Analysis

  • max time kernel
    168s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20231215-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    26-12-2023 19:41

General

  • Target

    897303e62f34067b7edb75f929444ed6.exe

  • Size

    129KB

  • MD5

    897303e62f34067b7edb75f929444ed6

  • SHA1

    a820f0766a5c4bd125a4b0b0ec783671ec6070a4

  • SHA256

    e212714f1c55366b39723720da6a795db5ff29d95f203735d85a1751f2436f0a

  • SHA512

    58c7f123ef7d80dc9d632bcfaba4a4e984a715dade894ed4a85d1c495f0a29bd6d03b37282e000c7600f0532bc36680ba180217f8a9e3b6dd45503a6f468f845

  • SSDEEP

    3072:b5ZCZ0hG1SLB+GVaGINYtwdW0aKFYqJh2K1GIvEWJN:bhhG1SLnVpy1o0HFY02Kt7J

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/869250023471349841/zBXtkkLlRrEs0swQ9kzBjY4PwllPQJQ0zFPuAvo_Cc85WP-KB4q8zFIxPGrV1esVOUXk
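
The extracted C2 above is a Discord webhook, which is how Mercurial Grabber exfiltrates: there is no attacker server, only a channel the attacker controls. The following is an added example (not part of this report and not the sandbox's own config extractor) that pulls such webhook URLs out of a binary or memory dump, including the UTF-16LE form in which .NET stores string literals, and recovers the webhook's creation time from its snowflake ID. The input blob is constructed around this report's URL; the token character set and length bounds in the regex are assumptions, not a Discord specification.

```python
"""Pull Discord webhook C2 URLs out of a binary or memory dump and turn them into IoC records.
Added example for this report; not the sandbox's extractor. Input is constructed below."""
import re
from datetime import datetime, timezone

# Webhook URL layout: /api/webhooks/<snowflake id>/<token>. The token charset and length
# bounds are assumptions wide enough for tokens seen in the wild, not a Discord spec.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,100})"
)
DISCORD_EPOCH_MS = 1420070400000  # Discord snowflake epoch: 2015-01-01T00:00:00Z


def snowflake_created(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: the top 42 bits are ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def _candidate_texts(blob: bytes):
    """Views of the blob in which an ASCII URL becomes readable: raw bytes, plus UTF-16LE at
    both byte alignments, which is how .NET stores string literals in the #US heap."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def extract_webhooks(blob: bytes) -> list:
    """One IoC record per distinct webhook URL found in blob, in order of first appearance."""
    seen, records = set(), []
    for text in _candidate_texts(blob):
        for m in WEBHOOK_RE.finditer(text):
            url = m.group(0)
            if url in seen:
                continue
            seen.add(url)
            wid = int(m.group(1))
            records.append({
                "url": url,
                "webhook_id": wid,
                "token": m.group(2),
                "created_utc": snowflake_created(wid).isoformat(timespec="seconds"),
            })
    return records


# Constructed stand-in for a process dump: the C2 URL from this report embedded once as ASCII
# and once as UTF-16LE, surrounded by filler bytes.
C2_URL = ("https://discord.com/api/webhooks/869250023471349841/"
          "zBXtkkLlRrEs0swQ9kzBjY4PwllPQJQ0zFPuAvo_Cc85WP-KB4q8zFIxPGrV1esVOUXk")
SAMPLE_BLOB = (b"\x00" * 16 + b"MZ\x90\x00junk" + C2_URL.encode("ascii") + b"\x00\x00pad\x00"
               + C2_URL.encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for rec in extract_webhooks(SAMPLE_BLOB):
        print(rec["webhook_id"], rec["created_utc"], rec["url"])
```

The snowflake timestamp is the moment the attacker created the webhook, which is useful for clustering samples that share an operator even when the token differs. Treat the URL as attacker infrastructure: do not send anything to it from an analysis host, and report it to Discord so the webhook is removed.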

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs

    The sample (PID 5056) is flagged for WriteProcessMemory and SetThreadContext, and its child vbc.exe (PID 4880) runs with no arguments: this is consistent with process hollowing, where the signed compiler is started suspended and used only as a host for the injected payload.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run, however, the hits are attributed to dw20.exe (PID 1704), the .NET Framework error-reporting shim the CLR launches when a managed process hits an unhandled exception, not to the sample or the hollowed vbc.exe, so they are not evidence of sandbox evasion by the stealer itself.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\897303e62f34067b7edb75f929444ed6.exe
    "C:\Users\Admin\AppData\Local\Temp\897303e62f34067b7edb75f929444ed6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4880
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 784
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1704
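
The tree above shows the pattern a detection should key on: a .NET Framework compiler launched with nothing to compile by a non-build parent that then writes into it and resets its thread context. This added example (not from the report, the sandbox, or the Mercurial Grabber project) encodes that as a scoring rule over sandbox-style process records. The records are constructed from this report's process tree plus one invented benign control (a build spawning vbc.exe with a response file); the host-binary and expected-parent lists are assumptions to tune for your estate.

```python
"""Flag process-hollowing candidates in a sandbox process tree: a .NET Framework binary started
with nothing to do, whose parent wrote into it and reset its thread context.
Added example for this report; not the sandbox's signature logic. Records constructed below."""
from dataclasses import dataclass, field
from typing import Optional
import ntpath

# .NET Framework binaries commonly used as hollowing hosts by .NET loaders and stealers (assumed list)
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}
# Parents that legitimately spawn these compilers; assumed baseline, tune per estate
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "aspnet_compiler.exe", "w3wp.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int] = None
    apis: set = field(default_factory=set)  # API-use flags the sandbox attached to this process

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path on the command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def find_hollowing(procs, min_reasons: int = 2) -> list:
    """Score each host-binary child against its parent; report those with >= min_reasons."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        if child.name not in HOLLOW_HOSTS:
            continue
        parent = by_pid.get(child.parent_pid)
        if parent is None:
            continue
        reasons = []
        if not has_arguments(child.cmdline):
            reasons.append("host started with no arguments: a compiler with nothing to compile")
        if INJECTION_APIS <= parent.apis:
            reasons.append("parent used WriteProcessMemory and SetThreadContext")
        if parent.name not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent.name}")
        if len(reasons) >= min_reasons:
            hits.append({"parent_pid": parent.pid, "child_pid": child.pid,
                         "host": child.name, "reasons": reasons})
    return hits


# Constructed from this report's process tree (PIDs, images, command lines and API flags as
# listed), plus one invented benign control: a real build spawning vbc.exe with a response file.
SAMPLE = "897303e62f34067b7edb75f929444ed6.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
FX2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
REPORT_TREE = [
    Proc(5056, SAMPLE_PATH, f'"{SAMPLE_PATH}"', None, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(4880, ntpath.join(FX2, "vbc.exe"), ntpath.join(FX2, "vbc.exe"), 5056, {"WriteProcessMemory"}),
    Proc(1704, ntpath.join(FX2, "dw20.exe"), "dw20.exe -x -s 784", None, {"AdjustPrivilegeToken"}),
    Proc(9001, r"C:\Program Files\dotnet\MSBuild.exe",
         '"C:\\Program Files\\dotnet\\MSBuild.exe" app.vbproj', None, set()),
    Proc(9002, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
         '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe" /noconfig @"C:\\build\\obj\\app.rsp"',
         9001, set()),
]

if __name__ == "__main__":
    for hit in find_hollowing(REPORT_TREE):
        print(f"parent {hit['parent_pid']} -> {hit['host']} (pid {hit['child_pid']}): "
              + "; ".join(hit["reasons"]))
```

Requiring two independent reasons keeps a lone compiler launch from firing; the report's tree scores all three. When the rule fires, the child's small low-address dumps (here memory/4880-3, 0x00400000-0x00410000, 64KB, under Downloads) are the first place to look for the hollowed-in image, and the matching 64KB region in the parent (memory/5056-2) is a plausible copy of the same payload before injection.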

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4880-3-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/4880-7-0x0000000000460000-0x0000000000470000-memory.dmp

    Filesize

    64KB

  • memory/4880-8-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB

  • memory/4880-6-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB

  • memory/4880-15-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB

  • memory/5056-0-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB

  • memory/5056-1-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB

  • memory/5056-2-0x0000000000C00000-0x0000000000C10000-memory.dmp

    Filesize

    64KB

  • memory/5056-5-0x0000000074FA0000-0x0000000075551000-memory.dmp

    Filesize

    5.7MB