Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    19-12-2023 17:00

General

  • Target

    641c5268785785afcec1c2d9fb2e064e.exe

  • Size

    7.6MB

  • MD5

    641c5268785785afcec1c2d9fb2e064e

  • SHA1

    58a6e476f438d5ed07e0a915a9616a899faf66b3

  • SHA256

    37c3683ff2f470e568ab264bdd44ad29c8d131b27721779550f1bb1fab307135

  • SHA512

    b433c14cece23b4290dba78b9853c828a392f89e174eb1c8f015b9f4a87f9a31025966dfdc3856202e1229b54027e0f81cb1af01d53d98d85b5fa51faf47470b

  • SSDEEP

    196608:XlqItZ0+qX+wMIniQnUAsyBxEoNomipdrRgssp7VNbewe9W:1qIt3quo6uRDibrRg/5V5wM

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/895285874886082581/kvent_LjVhiSuZpi1xpHw0_0_UQpTlWtQASyfC1BqA0o4vdJmVYeXbtEedzdqvR7ukh-
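The webhook above is the only C2 in the extracted config, and it is a consumer-platform URL rather than attacker infrastructure, so the useful triage step is to turn it into a reportable indicator without ever contacting it. The following Python is an added example (not part of the report and not Mercurial Grabber code): it validates the URL shape, splits out the webhook ID and token, and decodes the ID as a Discord snowflake to recover when the webhook was created. The regex, the `WebhookIoC` structure and the sample input handling are this example's own; the only value taken from the page is the C2 URL.

```python
"""Parse the Discord webhook flagged as C2 into a reportable IoC.

Added example; not part of the report. Nothing here contacts Discord.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Discord snowflake IDs carry a millisecond timestamp in their top 42 bits,
# counted from 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000

# id: 17-20 decimal digits; token: URL-safe characters up to the end of the path.
WEBHOOK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)/?$"
)

# C2 URL exactly as listed in the Malware Config section of this report.
REPORT_C2 = ("https://discord.com/api/webhooks/895285874886082581/"
             "kvent_LjVhiSuZpi1xpHw0_0_UQpTlWtQASyfC1BqA0o4vdJmVYeXbtEedzdqvR7ukh-")


class WebhookIoC(NamedTuple):
    webhook_id: int
    token: str
    created_at: datetime   # creation time recovered from the snowflake ID
    redacted_url: str      # safe form for tickets and threat-intel sharing


def snowflake_to_unix_ms(snowflake: int) -> int:
    """Creation time of any Discord snowflake (user, channel, webhook ...) in Unix ms."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_created_at(snowflake: int) -> datetime:
    # timedelta arithmetic keeps the millisecond exact; float fromtimestamp() can round.
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(milliseconds=snowflake_to_unix_ms(snowflake))


def parse_webhook(url: str) -> Optional[WebhookIoC]:
    """Return the IoC for a Discord webhook URL, or None if the URL is not one."""
    clean = url.strip()
    m = WEBHOOK_RE.match(clean)
    if not m:
        return None
    webhook_id = int(m.group("id"))
    return WebhookIoC(
        webhook_id=webhook_id,
        token=m.group("token"),
        created_at=snowflake_created_at(webhook_id),
        redacted_url=clean[: m.start("token")] + "<redacted>",
    )


if __name__ == "__main__":
    ioc = parse_webhook(REPORT_C2)
    print(ioc.redacted_url, ioc.created_at.isoformat())
```

The creation timestamp is worth recording alongside the hash: it dates the operator's setup independently of when the sample was compiled or submitted. Keep the token out of shared reports (use `redacted_url`); anyone holding the full URL can post to, or delete, the webhook, so what to do with it is a takedown decision rather than something a parser should act on.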

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
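The registry-based anti-VM signatures above (VirtualBox ACPI tables, Guest Additions, VMware Tools, BIOS, Wine, SCSI and processor strings) all reduce to two patterns: a key that only exists inside a guest, or a value that exists everywhere but carries a hypervisor vendor string. The Python below is an added example, not code from the report or from Mercurial Grabber, that models both patterns over a registry snapshot so the logic runs offline, and on a Windows host reads the live registry. The key paths and vendor markers are the locations these checks commonly use; the report does not say which keys this sample read, so treat them as assumptions. The two snapshots at the bottom are constructed, not captured from a real machine.

```python
"""Offline model of the registry-based VM/sandbox checks flagged in the report.

Added example, not the report's or the malware's code. Key paths and vendor
markers are the commonly used ones (assumed), not values from this analysis.
"""
import sys
from typing import Dict, List, Tuple

# "HIVE\\Key\\Path" -> {value name: data}; a key present with no interesting values maps to {}.
RegistrySnapshot = Dict[str, Dict[str, object]]

# Substrings that betray a hypervisor in BIOS/SCSI/CPU strings (assumed set).
VM_MARKERS = ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "XEN", "INNOTEK")

# Pattern 1: the key only exists inside the guest or compatibility layer.
KEY_PRESENCE_CHECKS: List[Tuple[str, str]] = [
    ("Identifies VirtualBox via ACPI registry values", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Looks for VirtualBox Guest Additions in registry", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    ("Identifies Wine through registry keys", r"HKCU\Software\Wine"),
]

# Pattern 2: the key exists on bare metal too; the tell is a vendor string in specific values.
VALUE_CONTENT_CHECKS: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("Checks BIOS information in registry", r"HKLM\HARDWARE\DESCRIPTION\System",
     ("SystemBiosVersion", "VideoBiosVersion")),
    ("Checks SCSI registry key(s)",
     r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     ("Identifier",)),
    ("Checks processor information in registry", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     ("ProcessorNameString", "VendorIdentifier")),
]


def _strings(data: object) -> List[str]:
    """REG_MULTI_SZ arrives as a list; anything else is compared as one string."""
    return [str(x) for x in data] if isinstance(data, (list, tuple)) else [str(data)]


def evaluate(snapshot: RegistrySnapshot) -> List[Tuple[str, str]]:
    """Return (signature label, evidence) for every check that fires; names are case-insensitive."""
    snap = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    hits: List[Tuple[str, str]] = []
    for label, key in KEY_PRESENCE_CHECKS:
        if key.lower() in snap:
            hits.append((label, key))
    for label, key, names in VALUE_CONTENT_CHECKS:
        values = snap.get(key.lower(), {})
        evidence = [f"{name}={text!r}" for name in names
                    for text in _strings(values.get(name.lower(), ""))
                    if any(marker in text.upper() for marker in VM_MARKERS)]
        if evidence:
            hits.append((label, f"{key}: {', '.join(evidence)}"))
    return hits


def snapshot_from_live_registry() -> RegistrySnapshot:
    """Windows only: read exactly the keys and values the checks consult.

    A 32-bit Python on 64-bit Windows sees the SOFTWARE hive through WOW6432Node
    redirection, which is also what a 32-bit sample would see.
    """
    import winreg  # ImportError off Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = [(key, ()) for _, key in KEY_PRESENCE_CHECKS]
    wanted += [(key, names) for _, key, names in VALUE_CONTENT_CHECKS]
    snap: RegistrySnapshot = {}
    for key, names in wanted:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                values: Dict[str, object] = {}
                for name in names:
                    try:
                        values[name] = winreg.QueryValueEx(handle, name)[0]
                    except OSError:
                        pass
                snap[key] = values
        except OSError:
            continue  # key absent: the presence check stays negative
    return snap


# Constructed snapshots for offline use; not captured from any real host.
_CPU = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
_SCSI = r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
VBOX_GUEST: RegistrySnapshot = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.40"},
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"],
                                         "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"]},
    _SCSI: {"Identifier": "VBOX HARDDISK"},
    _CPU: {"ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz"},
}
BARE_METAL: RegistrySnapshot = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["LENOVO - 1"],
                                         "VideoBiosVersion": ["Intel Video BIOS"]},
    _SCSI: {"Identifier": "NVMe SAMSUNG MZVLB512"},
    _CPU: {"ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz"},
}

if __name__ == "__main__":
    target = snapshot_from_live_registry() if sys.platform == "win32" else VBOX_GUEST
    for label, evidence in evaluate(target):
        print(f"{label}: {evidence}")
```

Run on a sandbox guest, the output lists exactly which of the report's signatures that guest would trigger; every hit is a key to hide or a value to rewrite if the goal is to keep samples like this one from bailing out before they reach the stealer stage.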

Processes

  • C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe
    "C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2648 -s 1736
        3⤵
          PID:2528
      • C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
        "C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe"
        2⤵
        • Executes dropped EXE
        PID:2748

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      d75a998c47e55fc829f01d2659c6618c

      SHA1

      7399b2cac20e44765d48726f4907c69737f863cb

      SHA256

      dde977e9b351fd812a9f46353edc8d73683cbc9b8e5fca50f4bc3af65eae68c5

      SHA512

      46e33004c61c50fd3d63e8e613f47a60c6683f8ef0825a7b6360ab64e883c839a5498075a0fa05d86107cde691c7e5814692f01d8986664808ce3d1c38074a73

    • C:\Users\Admin\AppData\Local\Temp\Cab9A4E.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar9AED.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • \Users\Admin\AppData\Local\Temp\Skinchanger.exe

      Filesize

      6.2MB

      MD5

      530ca5cc3cbc025f34fff827ad0e5c66

      SHA1

      105faf1295a514e756b0d7b2f4a176179928f018

      SHA256

      87b0e1427e2b515aefca043e9ffbf38c017c49f667e47228c6944543fc044528

      SHA512

      15a089c238e2f73f4e3a367a795af5fb6130f25bbe88d9a5bff400ea5cc8a4ac427460f4411956fd07dc5a5aa4dca94e2479e461258f3b3b8b84bdf6af236ca7

    • \Users\Admin\AppData\Local\Temp\dfdfdf.exe

      Filesize

      41KB

      MD5

      57b12234a7e94ebed43af2d947a4babe

      SHA1

      dcab370e42a6a334b87bb3698421d0c1e6890ea8

      SHA256

      b30a0efd3f77affd10855e01b9f95146297fcb3ae1d233ea571c353505ed18ca

      SHA512

      6c92dc54dfa4b6860456626fe9b23e9fc06d839d4307045b8c76b60f4083bc1e1940e455f4a38176e28e48a29f5f5a2a4d372fd7a07fe2cdf7ce5d671592be6c

    • memory/1728-5-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

    • memory/1728-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

    • memory/1728-4-0x0000000000380000-0x0000000000381000-memory.dmp

      Filesize

      4KB

    • memory/1728-0-0x0000000000400000-0x0000000000DB0000-memory.dmp

      Filesize

      9.7MB

    • memory/1728-18-0x0000000000400000-0x0000000000DB0000-memory.dmp

      Filesize

      9.7MB

    • memory/1728-6-0x0000000000390000-0x0000000000391000-memory.dmp

      Filesize

      4KB

    • memory/1728-3-0x0000000000400000-0x0000000000DB0000-memory.dmp

      Filesize

      9.7MB

    • memory/1728-1-0x0000000077900000-0x0000000077902000-memory.dmp

      Filesize

      8KB

    • memory/2648-19-0x0000000000250000-0x0000000000260000-memory.dmp

      Filesize

      64KB

    • memory/2648-20-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

      Filesize

      9.9MB

    • memory/2648-21-0x000000001B030000-0x000000001B0B0000-memory.dmp

      Filesize

      512KB

    • memory/2648-93-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

      Filesize

      9.9MB

    • memory/2648-94-0x000000001B030000-0x000000001B0B0000-memory.dmp

      Filesize

      512KB