
Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2024, 11:41 UTC

General

  • Target

    bb2b2b0895756fd5142c988de1f5c84f.exe

  • Size

    41KB

  • MD5

    bb2b2b0895756fd5142c988de1f5c84f

  • SHA1

    7494cf710fa922192791cc5a889b8cc9706bc0b3

  • SHA256

    ce173fa07b33e16818072aab8b20a82421a15b94ad5229ef67e68a756d866d33

  • SHA512

    029e6719bbbb3f883c01851635b91f92796b0ca1f79db6c570e36b932bc4b04d57dbcc3cba12fa27ba9b90baf48f1f3df52f73a5d052db66487352ab79ae2aa8

  • SSDEEP

    768:pscG4ApfT6ahzpDXswIuZkewWTjnKZKfgm3EhUl:2cKfnhz8ewWTTF7ESl

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/881135031840555018/Cwpb3LuVEmAT77ddMGaTm5KWYLsGcH82bCQYdFdnlYu0Cesq7tUcYPID937LwEyUJUdI

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb2b2b0895756fd5142c988de1f5c84f.exe
    "C:\Users\Admin\AppData\Local\Temp\bb2b2b0895756fd5142c988de1f5c84f.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3012 -s 1732
      2⤵
        PID:2776

    Network

    • flag-us
      DNS
      ip4.seeip.org
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      8.8.8.8:53
      Request
      ip4.seeip.org
      IN A
      Response
      ip4.seeip.org
      IN A
      23.128.64.141
    • flag-us
      DNS
      apps.identrust.com
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.identrust.com
      IN A
      Response
      apps.identrust.com
      IN CNAME
      identrust.edgesuite.net
      identrust.edgesuite.net
      IN CNAME
      a1952.dscq.akamai.net
      a1952.dscq.akamai.net
      IN A
      96.17.179.205
      a1952.dscq.akamai.net
      IN A
      96.17.179.184
    • flag-gb
      GET
      http://apps.identrust.com/roots/dstrootcax3.p7c
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      96.17.179.205:80
      Request
      GET /roots/dstrootcax3.p7c HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: apps.identrust.com
      Response
      HTTP/1.1 200 OK
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-Robots-Tag: noindex
      Referrer-Policy: same-origin
      Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
      ETag: "37d-6079b8c0929c0"
      Accept-Ranges: bytes
      Content-Length: 893
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      Content-Type: application/pkcs7-mime
      Cache-Control: max-age=3600
      Expires: Fri, 08 Mar 2024 12:41:11 GMT
      Date: Fri, 08 Mar 2024 11:41:11 GMT
      Connection: keep-alive
    • flag-us
      DNS
      ip-api.com
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com//json/
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      208.95.112.1:80
      Request
      GET //json/ HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 08 Mar 2024 11:41:11 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 313
      Access-Control-Allow-Origin: *
      X-Ttl: 55
      X-Rl: 43
    • flag-us
      DNS
      discord.com
      bb2b2b0895756fd5142c988de1f5c84f.exe
      Remote address:
      8.8.8.8:53
      Request
      discord.com
      IN A
      Response
      discord.com
      IN A
      162.159.135.232
      discord.com
      IN A
      162.159.137.232
      discord.com
      IN A
      162.159.138.232
      discord.com
      IN A
      162.159.128.233
      discord.com
      IN A
      162.159.136.232
    • 23.128.64.141:443
      ip4.seeip.org
      tls
      bb2b2b0895756fd5142c988de1f5c84f.exe
      659 B
      4.9kB
      9
      9
    • 96.17.179.205:80
      http://apps.identrust.com/roots/dstrootcax3.p7c
      http
      bb2b2b0895756fd5142c988de1f5c84f.exe
      323 B
      1.6kB
      4
      4

      HTTP Request

      GET http://apps.identrust.com/roots/dstrootcax3.p7c

      HTTP Response

      200
    • 208.95.112.1:80
      http://ip-api.com//json/
      http
      bb2b2b0895756fd5142c988de1f5c84f.exe
      296 B
      622 B
      5
      3

      HTTP Request

      GET http://ip-api.com//json/

      HTTP Response

      200
    • 162.159.135.232:443
      discord.com
      tls
      bb2b2b0895756fd5142c988de1f5c84f.exe
      345 B
      219 B
      5
      5
    • 162.159.135.232:443
      discord.com
      tls
      bb2b2b0895756fd5142c988de1f5c84f.exe
      345 B
      219 B
      5
      5
    • 8.8.8.8:53
      ip4.seeip.org
      dns
      bb2b2b0895756fd5142c988de1f5c84f.exe
      59 B
      75 B
      1
      1

      DNS Request

      ip4.seeip.org

      DNS Response

      23.128.64.141

    • 8.8.8.8:53
      apps.identrust.com
      dns
      bb2b2b0895756fd5142c988de1f5c84f.exe
      64 B
      165 B
      1
      1

      DNS Request

      apps.identrust.com

      DNS Response

      96.17.179.205
      96.17.179.184

    • 8.8.8.8:53
      ip-api.com
      dns
      bb2b2b0895756fd5142c988de1f5c84f.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      discord.com
      dns
      bb2b2b0895756fd5142c988de1f5c84f.exe
      57 B
      137 B
      1
      1

      DNS Request

      discord.com

      DNS Response

      162.159.135.232
      162.159.137.232
      162.159.138.232
      162.159.128.233
      162.159.136.232

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5ba6f6aad20a8b7ac347c8daef4b9b84

      SHA1

      c6909c359e6f602bee63f16d989c9eab46169c07

      SHA256

      13b4d44b6225d4aaef4cf7aee355b96ee292edff111c28e478e5fc456a43a470

      SHA512

      1c4ef89e388f2fd80564a7f4aee362485ea6b8b0a4a2514e572930f12547e3b877e479fcdaf7eb99eb5c3629466a5a6f0bc11a501270a4af60cba1cedcdb271e

    • C:\Users\Admin\AppData\Local\Temp\Cab62AB.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar6467.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • memory/3012-0-0x00000000012B0000-0x00000000012C0000-memory.dmp

      Filesize

      64KB

    • memory/3012-1-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

      Filesize

      9.9MB

    • memory/3012-2-0x000000001ADD0000-0x000000001AE50000-memory.dmp

      Filesize

      512KB

    • memory/3012-80-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

      Filesize

      9.9MB

    • memory/3012-81-0x000000001ADD0000-0x000000001AE50000-memory.dmp

      Filesize

      512KB
