mercurialgrabber | 7b3038bd41ac34e36fc87a857a66a357b3c48989c7d26a522ea16e9b205f2ce1

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	hook_old.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	hook_old.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hook_old.exe

Executes dropped EXE 4 IoCs

pid	Process
2992	extd.exe
1576	hook.exe
1600	hook_old.exe
2616	extd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231e9-10.dat	upx
behavioral2/memory/2992-11-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2992-13-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2616-21-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip4.seeip.org
53	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hook_old.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hook_old.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4376	1576	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	hook_old.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	hook_old.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	hook_old.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	hook_old.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	hook_old.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	hook_old.exe
Token: SeDebugPrivilege	1576	hook.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 856	2948	56d5e98fa935cef43afc85e3147032ed.exe	89
PID 2948 wrote to memory of 856	2948	56d5e98fa935cef43afc85e3147032ed.exe	89
PID 856 wrote to memory of 2992	856	cmd.exe	90
PID 856 wrote to memory of 2992	856	cmd.exe	90
PID 856 wrote to memory of 2992	856	cmd.exe	90
PID 856 wrote to memory of 1576	856	cmd.exe	97
PID 856 wrote to memory of 1576	856	cmd.exe	97
PID 856 wrote to memory of 1576	856	cmd.exe	97
PID 856 wrote to memory of 1600	856	cmd.exe	96
PID 856 wrote to memory of 1600	856	cmd.exe	96
PID 856 wrote to memory of 2616	856	cmd.exe	91
PID 856 wrote to memory of 2616	856	cmd.exe	91
PID 856 wrote to memory of 2616	856	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe
"C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\4623.bat C:\Users\Admin\AppData\Local\Temp\56d5e98fa935cef43afc85e3147032ed.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\4621.tmp\4622.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\4621.tmp\hook_old.exe
    hook_old.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\4621.tmp\hook.exe
    hook.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1688
      4⤵
      Program crash
      PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1576 -ip 1576
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

Virtualization/Sandbox Evasion

2

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service