Analysis
-
max time kernel
168s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2023 19:41
Static task
static1
Behavioral task
behavioral1
Sample
897303e62f34067b7edb75f929444ed6.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
897303e62f34067b7edb75f929444ed6.exe
Resource
win10v2004-20231215-en
General
-
Target
897303e62f34067b7edb75f929444ed6.exe
-
Size
129KB
-
MD5
897303e62f34067b7edb75f929444ed6
-
SHA1
a820f0766a5c4bd125a4b0b0ec783671ec6070a4
-
SHA256
e212714f1c55366b39723720da6a795db5ff29d95f203735d85a1751f2436f0a
-
SHA512
58c7f123ef7d80dc9d632bcfaba4a4e984a715dade894ed4a85d1c495f0a29bd6d03b37282e000c7600f0532bc36680ba180217f8a9e3b6dd45503a6f468f845
-
SSDEEP
3072:b5ZCZ0hG1SLB+GVaGINYtwdW0aKFYqJh2K1GIvEWJN:bhhG1SLnVpy1o0HFY02Kt7J
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/869250023471349841/zBXtkkLlRrEs0swQ9kzBjY4PwllPQJQ0zFPuAvo_Cc85WP-KB4q8zFIxPGrV1esVOUXk
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
897303e62f34067b7edb75f929444ed6.exedescription pid process target process PID 5056 set thread context of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 1704 dw20.exe Token: SeBackupPrivilege 1704 dw20.exe Token: SeBackupPrivilege 1704 dw20.exe Token: SeBackupPrivilege 1704 dw20.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
897303e62f34067b7edb75f929444ed6.exevbc.exedescription pid process target process PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 5056 wrote to memory of 4880 5056 897303e62f34067b7edb75f929444ed6.exe vbc.exe PID 4880 wrote to memory of 1704 4880 vbc.exe dw20.exe PID 4880 wrote to memory of 1704 4880 vbc.exe dw20.exe PID 4880 wrote to memory of 1704 4880 vbc.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\897303e62f34067b7edb75f929444ed6.exe"C:\Users\Admin\AppData\Local\Temp\897303e62f34067b7edb75f929444ed6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4880
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7841⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1704