users\Admin\Downloads\Archive.7z
    Filesize  686KB
    MD5       50db46bdb3624dc6eade9d0fcbfe602c
    SHA1      8d52e704d39213065155354cca5d52aef5408ed0
    SHA256    bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
    SHA512    e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

  • C:\Users\Admin\Downloads\Archive\rbxgen.exe
    Filesize  131KB
    MD5       4b5098e511b13ff333b0c9bf4aeda73d
    SHA1      0d87e54d39ace7fc85fbe4aecad754c5d536a94b
    SHA256    8e05f7cdce16a1af53997297375327b66c83d5145797863d6ddea243efe8f371
    SHA512    b251d68217e2e4a768be100a0af895ff58243c603fa7dadbfdb8f562992f7736ec024cb00353d4d587e113691858bd736af7b97e7da832ff86442f3c27e7b54a

  • C:\Users\Admin\Downloads\iK_2y4xl.7z.part
    Filesize  686KB
    MD5       50db46bdb3624dc6eade9d0fcbfe602c
    SHA1      8d52e704d39213065155354cca5d52aef5408ed0
    SHA256    bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
    SHA512    e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

  • memory/3580-1229-0x00007FF91B650000-0x00007FF91C111000-memory.dmp
    Filesize  10.8MB

  • memory/3580-1230-0x000000001B2D0000-0x000000001B2E0000-memory.dmp
    Filesize  64KB

  • memory/3580-1234-0x00007FF91B650000-0x00007FF91C111000-memory.dmp
    Filesize  10.8MB

  • memory/3580-1228-0x0000000000580000-0x00000000005A6000-memory.dmp
    Filesize  152KB

  • memory/4744-1236-0x00007FF91B650000-0x00007FF91C111000-memory.dmp
    Filesize  10.8MB

  • memory/4744-1237-0x000000001BBC0000-0x000000001BBD0000-memory.dmp
    Filesize  64KB

  • memory/4744-1241-0x00007FF91B650000-0x00007FF91C111000-memory.dmp
    Filesize  10.8MB
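
The Downloads list mixes three kinds of file: Firefox profile churn from visiting the SharePoint link, one 686KB archive that appears under three names (the in-progress `.part`, `Archive.7z`, and a second download saved as `Archive(1).7z`, all with the same SHA256), and the extracted `rbxgen.exe` that the process tree shows being executed. The following Python is an added example, not part of this report or of any sandbox's tooling: it collapses that list into a hash-keyed IoC set, drops the browser-profile noise, and marks which hashes were actually executed. The file tuples are transcribed from the entries above (one Firefox file stands in for the rest), the executed set is taken from the process tree, and the noise marker and output format are this example's own choices.

```python
"""Turn the Downloads list into a deduplicated IoC set.

Added example, not part of the report. FILES is transcribed from the
Downloads entries above (path, size, SHA256) and EXECUTED is the set of
dropped paths that appear in the process tree; the grouping and noise
filter are this example's own logic.
"""
from collections import defaultdict

ARCHIVE_SHA256 = "bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9"
RBXGEN_SHA256 = "8e05f7cdce16a1af53997297375327b66c83d5145797863d6ddea243efe8f371"
PREFS_SHA256 = "8e938c3a9ee6c6a939ca6fe8cc58365baf5f62ca1d622ee5e0e61471606494ee"

FILES = [
    (r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js", "6KB", PREFS_SHA256),
    (r"C:\Users\Admin\Downloads\iK_2y4xl.7z.part", "686KB", ARCHIVE_SHA256),
    (r"C:\Users\Admin\Downloads\Archive.7z", "686KB", ARCHIVE_SHA256),
    (r"C:\Users\Admin\Downloads\Archive(1).7z", "686KB", ARCHIVE_SHA256),
    (r"C:\Users\Admin\Downloads\Archive\rbxgen.exe", "131KB", RBXGEN_SHA256),
    (r"C:\Users\Admin\Downloads\Archive\rbxgen.exe", "131KB", RBXGEN_SHA256),
]

# Paths that the process tree shows being launched.
EXECUTED = {r"C:\Users\Admin\Downloads\Archive\rbxgen.exe"}

# Firefox profile churn (prefs, session store, IndexedDB) is the browser
# doing its job while visiting the SharePoint link, not attacker artefacts.
# Assumed marker for this example.
NOISE_MARKERS = ("\\mozilla\\firefox\\profiles\\",)


def is_browser_noise(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in NOISE_MARKERS)


def build_iocs(files, executed):
    """Group dropped files by SHA256 so one payload saved under several
    names (here .part -> Archive.7z -> Archive(1).7z) becomes one IoC."""
    by_hash = defaultdict(lambda: {"size": None, "paths": set(), "executed": False})
    for path, size, sha256 in files:
        if is_browser_noise(path):
            continue
        entry = by_hash[sha256]
        entry["size"] = size
        entry["paths"].add(path)
        entry["executed"] = entry["executed"] or path in executed
    return {h: {"size": e["size"], "paths": sorted(e["paths"]), "executed": e["executed"]}
            for h, e in by_hash.items()}


def hunt_lines(iocs):
    """One CSV-style line per hash, executed payloads first: what to search
    for on other endpoints, with every filename the hash was seen under."""
    lines = []
    for sha256, e in sorted(iocs.items(), key=lambda kv: not kv[1]["executed"]):
        names = sorted({p.rsplit("\\", 1)[-1] for p in e["paths"]})
        state = "executed" if e["executed"] else "dropped"
        lines.append(f'{sha256},{e["size"]},{state},{";".join(names)}')
    return lines


if __name__ == "__main__":
    for line in hunt_lines(build_iocs(FILES, EXECUTED)):
        print(line)
```

The result is two IoCs rather than sixteen file entries: the archive hash with its three filenames (useful because the `.part` and `(1)` names are what other victims' Downloads folders will contain) and the executed `rbxgen.exe` hash.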