Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 16:58
Behavioral task: behavioral1
- Sample: 7e7fdda992ee5496837a3553b3fdf60a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7e7fdda992ee5496837a3553b3fdf60a.exe
- Resource: win10v2004-20231215-en
General
- Target: 7e7fdda992ee5496837a3553b3fdf60a.exe
- Size: 41KB
- MD5: 7e7fdda992ee5496837a3553b3fdf60a
- SHA1: 7ca7c88288afbf541825127bfd6ea6e46ac0d21d
- SHA256: 9b7152d2053180c5d13f303ec815a437cc1d6f8d19a9cfb39e02741d7a3feab1
- SHA512: 99a28517118ee6df71e2ad609338d9b6f795ff5cd27ef65e8d0c9f71a2b1632c4edda02da1686bef06c47f1682b3245b03a796b6a7137fd63eeb0ac590c56fa9
- SSDEEP: 768:JscG4ApfT6aWpDXswAuZkexWTjQKZKfgm3EhNN:WcKfnWkexWTMF7E/N
Malware Config
Extracted
- mercurialgrabber
- https://discord.com/api/webhooks/868873062756548618/M7jr5VWJMFGIVUmSk7foumdHsHfjOS_MZWS_Pp_J4YkgYsVd8TPJU1URrMihfDokc1nl
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 7e7fdda992ee5496837a3553b3fdf60a.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Checks SCSI registry key(s) (3 TTPs, 1 IoC)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | 7e7fdda992ee5496837a3553b3fdf60a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | 7e7fdda992ee5496837a3553b3fdf60a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | 7e7fdda992ee5496837a3553b3fdf60a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | pid | process
  Token: SeDebugPrivilege | 2028 | 7e7fdda992ee5496837a3553b3fdf60a.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 7e7fdda992ee5496837a3553b3fdf60a.exe
  description | pid | process | target process
  PID 2028 wrote to memory of 2776 | 2028 | 7e7fdda992ee5496837a3553b3fdf60a.exe | WerFault.exe
  PID 2028 wrote to memory of 2776 | 2028 | 7e7fdda992ee5496837a3553b3fdf60a.exe | WerFault.exe
  PID 2028 wrote to memory of 2776 | 2028 | 7e7fdda992ee5496837a3553b3fdf60a.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e7fdda992ee5496837a3553b3fdf60a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e7fdda992ee5496837a3553b3fdf60a.exe"
  PID: 2028
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2028 -s 1004
    PID: 2776