Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2023 17:00
Static task: static1
Behavioral task: behavioral1
- Sample: 641c5268785785afcec1c2d9fb2e064e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 641c5268785785afcec1c2d9fb2e064e.exe
- Resource: win10v2004-20231215-en
General
- Target: 641c5268785785afcec1c2d9fb2e064e.exe
- Size: 7.6MB
- MD5: 641c5268785785afcec1c2d9fb2e064e
- SHA1: 58a6e476f438d5ed07e0a915a9616a899faf66b3
- SHA256: 37c3683ff2f470e568ab264bdd44ad29c8d131b27721779550f1bb1fab307135
- SHA512: b433c14cece23b4290dba78b9853c828a392f89e174eb1c8f015b9f4a87f9a31025966dfdc3856202e1229b54027e0f81cb1af01d53d98d85b5fa51faf47470b
- SSDEEP: 196608:XlqItZ0+qX+wMIniQnUAsyBxEoNomipdrRgssp7VNbewe9W:1qIt3quo6uRDibrRg/5V5wM
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/895285874886082581/kvent_LjVhiSuZpi1xpHw0_0_UQpTlWtQASyfC1BqA0o4vdJmVYeXbtEedzdqvR7ukh-
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 641c5268785785afcec1c2d9fb2e064e.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: dfdfdf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | dfdfdf.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: dfdfdf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | dfdfdf.exe
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: dfdfdf.exe, 641c5268785785afcec1c2d9fb2e064e.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 641c5268785785afcec1c2d9fb2e064e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 641c5268785785afcec1c2d9fb2e064e.exe
- Executes dropped EXE (2 IoCs)
  Processes: dfdfdf.exe, Skinchanger.exe
  pid | process
  2648 | dfdfdf.exe
  2748 | Skinchanger.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine | 641c5268785785afcec1c2d9fb2e064e.exe
- Loads dropped DLL (2 IoCs)
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe
  pid | process
  1728 | 641c5268785785afcec1c2d9fb2e064e.exe
  1728 | 641c5268785785afcec1c2d9fb2e064e.exe
- (unnamed signature)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\Skinchanger.exe | upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip4.seeip.org
  3 | ip4.seeip.org
  8 | ip-api.com
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: dfdfdf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | dfdfdf.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe
  pid | process
  1728 | 641c5268785785afcec1c2d9fb2e064e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 1 IoC)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: dfdfdf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | dfdfdf.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dfdfdf.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dfdfdf.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes: dfdfdf.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | dfdfdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | dfdfdf.exe
- Modifies system certificate store
  Processes: dfdfdf.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | dfdfdf.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | dfdfdf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | dfdfdf.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | dfdfdf.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe
  pid | process
  1728 | 641c5268785785afcec1c2d9fb2e064e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: dfdfdf.exe
  description | pid | process
  Token: SeDebugPrivilege | 2648 | dfdfdf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 641c5268785785afcec1c2d9fb2e064e.exe, dfdfdf.exe
  description | pid | process | target process
  PID 1728 wrote to memory of 2648 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | dfdfdf.exe
  PID 1728 wrote to memory of 2648 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | dfdfdf.exe
  PID 1728 wrote to memory of 2648 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | dfdfdf.exe
  PID 1728 wrote to memory of 2648 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | dfdfdf.exe
  PID 1728 wrote to memory of 2748 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | Skinchanger.exe
  PID 1728 wrote to memory of 2748 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | Skinchanger.exe
  PID 1728 wrote to memory of 2748 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | Skinchanger.exe
  PID 1728 wrote to memory of 2748 | 1728 | 641c5268785785afcec1c2d9fb2e064e.exe | Skinchanger.exe
  PID 2648 wrote to memory of 2528 | 2648 | dfdfdf.exe | WerFault.exe
  PID 2648 wrote to memory of 2528 | 2648 | dfdfdf.exe | WerFault.exe
  PID 2648 wrote to memory of 2528 | 2648 | dfdfdf.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe"
  PID: 1728
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe"
    PID: 2648
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2648 -s 1736
      PID: 2528
  - C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe"
    PID: 2748
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d75a998c47e55fc829f01d2659c6618c
  SHA1: 7399b2cac20e44765d48726f4907c69737f863cb
  SHA256: dde977e9b351fd812a9f46353edc8d73683cbc9b8e5fca50f4bc3af65eae68c5
  SHA512: 46e33004c61c50fd3d63e8e613f47a60c6683f8ef0825a7b6360ab64e883c839a5498075a0fa05d86107cde691c7e5814692f01d8986664808ce3d1c38074a73
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 6.2MB
  MD5: 530ca5cc3cbc025f34fff827ad0e5c66
  SHA1: 105faf1295a514e756b0d7b2f4a176179928f018
  SHA256: 87b0e1427e2b515aefca043e9ffbf38c017c49f667e47228c6944543fc044528
  SHA512: 15a089c238e2f73f4e3a367a795af5fb6130f25bbe88d9a5bff400ea5cc8a4ac427460f4411956fd07dc5a5aa4dca94e2479e461258f3b3b8b84bdf6af236ca7
- Filesize: 41KB
  MD5: 57b12234a7e94ebed43af2d947a4babe
  SHA1: dcab370e42a6a334b87bb3698421d0c1e6890ea8
  SHA256: b30a0efd3f77affd10855e01b9f95146297fcb3ae1d233ea571c353505ed18ca
  SHA512: 6c92dc54dfa4b6860456626fe9b23e9fc06d839d4307045b8c76b60f4083bc1e1940e455f4a38176e28e48a29f5f5a2a4d372fd7a07fe2cdf7ce5d671592be6c