Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 05:09

General

  • Target

    56d5e98fa935cef43afc85e3147032ed.exe

  • Size

    564KB

  • MD5

    56d5e98fa935cef43afc85e3147032ed

  • SHA1

    f3cfe8dccef85c401cc272106af0e87c7d0f0b9b

  • SHA256

    7b3038bd41ac34e36fc87a857a66a357b3c48989c7d26a522ea16e9b205f2ce1

  • SHA512

    d7ce889e6e26e0c448dd4389e01fb42a9fc07a6b835eed098613b114e319db26c097f72b0dcc82346a7f7f17c524d690c13e6abeb372968b16daf72ecd584cdf

  • SSDEEP

    12288:7oSWNT8ep3NLC1AZI4C4I9ep4GnaK0jKfFqosmN0YBDIu48+v4:7oS2T8e5NLCSZc4IBUaK0j6N0YBDIucQ

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/870291367530737705/kitCWvdskV4mesZN15sftPzdN9h7p-Y0ANa240mBlgWkIh9632aLpUK7C0zdv_guqyVv
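The C2 above is a Discord webhook, which is what the "Legitimate hosting services abused for malware hosting/C2" signature further down refers to. The Python below is an added example, not part of the sandbox report and not Mercurial Grabber's own code: it pulls Discord webhook URLs out of a strings dump (the dump is constructed here; only the webhook URL is the one from this report), splits each into its snowflake ID and token, recovers the webhook's creation time from the ID, and defangs the URL for sharing. The regex, the record fields and the sample dump are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): turn a Discord webhook C2
URL into an actionable IoC record.  Runs offline; the only input is a
constructed strings dump that contains the webhook URL from the report."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # Discord snowflake epoch: 2015-01-01T00:00:00Z

# Hosts Discord serves webhooks on; id is a numeric snowflake, token is a
# URL-safe string of letters, digits, '_' and '-'.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]{60,100})"
)

# Constructed strings-dump excerpt (assumption: what `strings` on the unpacked
# sample might return).  The webhook URL itself is the C2 from the report.
SAMPLE_STRINGS = """\
mscoree.dll
https://discord.com/api/webhooks/870291367530737705/kitCWvdskV4mesZN15sftPzdN9h7p-Y0ANa240mBlgWkIh9632aLpUK7C0zdv_guqyVv
https://api.ipify.org
HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools
"""


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: the upper 42 bits are
    milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """hxxps://discord[.]com/... so the IoC cannot be clicked or auto-fetched."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_webhooks(blob: str) -> list:
    """Find every Discord webhook URL in a text blob and describe each one."""
    found = []
    for m in WEBHOOK_RE.finditer(blob):
        url, wid, token = m.group(0), int(m.group(1)), m.group(2)
        found.append({
            "url_defanged": defang(url),
            "webhook_id": wid,
            "token_prefix": token[:6] + "...",  # enough to correlate, not to reuse
            "created_utc": snowflake_time(wid).isoformat(timespec="seconds"),
            # Deleting the webhook (DELETE /api/webhooks/{id}/{token}) kills this
            # C2 channel; that is a response action, deliberately not done here.
        })
    return found


if __name__ == "__main__":
    for ioc in extract_webhooks(SAMPLE_STRINGS):
        print(ioc)
```

The creation time comes from the snowflake alone, so it tells you when the attacker provisioned the webhook independently of when the sample was built or submitted. A webhook token is a bearer credential: anyone holding it can post to, or delete, the webhook, which is why the record keeps only a prefix and why takedown (the DELETE call noted in the comment) is left to a deliberate response step rather than done by an extraction script.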

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMware Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file (4 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Program crash (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)

    On a fresh Windows 7 image this is usually Windows CryptoAPI refreshing its trusted-root list when the sample's first HTTPS connection triggers certificate chain building; the CryptnetUrlCache metadata entry and the CabB7DC.tmp/TarBC81.tmp files listed under Downloads are consistent with that rather than with a certificate planted by the sample.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (26 IoCs)
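The VirtualBox, VMware, BIOS, SCSI and drive-mapping signatures above all come from reads of a handful of HKLM keys. The Python below is an added example (not the sample's code and not from the report) that encodes those probes as a function over a registry snapshot, so an analysis VM can be checked for the same artefacts the sample looks for. The key paths are the standard ones; the vendor-marker list, the snapshot layout, the constructed snapshots and the live_snapshot() helper are assumptions of this example.

```python
"""Added example, not from the sandbox report: the registry probes behind the
'Looks for VirtualBox Guest Additions', 'Looks for VMware Tools', 'Checks BIOS
information' and 'Checks SCSI registry key(s)' signatures, as a pure function
over a registry snapshot.  Key paths are the well-known ones; the snapshot
format, the marker list and live_snapshot() are this example's assumptions."""
import sys

# HKLM-relative keys whose mere existence reveals a hypervisor guest.
VM_PRESENCE_KEYS = {
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools",
}
# (key, value) pairs whose data is substring-matched against vendor strings.
VM_STRING_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier"),
    (r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
]
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "BOCHS")


def vm_findings(snapshot: dict) -> list:
    """snapshot: {hklm_key_path: {value_name: data}}.  Returns one string per
    probe that would fire; an empty list means the sample sees no hypervisor."""
    findings = []
    for key, label in VM_PRESENCE_KEYS.items():
        if key in snapshot:
            findings.append(f"key present: {label}")
    for key, value in VM_STRING_VALUES:
        data = snapshot.get(key, {}).get(value)
        if data is None:
            continue
        # REG_MULTI_SZ arrives as a list; flatten so one check covers both.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        hits = [m for m in VM_MARKERS if m in text.upper()]
        if hits:
            findings.append(f"{key}\\{value} = {text!r} matches {hits}")
    return findings


def live_snapshot() -> dict:
    """Read the same keys on the local machine so the VM can be checked from
    inside (Windows only; a 32-bit Python sees SOFTWARE via WOW6432Node)."""
    if sys.platform != "win32":
        raise RuntimeError("live_snapshot() needs the Windows registry")
    import winreg  # imported lazily so vm_findings() stays portable
    snap = {}
    for key in VM_PRESENCE_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            snap[key] = {}
        except OSError:
            pass
    for key, value in VM_STRING_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                snap.setdefault(key, {})[value] = winreg.QueryValueEx(h, value)[0]
        except OSError:
            pass
    return snap


# Constructed snapshot of an unmodified VirtualBox guest (values are typical,
# not copied from any real machine).
STOCK_VBOX_GUEST = {
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.40"},
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.40"],
    },
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        {"Identifier": "VBOX HARDDISK"},
}
# The same guest after Guest Additions were removed and the identifiers patched.
HARDENED_GUEST = {
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["LENOVO - 1"]},
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        {"Identifier": "ST1000DM003-1CH162"},
}

if __name__ == "__main__":
    for name, snap in (("stock", STOCK_VBOX_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, vm_findings(snap) or "clean")
```

Run live_snapshot() inside the guest and pass the result to vm_findings(); anything it returns is a string the sample can read just as easily. The process doing these reads here is hook_old.exe, whose mappings at 0x000007FEF5D30000 lie above the 32-bit address range, so it is a 64-bit process and reads the native SOFTWARE hive, not the WOW6432Node view.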

Processes

  • C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe
    "C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\930E.bat C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2144
      • C:\Users\Admin\AppData\Local\Temp\930C.tmp\hook.exe
        hook.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 976
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2772
      • C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\extd.exe "" "" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\930C.tmp\hook_old.exe
        hook_old.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2680 -s 1736
          4⤵
          PID:1992
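The chain above (an executable in %TEMP% running cmd.exe /c on a .bat inside nested <hex>.tmp directories, which then starts executables dropped beside the batch file) is a recognisable shape for a batch-to-exe wrapper, whichever converter produced it. The Python below is an added example, not part of the report: a detection over Sysmon Event ID 1-style process-creation records constructed from the tree above, plus one benign control. The field names, the regexes and the records themselves are this example's assumptions.

```python
"""Added example, not part of the sandbox report: detect the launch chain shown
in the process tree from Sysmon Event ID 1-style records.  Records below are
constructed from the tree (pids, images and command lines as listed), plus one
benign control; field names and regexes are this example's assumptions."""
import re
from collections import defaultdict

TEMP_DIR = r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp"
# cmd.exe /c on a .bat two <hex>.tmp directories deep under %TEMP%; group(1) is
# the outer .tmp directory, where the wrapper drops its payloads.
BAT_WRAPPER_RE = re.compile(
    r"(" + TEMP_DIR + r"\\[0-9A-F]{3,5}\.tmp)\\[0-9A-F]{3,5}\.tmp\\[0-9A-F]{3,5}\.bat",
    re.I)
TEMP_EXE_RE = re.compile(TEMP_DIR + r"\\.*\.exe$", re.I)


def detect_bat_wrapper(events: list) -> list:
    """events: dicts with pid, ppid, image, cmdline.  Returns one alert per
    cmd.exe whose parent is an exe in %TEMP% and whose command line runs a
    nested-.tmp batch file, listing the executables cmd.exe then started from
    the wrapper directory."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_WRAPPER_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not TEMP_EXE_RE.search(parent["image"]):
            continue  # a user running a script from %TEMP% by hand is not this shape
        root = m.group(1).lower() + "\\"
        dropped = [c["image"] for c in children[e["pid"]]
                   if c["image"].lower().startswith(root)]
        alerts.append({
            "cmd_pid": e["pid"],
            "wrapper_exe": parent["image"],
            "batch": m.group(0),
            "dropped": dropped,
        })
    return alerts


# Constructed records mirroring the report's process tree (subset), plus a
# benign control: Explorer launching cmd on a script that sits directly in %TEMP%.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 3032, "ppid": 1234, "image": T + r"\56d5e98fa935cef43afc85e3147032ed.exe",
     "cmdline": '"' + T + r'\56d5e98fa935cef43afc85e3147032ed.exe"'},
    {"pid": 2860, "ppid": 3032, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd" /c "' + T + r'\930C.tmp\930D.tmp\930E.bat '
                + T + r'\56d5e98fa935cef43afc85e3147032ed.exe"'},
    {"pid": 2144, "ppid": 2860, "image": T + r"\930C.tmp\930D.tmp\extd.exe",
     "cmdline": T + r'\930C.tmp\930D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""'},
    {"pid": 1896, "ppid": 2860, "image": T + r"\930C.tmp\hook.exe", "cmdline": "hook.exe"},
    {"pid": 2772, "ppid": 1896, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 976"},
    {"pid": 2680, "ppid": 2860, "image": T + r"\930C.tmp\hook_old.exe", "cmdline": "hook_old.exe"},
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /c "' + T + r'\fix.bat"'},
]

if __name__ == "__main__":
    for a in detect_bat_wrapper(SAMPLE_EVENTS):
        print(a)
```

The parent check is what keeps the false-positive rate down: cmd.exe running a batch file from %TEMP% is routine for installers and administrators, but a parent that is itself an executable in %TEMP% combined with a batch file two .tmp directories deep is specific to this wrapper layout. The dropped list gives the analyst the next files to pull; here they are extd.exe, hook.exe and hook_old.exe, whose hashes appear under Downloads.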

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9031cea1acb5098868b8b4641922eb48

      SHA1

      49b47d8eac6ce9999b831993a7e45a94042140be

      SHA256

      8d11e0928502cf9aad75bd59046af774edb4487d18ac509910c7a677027b5a5f

      SHA512

      9aef03f75f55399459b163b338afd3c9e8b0b69c8f16a41cf83cf2b9bdce8758c565efd25b1b182c3c7b479772c7cf155ab1bec0d2c57f8f31b871e5c33d1b75

    • C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\930E.bat

      Filesize

      444B

      MD5

      c102a5d63862e5e6212c2ee98cb3c731

      SHA1

      8fa2e0431d5e3377761dbd73cdb037a6430dc244

      SHA256

      c4e5f275e226d917ae89703124226bc5ace169cc1de5e8388fc9af76ce78ec9c

      SHA512

      a687a077a01ee3a1811658046714e64fa0c7715270ab69cd4515ab69fb2ab57a3001c5ed1429b7b614b90be397343e49d2415912433f064f1d8072256cee12a8

    • C:\Users\Admin\AppData\Local\Temp\930C.tmp\930D.tmp\extd.exe

      Filesize

      259KB

      MD5

      139b5ce627bc9ec1040a91ebe7830f7c

      SHA1

      c7e8154ebed98bea9d1f12b08139d130b6836826

      SHA256

      d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

      SHA512

      8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

    • C:\Users\Admin\AppData\Local\Temp\930C.tmp\hook.exe

      Filesize

      8KB

      MD5

      6f6e4c7378b72a39304be541283fe240

      SHA1

      998d9fb26b469f83dfc53d069c2bfdb87084d70f

      SHA256

      d4151d291326af4254a3ce4dad5f4e05b31891bf7bb2a7ca4a0102a768c07a24

      SHA512

      1530420b4401f1e286c7a3568645fc292e0e2776eb00e44080f98c5f6c6fbd91b509b36f2a5ff36da0af8b1ca10cb9d8657e3807e924880c097d5da531ab4362

    • C:\Users\Admin\AppData\Local\Temp\930C.tmp\hook_old.exe

      Filesize

      139KB

      MD5

      e43d7d4ef044c393418d7a4c7fb6bf08

      SHA1

      d0c6c79a25c460dd57e8ac77006a9bac583b8798

      SHA256

      5893f1da289eff760f03e44b79d224203ab284956e2d4bf8f36250ad0b82ffd7

      SHA512

      0fe8454d3848185278b51ef52b18440a8ebd0df991cc04d8bb4b817e2fdc32d116591b27a888cd043b3ab65b60f1aa6bcea1cf9d9cc3f8e94a85e30bedc5b868

    • C:\Users\Admin\AppData\Local\Temp\CabB7DC.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarBC81.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • memory/1896-23-0x0000000073870000-0x0000000073F5E000-memory.dmp

      Filesize

      6.9MB

    • memory/1896-21-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

      Filesize

      32KB

    • memory/1896-26-0x0000000004C20000-0x0000000004C60000-memory.dmp

      Filesize

      256KB

    • memory/1896-96-0x0000000073870000-0x0000000073F5E000-memory.dmp

      Filesize

      6.9MB

    • memory/2144-12-0x0000000000400000-0x00000000004A5000-memory.dmp

      Filesize

      660KB

    • memory/2144-11-0x0000000000400000-0x00000000004A5000-memory.dmp

      Filesize

      660KB

    • memory/2680-22-0x0000000000970000-0x0000000000998000-memory.dmp

      Filesize

      160KB

    • memory/2680-24-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

      Filesize

      9.9MB

    • memory/2680-25-0x000000001AC20000-0x000000001ACA0000-memory.dmp

      Filesize

      512KB

    • memory/2680-97-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

      Filesize

      9.9MB

    • memory/2680-98-0x000000001AC20000-0x000000001ACA0000-memory.dmp

      Filesize

      512KB

    • memory/2700-18-0x0000000000400000-0x00000000004A5000-memory.dmp

      Filesize

      660KB