Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25-12-2023 15:53
Behavioral task
behavioral1
Sample
2ae7db4175f9d9505c859ee83391efd1.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2ae7db4175f9d9505c859ee83391efd1.exe
Resource
win10v2004-20231215-en
General
-
Target
2ae7db4175f9d9505c859ee83391efd1.exe
-
Size
181KB
-
MD5
2ae7db4175f9d9505c859ee83391efd1
-
SHA1
54e6947ee02de919f15bb7e540b478d990ac7118
-
SHA256
b994175e56dcb9010fc1412eafb78d95a51262092ecfdf7e3dfc15db68ee75e5
-
SHA512
725b14b9ccd5ce838de045c0f0191a51f5595af8e54929441c553944ac59bc6395c96635080219dc6b5b918fee05b914d634b3946f756dbceaadb585c4aef4e8
-
SSDEEP
1536:JHuLMOTUF7EwRh8Xe6TDCnbYEdDiQ+OeQnCIlfKWs46zxJL3Z8NBh9ulvtzYSHkk:BuLlTUF7EUhI+ehGvox+
Malware Config
Extracted
mercurialgrabber
https://discordapp.com/api/webhooks/869802431100370964/s6aDgSDISk5icNP9TDGyJ83HXAMCF81rk63PmZVHZCDiFvQKbEPJbuv7kmiqrR053nNP
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions 2ae7db4175f9d9505c859ee83391efd1.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools 2ae7db4175f9d9505c859ee83391efd1.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2ae7db4175f9d9505c859ee83391efd1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2ae7db4175f9d9505c859ee83391efd1.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2ae7db4175f9d9505c859ee83391efd1.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S 2ae7db4175f9d9505c859ee83391efd1.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation 2ae7db4175f9d9505c859ee83391efd1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer 2ae7db4175f9d9505c859ee83391efd1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName 2ae7db4175f9d9505c859ee83391efd1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 2ae7db4175f9d9505c859ee83391efd1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription pid process Token: SeDebugPrivilege 2004 2ae7db4175f9d9505c859ee83391efd1.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2ae7db4175f9d9505c859ee83391efd1.exedescription pid process target process PID 2004 wrote to memory of 2768 2004 2ae7db4175f9d9505c859ee83391efd1.exe WerFault.exe PID 2004 wrote to memory of 2768 2004 2ae7db4175f9d9505c859ee83391efd1.exe WerFault.exe PID 2004 wrote to memory of 2768 2004 2ae7db4175f9d9505c859ee83391efd1.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ae7db4175f9d9505c859ee83391efd1.exe"C:\Users\Admin\AppData\Local\Temp\2ae7db4175f9d9505c859ee83391efd1.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2004 -s 10802⤵PID:2768