Analysis

  • max time kernel: 118s
  • max time network: 139s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-12-2023 18:40

General

  • Target: 850b194b11c33c595a84f1e29c2f771f.exe
  • Size: 411KB
  • MD5: 850b194b11c33c595a84f1e29c2f771f
  • SHA1: 0ba67072d35d25ad340f13cadbe728ed7770f1e4
  • SHA256: 30a0e860e5edadad6650b561ab332d13b68bfe296c10871820cdc64b42c70f3e
  • SHA512: 6290c3d2ba7c40ae456f25615e96a3fce94bdaa98692f1faaed94830893de9cb1f70cb6ae43f531881e0b4c0cfe956648bfd26b74510ba5242fe441ef1929c9c
  • SSDEEP: 3072:Aq6+ouCpk2mpcWJ0r+QNTBfwiBTAQPqRKmgjPiumbxaf7tin3nNzeff2KVQ:Aldk1cWQRNTBYqPoTgjPYxW7w+VQ

Malware Config

Extracted

  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/870291367530737705/kitCWvdskV4mesZN15sftPzdN9h7p-Y0ANa240mBlgWkIh9632aLpUK7C0zdv_guqyVv

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"
    Level 1, PID 3008
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\696.tmp\697.tmp\698.bat C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"
      Level 2, PID 3020
      • Suspicious use of WriteProcessMemory
  • C:\Users\Admin\AppData\Local\Temp\696.tmp\hook_old.exe
    Command line: hook_old.exe
    Level 1, PID 2096
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2096 -s 1784
      Level 2, PID 1440
    • C:\Users\Admin\AppData\Local\Temp\696.tmp\hook.exe
      Command line: hook.exe
      Level 1, PID 2076
      • Executes dropped EXE
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1076
        Level 2, PID 2816
        • Loads dropped DLL
        • Program crash

Downloads

    • C:\Users\Admin\AppData\Local\Temp\696.tmp\697.tmp\698.bat
      Filesize: 86B
      MD5: 5153e89314d7bf999dae46d5dd76757a
      SHA1: e891fe0b00bbe19f8c52309001cf838b6d72c905
      SHA256: f2b6508bab8c37969349a11b4dbb420e5d9c59596baab57892f8ced115e44a9c
      SHA512: 4eeb8449a82a953f6b09fccd19c856f47624788d34d7b67efbcaf398e8abc08cc2646c5dd29a2145fc36c199edd8e59bb6a3109b51b1941cdc2249d3e493f85f

    • C:\Users\Admin\AppData\Local\Temp\696.tmp\hook.exe
      Filesize: 8KB
      MD5: 6f6e4c7378b72a39304be541283fe240
      SHA1: 998d9fb26b469f83dfc53d069c2bfdb87084d70f
      SHA256: d4151d291326af4254a3ce4dad5f4e05b31891bf7bb2a7ca4a0102a768c07a24
      SHA512: 1530420b4401f1e286c7a3568645fc292e0e2776eb00e44080f98c5f6c6fbd91b509b36f2a5ff36da0af8b1ca10cb9d8657e3807e924880c097d5da531ab4362

    • C:\Users\Admin\AppData\Local\Temp\696.tmp\hook_old.exe
      Filesize: 139KB
      MD5: e43d7d4ef044c393418d7a4c7fb6bf08
      SHA1: d0c6c79a25c460dd57e8ac77006a9bac583b8798
      SHA256: 5893f1da289eff760f03e44b79d224203ab284956e2d4bf8f36250ad0b82ffd7
      SHA512: 0fe8454d3848185278b51ef52b18440a8ebd0df991cc04d8bb4b817e2fdc32d116591b27a888cd043b3ab65b60f1aa6bcea1cf9d9cc3f8e94a85e30bedc5b868

    • memory/2076-15-0x0000000074220000-0x000000007490E000-memory.dmp
      Filesize: 6.9MB

    • memory/2076-13-0x0000000000CB0000-0x0000000000CB8000-memory.dmp
      Filesize: 32KB

    • memory/2076-18-0x0000000004850000-0x0000000004890000-memory.dmp
      Filesize: 256KB

    • memory/2076-24-0x0000000074220000-0x000000007490E000-memory.dmp
      Filesize: 6.9MB

    • memory/2096-14-0x0000000000F20000-0x0000000000F48000-memory.dmp
      Filesize: 160KB

    • memory/2096-16-0x000000001AE60000-0x000000001AEE0000-memory.dmp
      Filesize: 512KB

    • memory/2096-17-0x000007FEF5780000-0x000007FEF616C000-memory.dmp
      Filesize: 9.9MB

    • memory/2096-37-0x000000001AE60000-0x000000001AEE0000-memory.dmp
      Filesize: 512KB

    • memory/2096-38-0x000007FEF5780000-0x000007FEF616C000-memory.dmp
      Filesize: 9.9MB