Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-12-2023 16:53
Behavioral task
behavioral1
Sample
62a6dfddfea9f3b07840eab13c01fd6a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
62a6dfddfea9f3b07840eab13c01fd6a.exe
Resource
win10v2004-20231215-en
General
-
Target
62a6dfddfea9f3b07840eab13c01fd6a.exe
-
Size
42KB
-
MD5
62a6dfddfea9f3b07840eab13c01fd6a
-
SHA1
03dc4618e49b3652ece0d00063b975c64572bf8e
-
SHA256
f1a1a87288448f8783207ac8a63509508fb49cdcf2e12e655528e42d2eb7da1b
-
SHA512
d754eb9bd4bb46728239ac0c104833aac28d7b287d3c1f36b77517b9bd75c47870c4210f75989048f3bd043f9f385604341cb5d16e06edeff1b3494c7217d7ca
-
SSDEEP
768:08QiQ2KKqqI28Tj6rZDJuZ2LV0TjWKZKfgm3EhSu:ZNqH28TjQ7LV0TSF7E0u
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/895521762614325278/0cQkzrsvVLdfDncYsHihutoyrWOX3m8Y_0gjrP9RiveAWp-5BR5p3VaKFSEf9_j-SY8m
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 62a6dfddfea9f3b07840eab13c01fd6a.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 62a6dfddfea9f3b07840eab13c01fd6a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName 62a6dfddfea9f3b07840eab13c01fd6a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 62a6dfddfea9f3b07840eab13c01fd6a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation 62a6dfddfea9f3b07840eab13c01fd6a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription pid process Token: SeDebugPrivilege 2988 62a6dfddfea9f3b07840eab13c01fd6a.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
62a6dfddfea9f3b07840eab13c01fd6a.exedescription pid process target process PID 2988 wrote to memory of 2496 2988 62a6dfddfea9f3b07840eab13c01fd6a.exe WerFault.exe PID 2988 wrote to memory of 2496 2988 62a6dfddfea9f3b07840eab13c01fd6a.exe WerFault.exe PID 2988 wrote to memory of 2496 2988 62a6dfddfea9f3b07840eab13c01fd6a.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62a6dfddfea9f3b07840eab13c01fd6a.exe"C:\Users\Admin\AppData\Local\Temp\62a6dfddfea9f3b07840eab13c01fd6a.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2988 -s 14002⤵PID:2496