Analysis

  • max time kernel: 142s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-12-2023 17:00

General

  • Target: 641c5268785785afcec1c2d9fb2e064e.exe
  • Size: 7.6MB
  • MD5: 641c5268785785afcec1c2d9fb2e064e
  • SHA1: 58a6e476f438d5ed07e0a915a9616a899faf66b3
  • SHA256: 37c3683ff2f470e568ab264bdd44ad29c8d131b27721779550f1bb1fab307135
  • SHA512: b433c14cece23b4290dba78b9853c828a392f89e174eb1c8f015b9f4a87f9a31025966dfdc3856202e1229b54027e0f81cb1af01d53d98d85b5fa51faf47470b
  • SSDEEP: 196608:XlqItZ0+qX+wMIniQnUAsyBxEoNomipdrRgssp7VNbewe9W:1qIt3quo6uRDibrRg/5V5wM

Malware Config

Extracted

  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/895285874886082581/kvent_LjVhiSuZpi1xpHw0_0_UQpTlWtQASyfC1BqA0o4vdJmVYeXbtEedzdqvR7ukh-

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (3 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe
    "C:\Users\Admin\AppData\Local\Temp\641c5268785785afcec1c2d9fb2e064e.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 2516
    • C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe"
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID: 1036
    • C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
      "C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe"
      • Executes dropped EXE
      PID: 1972


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
    Filesize: 1.9MB
    MD5: f335219e8880a9c7fef1c454f0881dee
    SHA1: c75102b6aeb132ad4d394250e931471398cc59cf
    SHA256: 81859ac1d25ae0ea125a5c6f67e8f2c563764288bc5004c186ccd2c9a755d07c
    SHA512: 06cd6c098726f3efa210bd9009e1b0d937d55dd07415c72b00c8f7a263fa376ba5d7496dd0d359c8ab94e6eafeb240473ff0bf8f31d2d60eb76acd0295b945c6

  • C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
    Filesize: 512KB
    MD5: e4219fb6e2030d634388b342b52e0609
    SHA1: 78005090d1e99b6c8be1f4e5d92f7b84658eee95
    SHA256: ccc4e0874c1da18c6554716406dc79a430504ededbaa432326bf4c15755091a0
    SHA512: 40cdc18445081a4c4c419a36fb6214cbdee45f515ff9849ff3422bf37b9c02ad3eba0a50559defe71716cf5e8397b9cb198b2ea3df8df32e3ba2776db5829129

  • C:\Users\Admin\AppData\Local\Temp\Skinchanger.exe
    Filesize: 768KB
    MD5: 05b6df2f55cf948593e39c9d4ab3a5ad
    SHA1: 3cb58b0a4447df8f98b164913f62e5b0a8623f37
    SHA256: 73a20f24c74de49a6f8258b8987f400e10bde95b07ce224da3468713c6cef8e4
    SHA512: aece0ea7ab3272f5569a51774db57e793b2af5f00e508a980a6f98cde4cb4b30bb05b87977795b5713678bbefd0872234cb4c47496237ac5a41ba2aabe41fe5c

  • C:\Users\Admin\AppData\Local\Temp\dfdfdf.exe
    Filesize: 41KB
    MD5: 57b12234a7e94ebed43af2d947a4babe
    SHA1: dcab370e42a6a334b87bb3698421d0c1e6890ea8
    SHA256: b30a0efd3f77affd10855e01b9f95146297fcb3ae1d233ea571c353505ed18ca
    SHA512: 6c92dc54dfa4b6860456626fe9b23e9fc06d839d4307045b8c76b60f4083bc1e1940e455f4a38176e28e48a29f5f5a2a4d372fd7a07fe2cdf7ce5d671592be6c

  • memory/1036-24-0x0000000000560000-0x0000000000570000-memory.dmp
    Filesize: 64KB

  • memory/1036-29-0x00007FF8B8060000-0x00007FF8B8B21000-memory.dmp
    Filesize: 10.8MB

  • memory/1036-30-0x0000000002690000-0x00000000026A0000-memory.dmp
    Filesize: 64KB

  • memory/1036-34-0x00007FF8B8060000-0x00007FF8B8B21000-memory.dmp
    Filesize: 10.8MB

  • memory/2516-5-0x0000000003580000-0x0000000003581000-memory.dmp
    Filesize: 4KB

  • memory/2516-4-0x0000000003570000-0x0000000003571000-memory.dmp
    Filesize: 4KB

  • memory/2516-3-0x0000000000400000-0x0000000000DB0000-memory.dmp
    Filesize: 9.7MB

  • memory/2516-1-0x0000000077B44000-0x0000000077B46000-memory.dmp
    Filesize: 8KB

  • memory/2516-0-0x0000000000400000-0x0000000000DB0000-memory.dmp
    Filesize: 9.7MB

  • memory/2516-28-0x0000000000400000-0x0000000000DB0000-memory.dmp
    Filesize: 9.7MB