Analysis

  • max time kernel
    135s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2023 18:40

General

  • Target

    850b194b11c33c595a84f1e29c2f771f.exe

  • Size

    411KB

  • MD5

    850b194b11c33c595a84f1e29c2f771f

  • SHA1

    0ba67072d35d25ad340f13cadbe728ed7770f1e4

  • SHA256

    30a0e860e5edadad6650b561ab332d13b68bfe296c10871820cdc64b42c70f3e

  • SHA512

    6290c3d2ba7c40ae456f25615e96a3fce94bdaa98692f1faaed94830893de9cb1f70cb6ae43f531881e0b4c0cfe956648bfd26b74510ba5242fe441ef1929c9c

  • SSDEEP

    3072:Aq6+ouCpk2mpcWJ0r+QNTBfwiBTAQPqRKmgjPiumbxaf7tin3nNzeff2KVQ:Aldk1cWQRNTBYqPoTgjPYxW7w+VQ

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/870291367530737705/kitCWvdskV4mesZN15sftPzdN9h7p-Y0ANa240mBlgWkIh9632aLpUK7C0zdv_guqyVv
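
The webhook above is the only C2 the config extractor recovered. A practitioner usually wants to pull such webhooks out of a dropped binary or memory dump without detonating it, and to date them: the numeric part of the URL is a Discord snowflake, which encodes its creation time. The script below is an added example, not code from the report or from Mercurial Grabber; it scans a blob for ASCII and UTF-16LE strings, matches webhook URLs, and decodes the snowflake. The sample blob is constructed and embeds the webhook from this report as a UTF-16LE string, the encoding .NET assemblies use for string literals; it never contacts Discord.

```python
import re
from datetime import datetime, timezone

# Discord snowflakes carry a millisecond timestamp relative to 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000

# discord.com / discordapp.com webhook URLs: numeric snowflake id, then the token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_-]{50,100})"
)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def printable_strings(data: bytes):
    """Yield printable runs the way `strings -a` and `strings -el` would."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(data):
        yield m.group().decode("utf-16le")


def snowflake_created(snowflake: int) -> datetime:
    """Recover the creation time embedded in a Discord snowflake (the webhook id)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def extract_webhooks(data: bytes) -> list:
    """Return unique webhook C2s in a blob with id, token and id creation time."""
    found = {}
    for s in printable_strings(data):
        for m in WEBHOOK_RE.finditer(s):
            wid, token = int(m.group(1)), m.group(2)
            found.setdefault(wid, {
                "url": m.group(0),
                "id": wid,
                "token": token,
                "created": snowflake_created(wid),
            })
    return list(found.values())


# Constructed sample blob (not the real sample): the webhook from this report stored
# as UTF-16LE, plus an ASCII decoy URL with a non-numeric id that must not match.
WEBHOOK_URL = ("https://discord.com/api/webhooks/870291367530737705/"
               "kitCWvdskV4mesZN15sftPzdN9h7p-Y0ANa240mBlgWkIh9632aLpUK7C0zdv_guqyVv")
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + WEBHOOK_URL.encode("utf-16le") + b"\x00\x00"
    + b"padding https://discord.com/api/webhooks/notasnowflake/shorttoken\x00"
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(hook["id"], hook["created"].isoformat(), hook["url"])
```

Run it against hook_old.exe or one of the memory dumps listed under Downloads. Do not GET or POST to a recovered webhook from an analysis host; the token alone is enough to report it for takedown.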

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer that targets Chrome, Discord and some game clients, and also collects generic system information.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
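
The VirtualBox, VMware, BIOS, SCSI and location signatures above all come down to registry reads, so the same behaviour can be recovered from a Procmon trace taken outside the sandbox. The script below is an added example, not part of the report or of Mercurial Grabber: it parses a Procmon CSV export (default columns), tags each registry read with the evasion category it matches and flags any process that probes two or more distinct VM-detection categories. The registry paths are the ones stealers commonly query for these checks; the report names the behaviours, not the exact paths, so treat the patterns as an assumption to adjust against your own trace. The trace lines are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Paths commonly read for VM/sandbox detection and geofencing (assumed, see lead-in).
# Matched against Procmon's "Path" column.
INDICATORS = [
    ("virtualbox", re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("vmware",     re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I)),
    ("bios",       re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion", re.I)),
    ("scsi",       re.compile(r"\\HARDWARE\\DEVICEMAP\\Scsi\\", re.I)),
    ("geo",        re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I)),
    ("sysinfo",    re.compile(r"\\Windows NT\\CurrentVersion\\(?:ProductName|CurrentBuild)", re.I)),
]
VM_CATEGORIES = {"virtualbox", "vmware", "bios", "scsi"}
REG_READ_OPS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegEnumKey", "RegEnumValue"}


def classify_trace(csv_text: str) -> dict:
    """Group matching registry reads by PID and tag each with its evasion category."""
    per_pid = defaultdict(lambda: {"image": None, "categories": set(), "events": []})
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Operation"] not in REG_READ_OPS:
            continue
        for category, pattern in INDICATORS:
            if pattern.search(row["Path"]):
                entry = per_pid[int(row["PID"])]
                entry["image"] = row["Process Name"]
                entry["categories"].add(category)
                # Keep the Result: NAME NOT FOUND means the check ran on a host the
                # malware will treat as clean, SUCCESS means it saw the VM artefact.
                entry["events"].append((category, row["Path"], row["Result"]))
                break
    return dict(per_pid)


def evasion_verdicts(summary: dict, min_vm_hits: int = 2) -> dict:
    """PIDs that probed at least `min_vm_hits` distinct VM-detection categories."""
    return {
        pid: sorted(info["categories"] & VM_CATEGORIES)
        for pid, info in summary.items()
        if len(info["categories"] & VM_CATEGORIES) >= min_vm_hits
    }


# Constructed Procmon CSV export; PIDs and image names follow the process tree in this
# report, the rows themselves are not from the report's trace. GeoID 244 is United States.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:40:11.9900000 PM","850b194b11c33c595a84f1e29c2f771f.exe","2432","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"6:40:12.0010000 PM","hook_old.exe","2600","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","NAME NOT FOUND","Desired Access: Read"
"6:40:12.0020000 PM","hook_old.exe","2600","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","NAME NOT FOUND","Desired Access: Read"
"6:40:12.0030000 PM","hook_old.exe","2600","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 28, Data: VBOX   - 1"
"6:40:12.0040000 PM","hook_old.exe","2600","RegQueryValue","HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier","SUCCESS","Type: REG_SZ, Length: 38, Data: VBOX HARDDISK"
"6:40:13.1000000 PM","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 10 Pro"
'''

if __name__ == "__main__":
    summary = classify_trace(SAMPLE_TRACE)
    for pid, cats in evasion_verdicts(summary).items():
        print(pid, summary[pid]["image"], cats)
```

Reads of the BIOS or SCSI keys alone are noisy (Windows components read them too), which is why the verdict requires several distinct categories from one PID; the geo lookup is reported separately since it points at geofencing rather than VM detection.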

Processes

  • C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe
    "C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\E456.tmp\E457.bat C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook.exe
        hook.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1692
          4⤵
          • Program crash
          PID:4420
      • C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook_old.exe
        hook_old.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5064 -ip 5064
    1⤵
      PID:4320
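
The tree above has a shape worth encoding as detection logic: the sample runs cmd.exe via the sysnative alias (which only resolves inside a 32-bit WoW64 process, matching the arch:x86 tag) on a batch file in a nested *.tmp directory under Temp, the batch starts two dropped executables from that directory, and hook.exe crashes under WerFault while hook_old.exe carries out the VM checks. The script below is an added example, not code from the report: it evaluates those rules over process-creation records. The record list is constructed from the PIDs, images and command lines shown in the tree; the field names and the parent-PID convention (0 for roots) are assumptions.

```python
import re

# A *.tmp directory directly under the user's Temp folder, where the dropper unpacks.
TEMP_TMPDIR = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\\", re.I)
BAT_VIA_CMD = re.compile(r"/c\s+\"?[^\"]*\.bat\b", re.I)
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def ancestry(by_pid: dict, pid: int) -> str:
    """Render the chain root > ... > pid using image basenames."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def analyse(procs: list) -> dict:
    """Map each PID that triggers a rule to its ancestry and the rule names."""
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        hits = []
        image, cmd = p["image"], p["cmdline"]
        low = image.lower()
        if low.endswith("\\cmd.exe") and BAT_VIA_CMD.search(cmd) and TEMP_TMPDIR.search(cmd):
            hits.append("batch_from_temp_tmpdir")
        if low.endswith(".exe") and TEMP_TMPDIR.search(image):
            hits.append("dropped_exe_from_temp_tmpdir")
        if "\\sysnative\\" in cmd.lower():
            # sysnative only exists for WoW64 callers, so the launching process is 32-bit.
            hits.append("wow64_parent_used_sysnative")
        if low.endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(cmd)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and TEMP_TMPDIR.search(crashed["image"]):
                # Tie the crash report back to the dropped payload it belongs to.
                hits.append("crash_of_dropped_exe:%d" % crashed["pid"])
        if hits:
            findings[p["pid"]] = {"chain": ancestry(by_pid, p["pid"]), "rules": hits}
    return findings


# Constructed records transcribed from the process tree in this report (ppid 0 = root).
SAMPLE_TREE = [
    {"pid": 2432, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"'},
    {"pid": 4340, "ppid": 2432, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\E456.tmp\E457.bat C:\Users\Admin\AppData\Local\Temp\850b194b11c33c595a84f1e29c2f771f.exe"'},
    {"pid": 5064, "ppid": 4340, "image": r"C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook.exe",
     "cmdline": "hook.exe"},
    {"pid": 4420, "ppid": 5064, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1692"},
    {"pid": 2600, "ppid": 4340, "image": r"C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook_old.exe",
     "cmdline": "hook_old.exe"},
    {"pid": 4320, "ppid": 0, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5064 -ip 5064"},
]

if __name__ == "__main__":
    for pid, info in analyse(SAMPLE_TREE).items():
        print(pid, info["chain"], info["rules"])
```

The WerFault rule is the one most often missed: on its own a crash report is benign, but a crash of an executable started from a *.tmp directory under Temp tells you which dropped payload failed, which here is why hook.exe shows none of the VM checks that hook_old.exe performs.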

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\E456.tmp\E457.bat

      Filesize

      86B

      MD5

      5153e89314d7bf999dae46d5dd76757a

      SHA1

      e891fe0b00bbe19f8c52309001cf838b6d72c905

      SHA256

      f2b6508bab8c37969349a11b4dbb420e5d9c59596baab57892f8ced115e44a9c

      SHA512

      4eeb8449a82a953f6b09fccd19c856f47624788d34d7b67efbcaf398e8abc08cc2646c5dd29a2145fc36c199edd8e59bb6a3109b51b1941cdc2249d3e493f85f

    • C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook.exe

      Filesize

      8KB

      MD5

      6f6e4c7378b72a39304be541283fe240

      SHA1

      998d9fb26b469f83dfc53d069c2bfdb87084d70f

      SHA256

      d4151d291326af4254a3ce4dad5f4e05b31891bf7bb2a7ca4a0102a768c07a24

      SHA512

      1530420b4401f1e286c7a3568645fc292e0e2776eb00e44080f98c5f6c6fbd91b509b36f2a5ff36da0af8b1ca10cb9d8657e3807e924880c097d5da531ab4362

    • C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\hook_old.exe

      Filesize

      139KB

      MD5

      e43d7d4ef044c393418d7a4c7fb6bf08

      SHA1

      d0c6c79a25c460dd57e8ac77006a9bac583b8798

      SHA256

      5893f1da289eff760f03e44b79d224203ab284956e2d4bf8f36250ad0b82ffd7

      SHA512

      0fe8454d3848185278b51ef52b18440a8ebd0df991cc04d8bb4b817e2fdc32d116591b27a888cd043b3ab65b60f1aa6bcea1cf9d9cc3f8e94a85e30bedc5b868

    • memory/2600-27-0x00007FFB4AAF0000-0x00007FFB4B5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2600-17-0x00007FFB4AAF0000-0x00007FFB4B5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2600-18-0x000000001B610000-0x000000001B620000-memory.dmp

      Filesize

      64KB

    • memory/2600-15-0x00000000009D0000-0x00000000009F8000-memory.dmp

      Filesize

      160KB

    • memory/2600-28-0x00007FFB4AAF0000-0x00007FFB4B5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/5064-19-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB

    • memory/5064-20-0x0000000000570000-0x0000000000578000-memory.dmp

      Filesize

      32KB

    • memory/5064-26-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

      Filesize

      64KB

    • memory/5064-29-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB

    • memory/5064-30-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

      Filesize

      64KB

    • memory/5064-31-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB