Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2024, 11:41

General

  • Target

    bb2b2b0895756fd5142c988de1f5c84f.exe

  • Size

    41KB

  • MD5

    bb2b2b0895756fd5142c988de1f5c84f

  • SHA1

    7494cf710fa922192791cc5a889b8cc9706bc0b3

  • SHA256

    ce173fa07b33e16818072aab8b20a82421a15b94ad5229ef67e68a756d866d33

  • SHA512

    029e6719bbbb3f883c01851635b91f92796b0ca1f79db6c570e36b932bc4b04d57dbcc3cba12fa27ba9b90baf48f1f3df52f73a5d052db66487352ab79ae2aa8

  • SSDEEP

    768:pscG4ApfT6ahzpDXswIuZkewWTjnKZKfgm3EhUl:2cKfnhz8ewWTTF7ESl

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/881135031840555018/Cwpb3LuVEmAT77ddMGaTm5KWYLsGcH82bCQYdFdnlYu0Cesq7tUcYPID937LwEyUJUdI

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb2b2b0895756fd5142c988de1f5c84f.exe
    "C:\Users\Admin\AppData\Local\Temp\bb2b2b0895756fd5142c988de1f5c84f.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3012 -s 1732
      2⤵
        PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5ba6f6aad20a8b7ac347c8daef4b9b84

      SHA1

      c6909c359e6f602bee63f16d989c9eab46169c07

      SHA256

      13b4d44b6225d4aaef4cf7aee355b96ee292edff111c28e478e5fc456a43a470

      SHA512

      1c4ef89e388f2fd80564a7f4aee362485ea6b8b0a4a2514e572930f12547e3b877e479fcdaf7eb99eb5c3629466a5a6f0bc11a501270a4af60cba1cedcdb271e

    • C:\Users\Admin\AppData\Local\Temp\Cab62AB.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar6467.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • memory/3012-0-0x00000000012B0000-0x00000000012C0000-memory.dmp

      Filesize

      64KB

    • memory/3012-1-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

      Filesize

      9.9MB

    • memory/3012-2-0x000000001ADD0000-0x000000001AE50000-memory.dmp

      Filesize

      512KB

    • memory/3012-80-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

      Filesize

      9.9MB

    • memory/3012-81-0x000000001ADD0000-0x000000001AE50000-memory.dmp

      Filesize

      512KB